During Tuesday’s California Virtual Digital Government Summit, Douglas Leone, agency information security officer at the California Labor and Workforce Development Agency, joined two private-sector counterparts in offering a frank assessment of “Navigating the Cyber Threat Landscape.” Among the takeaways:
- Investing in “people, people and people” is key, Leone said, before offering his top three priorities for organizations to focus on in addressing information security risks. First, he said, do a skills gap analysis — identify all your organization’s technologies and match people, skill levels and technologies to map the gaps. Be sure, he added, to include all the technologies. Second, fill your open positions “with the intent to close the gaps” and then train, coach and mentor to empower your people. “And train people to be positive change agents, to be servant leaders and to develop the soft skills required (in this) work environment,” he said. Third, he said, apprenticeships can be an entry point, such as the state apprenticeship program that lets candidates earn while they learn.
“Cybersecurity is about keeping the trust between the people inside and outside the organization and ensuring your organization completes its very important mission,” the AISO said. “And trust is what’s at stake.”
- Information security leaders need to “develop people into amazing technologists,” Leone said in response to a question from moderator Deb Snyder, senior fellow at The Center for Digital Government.* This, he said, is different from being a CIO, as CIOs can “delegate and rely on others to be a technologist and focus more on being a visionary.”
“There’s a tension between visionaries and information security because information security requires control,” he said. “But we can ensure there’s progress, innovation and the right controls are in place to keep the trust. Let the CIOs do their job being a visionary. Empower the CIOs, but have control in place.”
- Information security governance is a subset of enterprise governance, the AISO said, meaning that “organizations must pass information governance at all levels in the organization” — from information gathering to operations to executive-level quarterly meetings. He recommended doing an “organizational assessment against information security frameworks” at the outset, to determine where the organization’s “crown jewels” may lie — then create a strategy to close any security gaps.
- Making a strong case and communicating it clearly is crucial when vying for cybersecurity funding, Leone said. To compete for the available money, he said, organizations need to “develop a strong business case” that describes the work you do, the people providing you resources — and what would be the outcome if those resources needed couldn’t be obtained.
“It’s really important to ensure that you’re laying that business case out so clearly that everyone understands, it’s not cyber-speak so to say, it’s really a business case in English,” Leone said.
*The Center for Digital Government is part of e.Republic, parent company of Techwire.