Cyber security


Federal cybersecurity is everyone's responsibility

Insights to action

The collective impact is staggering—federal agency data breaches have resulted in millions of stolen personal records¹ and possible illegal trading.² These incidents can disrupt and potentially disable some of the work of government agencies around the country and can impact their citizen customers.

More than just information technology

By: Deborah Golden, Tim Li, Pilar Jarrin, Stephen Woskov, and Rachel Mastro

A 2017 Executive Order placed more responsibility on senior executives to develop a strategy for strengthening federal networks and protecting agencies from cyber threats. But is “cybersecurity” just a problem for information technology offices to solve? Core business functions should share the responsibility to enhance an agency’s security posture and decrease its susceptibility to cyber risks. Senior executives of federal agencies should establish a broader approach towards cybersecurity that encompasses responsibility and accountability across both the functional and technical areas of focus, incorporating various levels across these disciplines given the pervasive impact of cybersecurity on the agency.

Information technology (IT) teams are typically considered essential to protecting networks, applications, and assets. Monitoring and blocking cyber traffic, installing the latest software patches, and controlling user accesses are just a few of the many protection measures generally needed to defend an agency from cyber-attacks. IT senior leaders commonly sustain these capabilities by enabling employees and implementing technology to address the latest threats through education and training opportunities.

However, other business functions can be just as important when it comes to protecting the cyber domain. The Executive Order released in May 2017 states:

Effective risk management requires agency heads to lead integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy, and human resources.

It seems no longer sufficient to rely only on IT leaders with the technical acumen for cyber. Executives across all business functions should develop knowledge and skills to help safeguard their agency’s information and assets. A shared responsibility for mitigating cyber risk can be important to sustain federal operations, preserve mission assurance, and protect the nation.


Importance of senior executives in influencing behaviors

To drive a culture of cybersecurity that goes beyond IT considerations, understanding the leadership role that senior executives play within an agency is often essential. If the senior executives aren’t bought in, how can they expect the employees of an agency to cooperate? In order for senior executives to change potentially risky behaviors that employees might engage in, they should focus on the factors that can impact how an employee thinks, feels, and acts.

Every senior executive has the potential to be a catalyst for creating a cyber-aware culture by:

  • Setting a “tone at the top” and becoming the example for employees to follow
    As many as 88 percent of all US workers aren’t sure if their agency has information security policies. This lack of awareness could be improved by senior executives talking about cyber as an issue they own too.
  • Equipping employees with the right tools, funding, and training to perform their duties
    With most cybersecurity training, employees only have a 25 percent chance of recognizing a cyber attack one month after the training is complete. Senior executives can help protect their agency by instituting more frequent awareness education.

But what are more targeted actions that senior executives in non-IT positions can take to help prevent, mitigate, and respond to cyber incidents?

In order for senior executives to change potentially risky behaviors that employees might engage in, they should focus on the factors that can impact how an employee thinks, feels, and acts.

Some key cybersecurity considerations for federal senior executives across an agency

This section pinpoints specific examples of activities that senior executives within core agency business functions should consider when thinking about cybersecurity.

Human resources

People are what make the government run. Cybersecurity challenges could require changes to hiring and training within human resources:

  • Hiring: With a competitive job market, employees who possess essential technical skills are often challenging to source. The hiring strategy should explore innovative methods for acquiring talent, such as leveraging the gig economy.
  • Workforce training: Each employee can inadvertently do something that might cause a cybersecurity incident. While agencies typically mandate cybersecurity training, attention may be needed to ensure learning objectives are successfully adopted and training effectiveness is measured. Executives in particular should be provided with training focused on high impact topics such as critical infrastructure protection and high value assets.


Business objectives cannot be accomplished without funding. Finance should proactively establish a budget to maintain and evolve agency cybersecurity functions, while also accounting for potential risks:

  • Capital planning: Hiring employees with specific skill sets and purchasing hardware/software comes with high lifecycle costs. Consider coordinating with other senior executives across the agency to identify long-term cybersecurity budget needs.
  • Risk budgeting: Risks can be both tangible (e.g. stolen hardware) and intangible (e.g. hacked data). Consider how these types of risks can impact the budget and develop strategies to mitigate their effect, like budgeting for a loss reserve.


Agencies must know how to lawfully operate. With a fast-paced cybersecurity landscape, the legal team should remain diligent with compliance and education:

  • Compliance: Consider the range of impacts that could result from Privacy Act violations or data breaches. Establishing comprehensive policies and procedures can help maintain compliance with all applicable regulations.
  • Legal education: Significant cybersecurity incidents could change federal regulations and policies. Consider establishing practices for legal teams to remain current on evolving rules via news alerts, continuing education, and routine industry reviews.


Agencies should be equipped for future challenges. The planning function should increase collaboration and conduct exercises to prepare for cyber incidents:

  • Collaboration: Senior executives from all business areas are typically necessary to tackle cybersecurity issues. Consider forming a cyber risk working group or designating a federal leader and ensure the proper questions are being addressed to evaluate the agency’s cyber maturity.
  • Exercises: To enable agency preparedness in the event of a cyber incident, resiliency should be tested periodically. Consider developing and conducting war gamming exercises to increase the agency’s muscle memory as well as identify response gaps.


No matter what, the mission must always carry on. The operations function should identify where IT dependencies exist and consider implications of extending the mission beyond physical boundaries.

  • IT mission mapping: Operations depend upon resilient information systems. Mapping current IT systems to agency objectives can help determine where vulnerabilities exist and mitigation strategies that should be strengthened. This framework often helps agencies understand the potential impact of cybersecurity issues on the mission.
  • Virtual domain: Business processes have become increasingly virtual (e.g. telework, Internet of Things). With the creation of this new extended enterprise, particular consideration is often needed to understand how security operations should propagate in this expanding ecosystem.

Visit our Cyber Risk Services and Leadership Services pages to learn more about what Deloitte has to offer regarding cybersecurity and senior executive services.

Learn more about 'Insights to action'

Insights to action is a community for sharing proven ideas during a time when government agencies are almost universally experiencing disruptive change. It shares insights from trusted leaders with extensive experience and diverse perspectives on leadership, strategy, business operations, innovation, and emerging capabilities.

Insights to action helps leaders and managers look again at the challenges and opportunities that come along with the evolution in government.

Back to top

Discover more perspectives and research

Insights to action home


1 OPM.govCybersecurity resource center—cybersecurity incidents
2 Federal News Radio—“SEC reveals 2016 hack that breached its filing system”, September 20, 2017

Did you find this useful?