- Donald E. Hester
The Local Government Officials Guide to Cybersecurity
Ron, Cesar, and I (Don) are currently collaborating on a new professional guide for executives in local government on the topic of cybersecurity and information technology governance. The guide will be titled "The Local Government Officials Guide to Cybersecurity" and will focus on the role of elected and appointed officials in managing cyber risks and the appropriate governance of information and technology.
Unlike other guides that focus on technical controls, this guide will provide a broad understanding of cyber risk management, suitable for City Councils or City executive teams who may not have a deep technical background. The guide is modeled on the Cyber Risk Oversight 2020 guide written by the National Association of Corporate Directors.
If you are interested in contributing to this effort, please contact us to discuss how you can help. We will present this guide or whitepaper at this year's MISAC conference.
The goal of this guide is to provide executives in local government with an understanding of the importance of cybersecurity and information technology governance, as well as recommendations on how to effectively manage cyber risks within their organization.
Cybersecurity is a top priority for local governments, as the threat of cyber-attacks is ever-present and the impact of such attacks can be devastating. While many local governments have implemented measures to mitigate cyber risks, there are still challenges that need to be addressed. In this guide, we will explore the scope of cybersecurity, the probability and impact of cyber incidents, the barriers to cybersecurity, and recommendations for managing cyber risks.
Cyber Risk is a Top Risk:
Cyber risk is a top risk for local governments, and it is essential that executives understand the potential impact of a cyber incident. A cyber-attack can compromise sensitive information, disrupt operations, and damage the reputation of the local government.
Local Governments' Current Response to Cyber Risks:
Many local governments have implemented measures to mitigate cyber risks, such as firewalls, anti-virus software, and employee training. However, cyber threats are constantly evolving, and it is essential to stay up to date with the latest trends and technologies.
The Scope of Cybersecurity:
The scope of cyber risks goes beyond IT. The scope of cybersecurity encompasses all aspects of information technology governance, including operational technology, elections security, critical infrastructure security, ethics, data privacy, risk management, incident response, and compliance. It is essential that local governments have a comprehensive cybersecurity plan that covers all areas of the organization.
Threat actors in the cyber landscape include nation-states, criminal organizations, hacktivists, and insiders. It is essential to understand the motivations and methods of these threat actors in order to effectively manage cyber risks.
Probability and Impact of Cyber Incidents:
The probability and impact of cyber incidents can vary greatly depending on the size and complexity of the local government. It is essential to conduct a risk assessment to identify potential vulnerabilities and develop a plan to mitigate these risks.
Barriers to Cybersecurity:
There are several barriers to cybersecurity in local governments, including limited resources, a lack of cybersecurity expertise, a lack of budget, and a lack of awareness among employees. These barriers must be addressed in order to effectively manage cyber risks.
Cyber risk should be a top priority for elected and appointed officials, and they should be actively involved in cybersecurity planning and decision-making. To effectively manage cyber risks, local government executives should consider the following recommendations:
Cyber Risk is Enterprise Risk: Cyber risk is not just an IT issue, but rather an enterprise-wide risk that must be addressed by all departments and stakeholders.
Assign an Appropriate Budget for Cybersecurity: Local governments should allocate an appropriate budget for cybersecurity, taking into account the size and complexity of the organization.
Oversight: Local governments should establish oversight mechanisms to ensure that cybersecurity policies and procedures are being implemented effectively.
Selecting a Framework: Local governments should consider adopting a cybersecurity framework, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, to guide their cybersecurity efforts.
Monitoring and Reporting of Cyber Risk to the Council or Board: Local governments should establish a process for monitoring and reporting cyber risk to the council or board, in order to keep them informed of potential risks and ongoing efforts to mitigate these risks.
In conclusion, local government executives must prioritize cybersecurity and information technology governance in order to effectively manage cyber risks. By following the recommendations outlined in this guide, local governments can develop a comprehensive cybersecurity plan that covers all aspects of the agency and effectively manage cyber risks.