Don’t sacrifice security of data or systems – and be wary of sending mixed messages
Taxpayers and regulators expect public entities to protect public assets. Your messaging and Tone from the Top are critical to how your staff act daily to support the security of public data and assets while performing their roles. Staff continue to be the critical front line of defense against cyber attacks. Your messaging should include “Do not sacrifice security of data or systems while doing your job.” Everyone in every role should have clear guidance on the internal controls required to protect data and systems in their specific roles.
Challenges come when supporting security may conflict with meeting deadlines, efficiency, user experience and other public and political expectations. Managers and supervisors must maintain security as a priority and not send conflicting messaging that security can be sacrificed when conflicts and pressures arise, or in the name of ease or efficiency.
No one should direct staff, or decide on their own, to take shortcuts, reduce or turn off security, or reduce configurations just to meet a deadline, to satisfy a manager directive, or because it is easier. The public mission can be threatened when security is sacrificed for efficiency or deadlines. Work to foster a security mindset across your department with every employee, and find creative ways to support security as the foundation of, and not an impediment to, your department mission.
See our CTR Cyber page for more cybersecurity internal controls. Departments should contact [email protected] with any incidents or suspected incidents of fraud or cyber threats or if you need support from our Statewide Risk Management Team.