How to Talk About Ransomware So Leadership Will Listen
Chief information security officers are working to better engage the rest of government in cybersecurity resiliency and response planning, and several shared their tips during an RSA Conference panel last week.
CISOs need to talk with elected officials and different agencies to help them understand how a ransomware incident could affect them and their priorities, and to prepare them to talk with the public should an incident happen.
“You don’t want it to be that the only time you engage with elected officials — or the only time they think about their role in the cybersecurity program — is during an incident,” said San Francisco CISO and Coalition of City CISOs co-chair Mike Makstman.
GETTING ELECTEDS ON BOARD
Boston CISO and Coalition of City CISOs co-chair Greg McCarthy said he watches budget hearings and elected officials’ speeches to see which parts of city operations have these officials’ attention. If he then explains how cybersecurity impacts those areas, the message is more likely to hit home.
“If we’re talking all technical, most of your elected officials’ … eyes are going to glaze over,” McCarthy said. “But if you say, for example, ‘All of our school systems went online over the pandemic, and they’re doing teaching on Zoom or Teams or Hangouts … if this is disrupted, we can’t teach our students anymore, and that’s a huge impact to our constituents that we serve, it’s a huge impact to their political views or political stances …,’ that was one thing that I found really, really effective.”
There’s also another reason for non-IT officials to listen up: A city’s cybersecurity posture can have a significant impact on government finances.
Municipalities’ cyber defenses can determine whether cyber insurers will offer them affordable plans and even impact their bond ratings. In Boston, for example, rating agencies have asked the city to explain its cybersecurity plan, incident history and security controls, McCarthy said.
“Cyber has been playing into our bond rating. So, our ability as a city, as a municipality, to borrow money for capital investment,” McCarthy said. “It could really impact not only your ability to insure your municipality, but [your ability] to borrow money for capital improvements or large-scale projects.”
THE LANGUAGE OF EMERGENCIES
City leadership is often used to working with emergency management to handle natural disasters and similar events. Presenting cybersecurity as another kind of emergency that must be planned for and mitigated may help CISOs translate their goals, and Makstman urged CISOs to collaborate with emergency management departments.
“In my experience, elected officials and city leaders understand emergencies — that concept and framework of how to deal with emergencies has been in their minds for a long time,” Makstman said. “Framing cyber events, with the language of emergencies — with the concept of emergency management that has been traditionally used — is critical.”
Officials outside the IT department need to recognize cybersecurity is a high priority and one in which they, too, have a role to play. That’s especially true because the press is going to come asking for answers following a cyber incident, and they’ll need to know how to respond, McCarthy said.
Boston has found it helpful to have everyone — from legal teams to the mayor’s press office and the chief financial officer — participate in tabletop exercises. Engaging non-IT officials early on in these kinds of simulations also gives them an opportunity to understand their roles in cyber incident response and ask questions at a safe time, Makstman said, rather than trying to learn this during a crisis.
Makstman said he’s found it helpful to talk with elected officials and other agencies to think through how they’d respond if certain systems were down for lengthy periods of time.
“When you sit down with an elected official, when you sit down with their CFO, their public information officer and you say, ‘OK, well, technology’s gone. What if it takes a week? What if it takes a month to recover? What’s going to happen?’ … How do we communicate this early on?” Makstman said.
SPEAKING TO THE PRESS AND PUBLIC
If a cyber incident hits, residents and the media will want to understand what’s going on. IT needs to make sure elected officials are prepared with accurate information when the press calls — something that hasn’t always been the case, Makstman said.
San Francisco has tried to get on a stronger path, and its emergency management and IT departments collaborated on a cyber response plan that details actions down to the minute and outlines responsibilities — including when officials like the mayor, city attorney and treasurer get briefed, and by whom.
“We need to make sure that those elected officials are prepared,” Makstman said. “When the mayor has to stand in front of City Hall, on the steps of City Hall, and talk to the press, she will have a plan; she will have a message already prepared.”
This article first appeared in Government Technology, a sister publication of Industry Insider — California.