Accountability in cybersecurity: Why government agencies must raise the stakes


Promoting better cybersecurity in an organization might mean doing things like locking user machines when they don't complete cyber training because accountability is not optional.

As companies and contractors face mounting pressure for cybersecurity accountability, government agencies and their employees must also be held to the same standards.

Traditionally, agencies have relied on incentive-based models to promote cyber compliance, but today’s threat landscape demands a shift toward accountability at every level. Just as a reckless driver would lose their government vehicle privileges due to frequent crashes, employees who repeatedly crash their "digital vehicles" should face real consequences.

To move away from a culture based on incentives, agencies must emphasize a top-down commitment to security. This commitment must include the implementation of real repercussions for lapses in cybersecurity standards, and publicly hold agency leadership accountable.

Why Incentives Alone Don’t Work

Incentives, while appealing, tend to create compliance that’s short-lived or inconsistent. Reward-based systems can unintentionally minimize the importance of cybersecurity, often encouraging employees to merely check a box, rather than have cybersecurity embedded in their daily practices.

An incentive-based approach to cybersecurity diminishes its perceived importance and fails to address the root cause of the problem that government agencies have long faced: a lack of repercussions for non-compliance and a weak cultural understanding of the importance of cybersecurity throughout an entire agency.

Top-Down Accountability

In the private sector, minor policy violations can result in swift disciplinary action, sending a strong message to employees that compliance is non-negotiable. Government agencies, however, often struggle to impose even basic accountability measures for serious security lapses.

This reluctance stems from a cultural mindset that only IT professionals should uphold cybersecurity standards. Agency leadership often excuses regular employees' security lapses with the claim that "they're not really professionals" in cybersecurity. However, hackers don't just target IT employees; they target everybody.

For a cybersecurity culture to take root, accountability must come from the top down. When leaders visibly adhere to cybersecurity standards, they reinforce that cyber is everyone’s responsibility, not just the responsibility of the IT department. Regular discussions on cybersecurity, transparent responses to incidents, and consistent follow-up or repercussions on training compliance make accountability a daily practice.

Beyond Training Deadlines: Enforcing No-Exceptions Policies

Agencies need a “no exceptions” policy when it comes to cybersecurity training. One effective strategy is restricting access for employees who haven’t completed mandatory training on time. Locking an employee’s account sends a clear message: cybersecurity is non-negotiable. When access depends on completing training and carrying out these lessons, employees understand that accountability is an individual responsibility.

When employees are aware that skipping training has immediate repercussions, it prompts them to think about security proactively, not passively. Over time, this commitment to timely training translates to increased readiness and better overall cyber hygiene.

Publicizing Accountability Through Scorecards

Another effective way to build accountability is by making security metrics visible through publicized scorecards. Similar to the annual Festivus Report, which highlights government spending inefficiencies, the accountability scorecards would reveal which agencies are lagging in their cybersecurity and compliance efforts.

Creating accountability for agency heads and CIOs sets a public benchmark for cyber hygiene. Knowing that non-compliance will be visible will motivate leaders to put rigorous enforcement processes in place for employees at all levels. If performance is subject to public review, employees at all levels become more conscious of their actions and responsibilities.

Publishing scorecards also sends a strong signal to stakeholders: cybersecurity is a priority, and non-compliance will be visible. With added transparency, all employees understand that they’re accountable for maintaining rigorous standards, fostering a proactive mindset that emphasizes personal accountability.

Raising the Stakes on Cybersecurity

Government agencies handle sensitive data and protect some of the nation’s most critical assets. Cybersecurity should be a top priority, with real consequences for lapses in adherence to security standards. Accountability isn’t optional in an era where cyber threats are constant and evolving.