City Councils Are Having the Wrong Conversations About Cybersecurity

In the Harvard Business Review article "Boards Are Having the Wrong Conversations About Cybersecurity," authors Lucia Milică and Dr. Keri Pearlson highlight the ineffective approach of many corporate boards when it comes to cybersecurity oversight. Despite increasing awareness of cyber risks, board members often lack the right questions to ask and fail to prioritize resilience over protection. The authors stress the importance of board-CISO (Chief Information Security Officer) engagement and personal familiarity to bridge the communication gap and align priorities. They emphasize the need for boards to focus on resilience, assume cyberattacks will occur, and prepare the organization for effective response and recovery. Furthermore, the article highlights the need to view cybersecurity as an organizational and strategic imperative rather than just a technical issue. The authors suggest that boards should include members with cybersecurity expertise, prioritize cybersecurity discussions at every board meeting, and actively demonstrate the importance of cybersecurity through their actions.

This is a great article but how does this apply to local governments?

According to the survey conducted by Lucia Milică and Dr. Keri Pearlson, there is a growing awareness of cyber risks in the corporate world, but it is not translating into better preparedness. In the realm of local government, there is a range of awareness levels regarding cyber risks, from complete cluelessness to hyper-awareness. However, compared to their corporate counterparts, executive management in local governments appears to be lagging behind. It seems that the old saying, "A fish doesn't know the importance of water until it's out of it," holds true in this case. It's only when a city experiences a cyber-attack that the importance of cyber risk diligence becomes highly visible. Until then, it is not given priority.

In my observations, organizations that have experienced a cyber incident often exhibit a decline in diligence over time. This can be attributed to changes in City Council members or executive personnel, who may not fully appreciate the operational impact that the cyber incident had on the organization, because they have not experienced it first-hand. It could also be because over time our estimation of risk changes. I have previously addressed this phenomenon in a blog post, offering a comprehensive explanation. "The Psychology of Cybersecurity: How Our Minds Distort Our Perception of Cyber Risk."

The survey results also highlighted a significant lack of board interactions with the Chief Information Security Officer (CISO). This issue is even more pronounced in the local government sector where the majority of organizations do not have CISOs, and those that do often lack direct communication channels with the City Council. Frequently, the CISO reports to the Chief Information Officer (CIO), who may be further placed under the authority of the Finance Director or another department head. This fragmented structure hinders meaningful dialogue between the Council and CISOs regarding cyber risk, making it difficult for the Council to provide effective strategy or oversight. Following the Oakland breach, I witnessed a council members from various City's asking City executives about cybersecurity and receiving a response claiming they had a cybersecurity plan or that they had a CISO. Such shallow exchanges do not constitute meaningful dialogue for oversight, nor do they foster transparency within the council. Basically, City executives are saying, "Don't worry about that we have cybersecurity covered." Sorry, that is not proper governance or oversight.

I have also observed that City executives resist the crucial organizational changes required to provide City Council with the necessary access to cyber risk expertise. Their reasons for resistance can be as flimsy as stating, "I have had a long and successful career in local government without ever needing a CISO, so I see no need for one now." Such attitudes significantly impede council oversight and hinder the ability to effectively address and manage cyber risks. If Councils can't get the necessary information from their current executive team, they should seek external independent consultants.

The survey results also revealed that boards tend to prioritize protection over resilience, which is a obsolete approach. Similarly, in the realm of local government, if council members are engaged, they often adopt the mentality of "If we have sufficient protection, we can prevent a cyber incident." However, organizations must recognize the importance of not only protection but also their ability to detect, respond, and recover from a cyber event. Cyber resilience encompasses an organization's capacity to maintain operations during a cyber incident and effectively detect, respond to, and recover from such events.

The survey reveals that both boards and local government entities often view cybersecurity solely as a technical concern, failing to grasp its evolution into a critical organizational and strategic imperative. As organizations increasingly rely on technology and data, the corresponding risks to their operations have significantly increased. Regrettably, there has been a lack of proportional reinforcement in cybersecurity measures to effectively address these mounting risks. It is crucial for organizations to recognize that cyber risks are enterprise risks, and the responsibility for enterprise risk management extends beyond the IT department.

In order to steer the conversation away from technical aspects and towards more meaningful discussions on cyber risk, council members should focus on the potential impact of cyber risks on operations, liability, finances, public trust, and the delivery of critical services. Delving into operational details like asking about multi-factor authentication (MFA) is unnecessary for the Council's role. It is essential for the Council to delegate the task of operational management to the appropriate personnel, while their primary responsibility lies in providing strategic guidance and oversight.

The survey results also highlight the importance of demonstrating cybersecurity as a priority for the board, which holds true across various organizations. The tone set by top leadership is crucial for effective cybersecurity practices. Therefore, it becomes imperative to provide council members with cyber literacy training to ensure they understand the significance of cybersecurity and can contribute effectively to its prioritization.

The authors highlighted that in 2022, the SEC introduced comprehensive recommendations for cybersecurity risk management, governance, and disclosure, which are likely to become regulatory requirements. Consequently, boards must enhance their oversight of cybersecurity risks and incorporate dedicated cybersecurity expertise within their composition. This holds particular significance for local governments that issue bonds and aim to maintain favorable bond ratings, as they should carefully consider the SEC's guidance. In a blog post titled "Ensuring Transparency and Disclosure: Navigating Cybersecurity Risks in the Municipal Bond Market," I discussed some of the recent changes pertaining to the bond market, offering further insights on this topic.

How can local government councils have a meaningful conversation about cybersecurity? Check out this blog post: "Cybersecurity Governance Unleashed: Empowering for Effective Risk Oversight."