Blog: CISOs' Role in Shaping Public Policy


Why would a busy CISO care about public policy? It is a good question worthy of discussion.  

What we know is that the state of cybersecurity isn’t sound. The truth is that today’s threats are evolving faster than our ability to contain them. Why is that? It is my experience that there are a lot of unhealthy behaviors across the tech ecosystem that must change before cybersecurity improves. I explore many of these unhealthy behaviors in detail in my book The Cyber Conundrum. So, what should we do about it?

Doing nothing is not an option

If you have studied the problem, or ever tried to change behaviors in your own organization, you realize it is very hard. Trying to change behaviors across the tech ecosystem will require collective action. A CISO might be able to change behaviors in their own company. He or she might be able to change behaviors within an industry sector. But attempting to address unhealthy behaviors across the entire tech ecosystem is fundamentally beyond the reach of any single CISO.

The more I talk to CISOs the more I hear about their desire for collective action. FDR once said “While the path forward isn’t clear we all know doing nothing is not an option.” It is one of the reasons a few like-minded CISOs founded The National Technology Security Coalition to promote cybersecurity change across the tech ecosystem.

While no single initiative will solve The Cyber Conundrum (i.e., how do we fix cybersecurity?), one very important path worth exploring is the role of public policy in addressing cybersecurity challenges.

Public and private sectors must work together

Most Americans are skeptical about whether today’s policy makers and legislators are up to the task of solving complex problems. I don’t blame them. So far, Congress and federal agencies have not proposed a national, comprehensive cybersecurity strategy. They have also made lackluster progress on other national issues.

The problem is, cybersecurity is now a national security challenge. No one would dispute that addressing national security issues is squarely in the federal government’s wheelhouse. The challenge is, cybersecurity isn’t just a national security issue - it is a business challenge impacting the nation’s private sector. So, addressing unhealthy behaviors in the tech ecosystem will require a coalition of public and private sector experts with clear objectives designed to comprehensively promote change. This is where CISOs come in.

“It has been my experience that there are lots of good people across the country working in Congress and the federal government, but we need more; there is not enough momentum.”

I have walked the halls of many Congressional office buildings talking to legislators. I have talked to the leaders of many of our country’s federal agencies tasked with addressing cybersecurity. It has been my experience that there are good people across the country working in Congress and the federal government, but we need more momentum.

The truth is they need the tech community to help them plan a comprehensive national strategy and to help gain momentum and support. They need tech influencers, and they need CISOs, to help them shape the national cybersecurity strategy. And, just as important, we need their help to make the reality of a cybersecurity moonshot happen.

What do we do?  

As FDR famously said, doing nothing is not an option. CISOs must band together and work with their companies’ public policy teams to push for comprehensive cybersecurity policy initiatives. While many federal agencies have experience battling hackers, many don’t understand the everyday challenges in the private sector. Federal officials and Congressional leaders need to work closely with the tech community and CISOs if we are going to effectively address The Cyber Conundrum.

In order to win we will have to do it together.