How to Talk About Ransomware So Leadership Will Listen

Chief information security officers are working to better engage the rest of government in cybersecurity resiliency and response planning, and several shared their tips during an RSA Conference panel last week.

CISOs need to talk with elected officials and different agencies to help them understand how a ransomware incident could affect them and their priorities, and to prepare them to talk with the public should an incident happen.

Mike Makstman cropped.JPG

“You don’t want it to be that the only time you engage with elected officials — or the only time they think about their role in the cybersecurity program — is during an incident,” said San Francisco CISO and Coalition of City CISOs co-chair Mike Makstman.


Boston CISO and Coalition of City CISOs co-chair Greg McCarthy said he watches budget hearings and elected officials’ speeches to see which parts of city operations have these officials’ attention. If he then explains how cybersecurity impacts those areas, the message is more likely to hit home.

“If we’re talking all technical, most of your elected officials’ … eyes are going to glaze over,” McCarthy said. “But if you say, for example, ‘All of our school systems went online over the pandemic, and they’re doing teaching on Zoom or Teams or Hangouts … if this is disrupted, we can’t teach our students anymore, and that’s a huge impact to our constituents that we serve, it’s a huge impact to their political views or political stances …,’ that was one thing that I found really, really effective,” McCarthy said.

There’s also another reason for non-IT officials to listen up: A city’s cybersecurity posture can have significant impact on government finances.

Municipalities’ cyber defenses can determine whether cyber insurers will offer them affordable plans and even impact their bond ratings. In Boston, for example, rating agencies have asked the city to explain its cybersecurity plan, incident history and security controls, McCarthy said.

“Cyber has been…