Scared Straight: Jittery Agency Heads Take IT Security More Seriously
On Thursday, I had a lengthy conversation about information asset classification with Tom Smith, director of New York State's Office of Cybersecurity (see Classifying Information Assets), and our chat segued to how agency executives seem to be taking such IT security initiatives more seriously than a mere year or two ago.
"I think some of that is a natural result of how prevalent reports of breaches are in the press," Smith says. "There's a clear understanding among the agency commissioners that they want to address those risks before they're the ones who have the breach that is discussed in the news. There's a higher sensitivity to it. I think they're learning the message of the importance of being involved in this process."
Information asset classification is an important process; after all, you can't protect what you don't know you have. But for many non-IT security types with responsibility for the functioning of government agencies, it's a matter that would elicit a glazed look. Not any longer.
"I think they're really more understanding of the fact that it's not just a compartmentalized process; that it's part of their overall business, their overall assessment of risk," Smith says. "After we did the executive briefing this year, we had a much stronger uptake of agencies who said, 'Please tell me how I can improve our compliance with the policy. Help me get the regular training, move my information classification process forward.' We had a much stronger reaction."
New York State issues annual report cards to agencies that rate their cybersecurity readiness, and in the past, Smith suspects, many agency heads just stuck the assessments in a file drawer and forgot about them. That's changing. "They're more interested in improving," Smith says. "It's something that they look at and say, 'This is something we need to work at.' Even in a tough time, people don't have money to spend on technology, they are looking at the people and process stuff they can take to improve compliance."
With limited resources in these economically strained times, getting agency heads to be scared straight into championing IT security initiatives isn't such a bad thing.