In May 2017, I was appointed Director of Risk Management for the Town of Greenwich and Greenwich Public Schools. There were many things to learn and much to stay on top of, including cybersecurity, which pushed to the forefront of my priorities. While the Town and Schools had robust cybersecurity protections and policies in place, communication between the entities managing the networks was limited. Cyber liability insurance applications have become much more detailed and complex. The Finance Board was inquiring about the town-wide budget required to address cybersecurity issues and concerns. The one person who touches all departments and entities and needs to be involved in these discussions is risk management. But how would I efficiently and accurately collect and reflect the information needed to make these decisions and ensure that cybersecurity-related issues and concerns were budgeted for and addressed? I needed to bring all the experts into one room (albeit virtually) to ensure confidential information was shared among those who needed to be involved. A virtual meeting is especially helpful if the public entity is geographically dispersed or has employees with hybrid or remote work schedules.
The Town of Greenwich Cyber Security Task Force (CSTF) was formed.
I reached out to the Town's Chief Technology Information Officer to inquire about which positions would be appropriate and necessary to include on the task force. We then reached out to all relevant IT entities in Town and the Schools and had a representative from each commit to meeting monthly virtually to discuss cybersecurity-related issues and concerns. In addition, I am on the task force, as are a paralegal from the Law Department, the Comptroller, and the Chief Information Security Officers for the Town and the Public Schools. We do not record meetings or keep meeting minutes because the discussions are highly confidential, given that security-related information for the Town and Public Schools is discussed. All attendees must turn on their camera when they first sign in to ensure only authorized participants are present. If any documents need to be shared with the committee, they are sent via a password-protected email platform.
Be prepared for some pushback from employees or staff, as with any new endeavor. I assured each person asked to serve on the task force that any information shared would be kept confidential and that the purpose of the Task Force is to share information and resources to help one another, not to place blame or call out any shortcomings. It is important to build those relationships and get the buy-in from all involved.
Preliminary objectives and a mission statement should be formed. One of our first and most successful goals as a task force was to organize and implement robust cybersecurity training for anyone with a town-issued email address. This includes employees, staff, elected officials, appointed officials, and others. The training is mandatory as part of the onboarding process, and refreshers are given annually. If anyone fails the training, their email and most search and file access rights are suspended until they complete a refresher and pass. One of the highest sources of exposure in cybersecurity is human error. It is imperative that public entities protect themselves as much as possible from these threats.
One final thought: I realize that public entities face various budget constraints. Forming the task force incurs no cost to the entity, and discussions are ongoing regarding workarounds or other solutions due to budget constraints.
Don’t get caught without guardians protecting your gateway! Form a cyber security task force to work together on protecting your organization(s) from internal and external cyber threats and attacks!
*The views and opinions expressed in the Public Risk Management Association (PRIMA) blogs/podcasts are those of each respective author/speaker. The views and opinions do not necessarily reflect the official policy or position of PRIMA.*
Megan Damato
Director of Risk Management, Town of Greenwich, CT and Greenwich Public Schools.
Professional Biography
Megan has eight years of experience in municipal risk management, including overseeing the development, implementation, and management of Town policies, programs, and procedures for risk control, risk avoidance, loss control, risk transfer, and risk financing for the Town of Greenwich and Greenwich Public Schools.
Responsibilities
--Administers, develops and maintains town-wide policies, programs and procedures for risk control.
--Oversees and coordinates all risk control activities and ensures compliance with all State and/or Federal Statutes; implements risk management programs to safeguard the Town’s physical assets and the monetary assets of the operating and fiduciary funds as well as the physical safety of town employees and the public at large.
--Develops and administers a continuous program of loss prevention and control, identifying and evaluating major loss exposures.
--Reviews facilities, programs, and other activities for risk management implications.
Education
UCONN - Graduated in 2002 with BS in Human Development and Family Studies
Quinnipiac University School of Law - Graduated in 2005 with Juris Doctorate
Continuing education with PRIMA and CT PRIMA
