The Importance of Active Involvement from Local Government Leaders for a Cyber Safe Future
In today's digital age, every local government is a digital government. With the increasing reliance on information and technology, residents and customers expect nothing less than seamless service from their local governments. In fact, they are starting to prefer candidates for office who are up-to-date with the latest technological trends. This shift has created new challenges for local governments, particularly in the area of cybersecurity. The threat of cyberattacks is very real, and any breach of sensitive data or systems can have far-reaching consequences for local communities. In this blog post, we will explore the City Council's active involvement in cybersecurity and discuss the importance of implementing effective measures to safeguard against cyber threats.
“Only 26 percent of the CIOs believed that elected council members were either moderately or exceptionally aware of cybersecurity issues.” - ICMA Cybersecurity Survey 2016
The ICMA LG Cybersecurity Survey 2020 sheds light on the current state of cybersecurity in local governments across the United States. Conducted by the International City/County Management Association (ICMA), the survey covers a range of topics related to cybersecurity, including budget allocation, training, and preparedness. One key area that the survey examines is the level of involvement of senior management and the governing body in cybersecurity. This is an important aspect of cybersecurity because, without active involvement from these leaders, it can be difficult to establish a comprehensive cybersecurity strategy and ensure that it is properly implemented throughout the organization. The survey provides valuable insights into the current state of cybersecurity in local governments and highlights the need for more active involvement from senior leaders to effectively address this important issue.
The ICMA Survey paints a concerning picture of the current state of cybersecurity in local governments. The survey found that many top officials in organizations are not engaged in cybersecurity at high levels, despite the growing threat of cyberattacks. This lack of engagement can lead to insufficient funding, a lack of cybersecurity training for staff, and a failure to establish effective incident response plans. In addition, the survey highlights that top management is often not well-informed or committed to cybersecurity, which can result in a failure to establish a strong cyber safe culture throughout the organization. Furthermore, top officials may fail to act appropriately in their own cyber responsibilities, such as using weak passwords or failing to follow established cybersecurity protocols. These findings underscore the need for more active involvement from top officials in local governments to ensure that cybersecurity is given the attention and resources it deserves.
"78.6% responded that their governments provided mandatory cybersecurity training annually to the mayor/elected county executive, city/county council members, department heads, and average end-users." - ICMA LG Cybersecurity Survey 2020
Interestingly, despite the mandatory cybersecurity training for elected officials, many are still not actively involved in cybersecurity matters. It seems that many officials mistakenly view cybersecurity as an IT issue rather than a broader business issue that requires their attention. This is a critical error, as effective cybersecurity requires understanding that cyber risk is a business risk.
Another factor that may contribute to the lack of attention given to cybersecurity by some officials is the unconscious bias discussed in Daniel Kahneman's book "Thinking, Fast and Slow." This bias refers to the tendency of humans to underestimate risks that they have not yet experienced. Therefore, some officials may not take cybersecurity seriously enough because they have not personally experienced a serious cyber incident. This underscores the critical importance of taking proactive cybersecurity measures to prevent incidents before they occur, rather than merely reacting after the fact.
Given the increasing threat of cyberattacks, it is crucial for local governments, particularly their top elected or appointed officials, to understand cyber risk. Officials need to be aware of the cyber threats facing their government and take action to protect information assets. Unfortunately, the ICMA Survey found that there is often a significant gap between actual cybersecurity practices and what is needed to address cyber risks effectively. This gap is due to various barriers that local governments face in implementing cybersecurity measures, such as insufficient funding, inability to pay competitive salaries, inadequate cybersecurity training, and a lack of cybersecurity expertise. With greater awareness and active involvement from top officials, local governments can take steps to address these barriers and improve their cybersecurity posture. But they cannot address cybersecurity if they are not aware of these barriers.
"Until local governments affirmatively address these and perhaps other barriers—especially funding, staffing, awareness, and support—they cannot expect to improve their cybersecurity outcomes or more effectively protect their information assets."
The National Association of Corporate Directors (NACD) published "Cyber-risk Oversight 2020, Key Principles and Practical Guidance for Corporate Boards," which offers insights that are equally applicable to local governments. One key takeaway from the report is that many executives and boards still hold outdated views about cybersecurity, failing to recognize the gravity of the threat and the need for a comprehensive response. The NACD emphasizes the importance of ensuring that management is fully engaged in making the organization's systems as resilient as economically feasible. This includes developing defense and response plans that are capable of addressing sophisticated attack methods. Local governments must take these principles to heart and actively engage with their management teams to protect against cyber threats.
"Board members need to ensure that management is fully engaged in making the organization's systems as resilient as economically feasible. This includes developing defense and response plans that are capable of addressing sophisticated attack methods." - Cyber-risk Oversight 2020 - NACD
Cyber risk is not solely the responsibility of IT or cybersecurity professionals. Instead, it belongs to the council or board overseeing the organization. Executives must understand the role that technology plays in modern government, including the financial risks that technology poses to the organization, and take appropriate steps to manage those risks. This is emphasized in the ANSI/ISA standard "The Financial Management of Cyber Risk," which provides guidance on how organizations can manage cyber risk in a financially responsible manner. By adopting a comprehensive approach to cybersecurity that involves all stakeholders, including council or board members, local governments can better protect their data and infrastructure from cyber threats.
“These executives must appreciate, or learn, if need be, the true role that technology plays in the modern organization, including the financial risks that technology places on the organization and the steps that must be taken to manage risk appropriately.” - The Financial Management of Cyber Risk (ANSI/ISA)
The Marin County Civil Grand Jury released a report on May 11, 2020, highlighting the growing threat of cyberattacks to the Marin government. The report emphasized that cyber threats have become increasingly sophisticated and that local governments need to take measures to protect their sensitive data and networks. The report found that Marin County has not adequately addressed the risk of cyberattacks and lacks a comprehensive cybersecurity strategy. To ensure that local government elected officials are engaged in cyber risk, the grand jury recommended that “…each city and town council should hold public discussions, at least annually, on their cybersecurity measures, which would also raise awareness among residents and local organizations on ways to improve cybersecurity.”
It is crucial for all local governments to implement the recommendation of the Marin County Civil Grand Jury and hold public discussions on cyber risks and their cybersecurity response. This can raise awareness among residents and local organizations on ways to improve cybersecurity. However, these discussions should be conducted carefully to avoid revealing sensitive information that could be exploited by cybercriminals. Ultimately, it is the responsibility of the council to provide oversight of cyber risk management and ensure that appropriate measures are in place to protect against cyber threats. A public discussion provides transparency and ensures the public’s right of access to the internal workings of their government.
In conclusion, while the implementation of governance for information and technology in local government is a complex issue that requires further discussion, it is clear that council or board involvement and leadership are crucial in mitigating cyber risks. As cyber threats continue to become more sophisticated, it is essential that local governments take proactive measures to protect their sensitive data and networks. By staying informed, engaging with cybersecurity experts, and implementing comprehensive cybersecurity strategies, local governments can help prevent or respond effectively to cyberattacks and protect their communities from harm. In the end, it falls upon elected officials to prioritize managing cyber risk and to take appropriate measures to guarantee the continuity of critical services provided by the local government.
The ICMA LG Cybersecurity Survey 2020
Cyberattacks: A Growing Threat to Marin Government (Marin County Civil Grand Jury - May 11, 2020)
Cyber-risk Oversight 2020, Key Principles and Practical Guidance for Corporate Boards (NACD)
The Financial Management of Cyber Risk (ANSI/ISA)
ICMA Cybersecurity Survey 2016
Internal Control Guidelines, California Local Agencies (California State Controller's Office)