Webinar presenter Stacey Wright answered a number of your questions after her presentation, Cyber Metrics for Agency Execs. Here are just a few of her responses.
Audience Question: Do you have any other analogies to help us illustrate issues to our executives, like the one you used earlier, the graffiti for defacement?
Stacey Wright: I have a ton of them. I’ll start with a simple one. I often compare things like ports to windows. You heard me mention that one. I frequently do a lot of comparisons, and an IP address is like their home mailing address. That’s the address where you can be located; how the post office can reach you is equivalent to how the internet knows to reach you. IP address equals mailing address. You can think about things that way: if your house is your computer, well, the front door is the main way in. It’s how most of the people would go through. That’s not how a burglar goes through. They are going to do things like trying the windows to see if they are locked. Your windows are the ports, the other protocols that are in use by a computer as opposed to the standard one. You use the ports to get in. This is how burglars, this is how the bad guys in cyber, frequently get in. I’m sure I have a bunch of others. If there is anything that you are looking for, I would say email me; I would be happy to give you the one I use for that situation. I can’t think of many more of that offhand except for DDoS and TDoS. The DDoS, the distributed denial of service attack, I usually equate to somebody ringing the doorbell repeatedly. They are just trying to get you to go to the door as many times as you can so you’re too busy to do anything else. Telephony denial of service, same concept, except they just keep calling your phone number. Really, that is what a TDoS is: calling you so you’re too busy to do anything else. A DDoS is the cyber equivalent of ringing your doorbell and making you answer the door as many times as possible.
Audience Question: I can’t seem to get my boss to understand the importance of what we do, why our safety mechanisms are important, etc. How do I get him to understand?
Stacey Wright: That’s tough. I would probably suggest trying to find out what he does understand. Where is he putting his resources? Is he spending money on a particular program? That gives you an idea of his priority. Talk to the person who is getting the yes answers. That will give you some better sense of where your boss’ priorities are and the language he is going to understand. Take it and twist the information you have a little bit. Frequently, at least I used to, I would say, “I need another body to do this. I need extra help here.” I didn’t get very far. What I learned to do was something that I was talking about on my slide, where instead of saying “I need this,” I would phrase it as “here’s what I can do.” The control slide back on twelve, where I showed those different circles and graphs, I would say: here’s what I can implement, here are the choices I can make. I can get to level one completed, level two will be partially completed. I am not going to be able to do level three. You then have that conversation to explain: yeah, I cannot get to it. There’s just not enough of me in the day. Here’s where my time is going. That’s where I got buy-in, and then: oh well, this is important. Okay, maybe we need to bring in extra resources. Sometimes changing the perspective so it becomes the executive’s idea to bring in whatever it is you want. Give them the facts to the information. Lead them to the conclusion, if you will. It will make a difference and help out.
Audience Question: Do you think that executives simply don’t understand the technology and they don’t even know the question to ask? Do you think it’s because they are too busy to even try to understand?
Stacey Wright: I think it’s a combination. I think there’s a lot of different reasons, and every executive is going to be a little bit different. I know a lot of executives do try to understand, but they are, and I hate using this phrase, in a 20,000-foot view. They have to understand a mile wide and an inch deep. We have the luxury of going maybe at the half a mile wide and half a mile deep marker. The higher you get in management, the more you are frequently asked to cover more things. You just run to the point where you can’t get it all. With cyber in particular, it’s scary. I know that I say the word cyber and people get intimidated by that, which also means that they are going to be a little bit more hesitant to talk about it, to learn about it, because it seems intimidating. Some executives simply just don’t even understand what they don’t understand. This is true, executive or anywhere. It may be as simple as what I was talking about, defacement. They understand that it’s graffiti on the wall. They don’t understand that it’s graffiti on the interior wall, which means somebody has broken into your website. That has nothing to do with them. It has to do with the fact that they don’t have a detailed cyber background. We’re talking about years of learning to reach that point. They probably aren’t going to have time to reach there either.
Audience Question: What do you think are some of the most important statistics or facts that agency leaders should make sure that they take the time to understand about their system, about their security, about cyber in general?
Stacey Wright: I’d probably say understanding the most current threat is really important. Agency leaders are in a position to change policy. If they understand the current threat and they understand what you are currently doing about them, they can fill those gaps. The policy and procedure side of the house is where the executives can really help in cybersecurity or IT. This is where they can try training, mandate training, maybe if they get the money, bring in training or speakers, where they can try policy changes and so on. By combining the two, understanding the current threat environment and the current resources you have available, by that I mean you can look at the threat environment and say: okay, malicious theft spam is the biggest threat we have right now. Our users are not properly trained. Here’s what we have done. We have a once-a-year mandatory training. We have email filtering in place and a couple of other technical solutions. You’re giving them that BLUF, that bottom line up front, where you’re telling them here’s what is happening, here’s what I can do about it, and you are leaving that gap for them to step in and say how about we do more, and bring their buy-in to make it better. Combining those three items together and giving it a little bit further, hopefully.
Audience Question: Are you saying that executives are starting to understand the importance of cyber more, and maybe that’s just because of the purview of what’s always in the news, or is it a kind of out of sight, out of mind until a hack happens?
Stacey Wright: I think they’re starting to understand it more. I tend to be an optimist, but more and more I have seen the chief information security officer of an organization be added to the C-suite meetings, even having a seat in the C-suite. That means that everybody is starting to recognize that cybersecurity is one of those things that can really make or break an agency. You don’t want to be that police department that says we paid that guy $400,000 in their ransom demand because we had no choice. You never want to be that person standing in front of the media answering those questions. There’s a little bit of fear involved, but there is also that greater understanding that people are demanding it. It’s not just legal and regulations now. Your customers, your members and so on are also finding this critically important, as the kind of thing they will ask about in meetings. What are you doing to safeguard my information? This is a question that comes up. It’s an outside driving force, but it’s also an internal recognition that they need to understand more about it because everything is online and connected. If they don’t understand it, they are really driving a car without understanding how the car operates, or even that they have to put gasoline in the car. They are just hoping it never breaks down.
Audience Question: What are the biggest mistakes agency leaders make when dealing with IT? What can they do to change that?
Stacey Wright: I think it’s a classic one of ignoring it, just assuming that IT will do its own thing, that it’s not integral to the business process, that it is internal and it doesn’t really matter. I would say that at least everybody on this call, I hope, knows it matters. If IT goes down, your network goes down. Everything goes down, probably including your phones. At this point, IT is so integral. I think the biggest mistake I see is somebody just ignoring it and saying, well, it’s okay, it will always work, or I don’t understand it so I’m going to leave it for the next guy. I’m retiring in a couple of years anyway.