Cybersecurity teams can use an emergency management framework to prepare elected officials to respond to and communicate about a cyber incident.
Because unfolding cyberattacks on city networks are complex and confusing, using the language and processes of emergency management can help stakeholders effectively respond to new and dynamic situations.
Elected officials who have some knowledge of cybersecurity and emergency response best practices will be better prepared when constituents demand answers in the face of a crisis, experts said during a panel at RSA’s Public Sector Day 2022.
Cybersecurity teams must learn how to engage with all levels of government, including elected officials and federal and state partners, according to Michael Makstman, chief information security officer for the city and county of San Francisco. The last thing any city wants is for a TV crew to show up at city hall while the elected officials lack a full understanding of a cybersecurity incident.
Further, not arming these individuals with the right information is a detriment to cybersecurity programs overall. The key here is to modify communication, Boston CISO Greg McCarthy said. Technologists may use too much technical jargon rather than emphasizing the impact of a cyberattack.
Giving these officials the full picture through non-technical language can also have an impact on their political stances, the panelists said. When the implications of such attacks on schools and government offices are emphasized, officials are more likely to appreciate the importance of cybersecurity and enact meaningful changes in policy.
“If we're talking all technical, most of your elected officials are crying, their eyes are going to glaze over,” McCarthy said during the June 6 panel. “But if you say, for example, all of our school systems went online over the pandemic and they're teaching on Zoom or Teams or Hangouts – [then] explain to them, if this is disrupted, we can't teach our students anymore. That's a huge impact to our constituents that we serve.”
Panelists recommended including elected officials in tabletop cybersecurity exercises and giving them a decision-making role to play. Helping them learn how to plan and communicate in the first hour, day or week after a cyberattack “in a very friendly, non-judgmental environment is critical,” Makstman said.
By putting elected officials through cybersecurity exercises, agencies can improve not just cyber response but future policy as well, said Nathan Sinclair, cyber defense operations manager for the city and county of San Francisco. When officials had to be the ones to decide to turn off the network, “having those conversations at the table doing those kinds of exercises actually helped us bring them in closer to build the policies,” he said.