The Public Eye with Eric Chabrow

Scared Straight

Jittery Agency Heads Take IT Security More Seriously

The constant barrage of news headlines about breaches, hacks and other cyberthreats seems to be getting on the nerves of more government agency heads these days. As a result, more of these leaders, who control the purse strings over IT security budgets, are taking cybersecurity more seriously than ever before.

On Thursday, I had a lengthy conversation about information asset classification with Tom Smith, director of New York State's Office of Cybersecurity (see Classifying Information Assets), and our chat segued to how agency executives seem to be taking such IT security initiatives more seriously than a mere year or two ago.

"I think some of that is a natural result of how prevalent reports of breaches are in the press," Smith says. "There's a clear understanding among the agency commissioners that they want to address those risks before they're the ones who have the breach that is discussed in the news. There's a higher sensitivity to it. I think they're learning the message of the importance of being involved in this process."

Information asset classification is an important process; after all, you can't protect what you don't know you have. But for many non-IT security types with responsibility for the functioning of government agencies, it's a matter that would elicit a glazed look. Not any longer.

"I think they're really more understanding of the fact that it's not just a compartmentalized process; that it's part of their overall business, their overall assessment of risk," Smith says. "After we did the executive briefing this year, we had a much stronger uptake of agencies who said, 'Please tell me how I can improve our compliance with the policy. Help me get the regular training, move my information classification process forward.' We had a much stronger reaction."

New York State issues annual report cards to agencies that rate their cybersecurity readiness, and in the past, Smith suspects, many agency heads just stuck the assessments in a file drawer and forgot about them. That's changing. "They're more interested in improving," Smith says. "It's something that they look at and say, 'This is something we need to work at.' Even in a tough time, people don't have money to spend on technology, they are looking at the people and process stuff they can take to improve compliance."

With limited resources in these economically strained times, getting agency heads to be scared straight into championing IT security initiatives isn't such a bad thing.



About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.



