by Larry Clinton
Kudos to Representatives Kathleen Rice (D) and John Katko (R) for their bipartisan legislation requiring Members of Congress to receive training in cybersecurity.
Give congressional representatives an IT tool and they can secure the nation for a day — maybe. Teach Congress how to truly understand and manage cyber risk and we can secure the nation of for the 21st century.
The key question is WHAT do we need to teach them about cybersecurity?
Most Members of Congress are digital immigrants, meaning they were not born into the digital era they now inhabit – and govern in. While typically highly knowledgeable about the various subject matters that formed the basis of their careers, they are generally not schooled in the unique issues that govern the new digital landscape, including cybersecurity.
To use the ship-of-state metaphor, senior policy makers ought not to be spending their time down in the bowels of cyber machinery. They need to be up on the bridge understanding enough about operations to do their job of managing and strategizing for the country.
Senior government officials are not and should not be trained to be mini CISOs. The more apt analogy is they are the government equivalent of corporate board members. Fortunately, corporate board members have already taken the lead and developed an appropriately high level – non-technical – model for training the people Representatives Rice and Katko are targeting.
Since 2014 The National Association of Corporate Directors (NACD) has offered a program based on their 15-page Cyber Risk Handbook for Corporate Directors that identifies the appropriate role for senior executives in managing the cyber issues affecting their broad and diverse environments.
The NACD model is the only set of principles and standards in the cybersecurity environment that has been independently assessed and found to be effective. Specifically, PricewaterhouseCoopers (PwC) analyzed the NACD model as part of its international Global Information Security Survey and found that it increased cybersecurity budgets, enhanced cyber-risk management, created closer alignment between cybersecurity and overall organizational goals, and helped create a culture of security within organizations that used the handbook principles.
As to whether the board members/Members of Congress will accept this training, NACD reports that the Cyber-Risk Handbook is by far the most popular publication it has ever produced — generating 4 times the downloads of the next most popular publication, which covers board members’ salaries
Let me note that again. NACD reports that private sector board members are four times more interested in learning to improve their cyber security than their own salaries. Imagine how much better off our nation would be if members of Congress were four times more interested in cybersecurity than their electoral fundraising.
Congress and the Administration ought to not only pass the Rice-Katko bill but insist that the training follow the successful NACD model and expand that training beyond Congress to the rest of the senior executive agencies.