Federal CISOs Strategize Culture Change Around Cyber
Security leaders find value in tactics such as cyber escape rooms over traditional training.
Among the many roles federal chief information security officers play in their agencies, normalizing a culture around cybersecurity and bringing it to the forefront of their agencies’ leadership is one of their biggest tasks.
For CISOs at the departments of Health and Human Services, Veterans Affairs, Homeland Security and beyond, this effort comes with its own set of challenges.
“I looked at the landscape at my organization and realized how siloed cybersecurity was and that we really need to speak the language of the mission and the program that we’re dealing with and make it relevant to them,” HHS CISO Janet Vogel said at ACT-IAC’s Imagine Nation ELC in Philadelphia Tuesday. “If people get too frightened by what you’re saying, they’re going to tune you out, and yet they have to know the basics for their everyday life.”
Community outreach has been a key strategy for Vogel to communicate the importance of cybersecurity to the agency in an easily consumable way. Annual cybersecurity training alone did not engage personnel effectively, so Vogel tried to make it more engaging to drive the impact of cybersecurity into the agency’s mission.
“We looked at each organization, what their goals were and tied into them,” Vogel said, adding that experiential learning was a strategy she saw people liked. “We implemented a ‘several birds of a feather’ type of activity where we got groups together to share their experiences. So we’re not telling them — we’re asking.”
Vogel launched other experiential learning programs at HHS, such as having a “cyber escape room” for hands-on learning, as well as speed matching, where CISOs discuss and share best practices. Other initiatives include reaching out to the health care community through portals HHS has created.
“All we have to do now is talk to our customers that are in the community,” Vogel said. “It has to be in plain language, and it has to be in a medical terminology that they understand.”
Department of Education CISO Steven Hernandez echoed Vogel’s comments, saying that one of the most important ways he’s been able to communicate cybersecurity priorities to his agency has been through “being able to tell a story and being able to explain where we’re coming from, where we’re going and what’s important to the stakeholder.”
Strategically, accomplishing effective communication of cybersecurity priorities requires a balance of mission and security, DHS CISO Soldenise Sejour said. She said she does this by bringing integrated teams of different stakeholders together.
“The collaboration and integration has really led to not only building secure solutions, but also resolving conflicts and resolving conflicts at the beginning and not the end, helping avoid that back and forth against an operation,” Sejour said. “On top of that, which I think is the best outcome of the collaboration, is it builds a trust and transparency. So [it goes] back to Janet’s comment on silos and breaking down those barriers.”
At VA, breaking down barriers between cybersecurity and agency mission means stacking priorities and mapping them out fiscally to project tangible progress and results to leadership.
“That priority stack is very valuable,” said VA CISO Paul Cunningham. “If you do get a plus-up and we are successful in justifying our money, we’re going to get that additional dollar. We know exactly where we want to put it and get the biggest bang for our buck.”
Likewise, one of Department of Energy CISO Emery Csulak’s top tasks is to “sell cyber to the agency.”
The CISOs all agreed that their main job is to make cybersecurity easier for their agencies to accomplish and, as Hernandez said, to “know the risk, provide a way.” They underlined that customer experience, community outreach and engaging their organizations’ leadership and personnel effectively are critical ways they accomplish the CISO mission.