- Donald E. Hester
The Crucial Role of CISOs in Local Governments: Ensuring Good Governance and Cybersecurity
"The single biggest threat to cybersecurity is misunderstanding." - ANSI ISA
In recent years, the importance of cybersecurity has become increasingly apparent to all kinds of organizations, including local governments. As local governments continue to digitize their operations and store sensitive information online, the risk of cyber-attacks grows every day. That's why many local governments are now hiring Chief Information Security Officers (CISOs) to lead their cybersecurity efforts.
"To the extent budgetarily feasible, hire a qualified cybersecurity professional as chief of cybersecurity. If you are unable to hire additional staff, designate an existing role as the CISO." - ICMA 2020
The International City/County Management Association (ICMA) recommends that local governments hire a qualified cybersecurity professional as the chief of cybersecurity, or designate an existing role as the CISO, to ensure that senior management and governing officials are informed about cyber risks and can make informed decisions. This recommendation reflects the fact that nearly every decision made by local government involves technology and information and comes with some level of cyber risk.
"One of the most important stakeholders responsible for managing cyber-risk is the board of directors." - California Society of CPAs May 2020
The role of the CISO in local government includes the governance, risk, and compliance (GRC) function. The CISO is responsible for developing and implementing policies and procedures to protect the organization's information assets, as well as ensuring that the organization remains in compliance with relevant laws and regulations. The CISO also plays a critical role in managing the organization's cybersecurity budget.
Enterprise Governance of Information and Technology (EGIT) is concerned with value delivery from digital transformation and the mitigation of business risk that results from digital transformation.
Unfortunately, many local government officials do not fully understand the need for cybersecurity and therefore do not provide adequate funding for cybersecurity. Top officials in organizations are often not engaged in cybersecurity at high levels, and top management is not sufficiently well-informed about or committed to cybersecurity. This lack of engagement can create significant risks for local governments, leaving them vulnerable to cyber-attacks.
The CISO can help to address this lack of engagement by providing reports on the state of cyber risk for the organization. The CISO can also help top officials to understand that cyber risk is business risk, and that it can impact the organization's ability to deliver services. By providing this information, the CISO can help to drive commitment to cybersecurity.
"Understanding these issues will enable local officials not only to see why cybersecurity is crucial to their government's digital well-being, but will help ensure that cybersecurity has their full support and is adequately funded and properly managed." - ICMA 2020
It is imperative that the governing body, whether it is the council or board, takes an active role in managing cyber risk and determining the organization's risk tolerance. To achieve this, the organization should adopt a comprehensive cybersecurity policy that holds everyone accountable for upholding its principles. This policy should be endorsed by the City Council and communicated to all stakeholders to ensure everyone understands their roles and responsibilities in mitigating cyber threats.
Cybersecurity is not an IT issue; it is a business issue.
Cybersecurity is not just a concern for IT professionals; it is also an important aspect of risk management that affects the entire organization. Cyber risk is a complex issue requiring a multidisciplinary approach to ensure the organization is prepared to prevent, detect, and respond to cyber threats. All employees need to be aware of the risks and of their role in mitigating them. A successful cybersecurity program requires collaboration and coordination across all departments so that cybersecurity policies and procedures are implemented effectively and the organization can mitigate risks and avoid potential cyber-attacks.
"Size Matters Not" - Yoda
Even small local governments must take steps to ensure the highest levels of cybersecurity. Cybercriminals are relentless, and the risk of being compromised is never gone. Hiring a CISO, or designating an existing role as the CISO, can help local governments to manage cyber risk and protect their information assets. Local governments must recognize the importance of cybersecurity and take proactive steps to protect themselves from cyber-attacks.
"all local governments, regardless of size, must take whatever actions needed to ensure the highest levels of cybersecurity. But even if they do, the cybercriminals are relentless and very good at what they do, and the risk of being compromised is never gone." - ICMA 2020
Where the cybersecurity function should exist within a local government is a topic for another blog post.
Updated August 2021
A Look at Local Government Cybersecurity in 2020 - ICMA
Digital Danger: Teaching the Board About Cybersecurity Risk - CalCPA
The Urgency to Treat Cybersecurity as a Business Decision - ID G00466055 Gartner
Cyber-Risk Oversight 2020: Key Principles and Practical Guidance for Corporate Boards - NACD
What Local Government Officials Should Know and Do About Cybersecurity - Coalition of City CISOs
The Financial Management of Cyber Risk - ANSI, ISA