“Cybersecurity is an iceberg topic: The largest part is what you don’t see—and that’s the part that can sink an organization,” wrote Wayne Sommer, internal audit manager in Aurora, Colorado, and former director of administration and finance at ICMA. Sommer was writing for the ICMA Blog, and his suggestions were so good that we’re repeating them for people who didn’t see the blog post.

One of Sommer’s responsibilities in Aurora is to look at his organization through the eyes of “risk,” the possibility of an event or condition occurring that will have an impact on the ability of the organization to achieve its strategic objectives. With that in mind, he teamed up with Tim McCain, Aurora’s information security officer, to come up with a list of questions managers should ask as they address the risk of cyber disruptions.

“In Aurora, we are watching the cybersecurity ice mountain grow larger and larger before our eyes, but we are not sitting still or ignoring it,” McCain wrote. “We are looking below the surface at the complex issues involved and chipping away at them strategically, consistently, and in line with the resources we have at hand. It’s not an easy task. It’s a big berg. We have no choice; neither do you.”

Cybersecurity affects everyone. Large? Medium? Small? Regardless of your organization’s size, you are a potential target. E-mail scams, network attacks, and ransomware are just three of the predators out there looking for a vulnerable target. Cities take advantage of technology to make internal operations and service delivery more efficient and effective. The “Internet of things,” which enables cities to use the Internet in ways never before imagined, provides an exponential number of increasing opportunities for mayhem.

A manager can hand the problem off to IT and move on, but the problems and the solutions go beyond IT. Cybersecurity is an organizational issue that just happens to enter in through the technology door. Addressing the issue needs to start at the top and involve everyone within the organization.

Managers deal with risk every day, whether they are conscious of it or not. And cybersecurity is a risk challenge that requires a conscious approach. Here are six questions a manager can use as a framework to get started.

1. What could go wrong? Brainstorm. No possibilities are off the table. The more voices in the room from every staff position and generation, the more likely you are to gather a comprehensive list of possibilities.
2. What would be the early warning signs? How would you know if something is amiss? Have your staff noticed more mysterious e-mails in their inboxes? Is your IT Department finding anomalies showing up on their reports? Is your administrative staff receiving any odd phone calls? Identify as many warning signs as you can and try to understand if you have the ability to monitor them and alert the appropriate people if they occur.
3. What is the likelihood of this event or condition occurring? This is somewhat subjective, but have your staff consider your existing defenses, the status of your hardware and software, and even your computer use policies. Did you know that any staff member sitting in front of a monitor and keyboard is your greatest vulnerability point? Open one wrong e-mail attachment and . . . well, it could get ugly quickly. Gauging your threat awareness and readiness will help you estimate the likelihood of an event occurring. No one is immune. The question is no longer “if” you will ever get hacked, but “when.”
4. What would be the impact if an event did occur? First thoughts here jump to financial hits and that is a real possibility; but don’t forget to consider potential impacts on internal operations, external service delivery, and especially reputation impacts. Who wants to work for an organization that cannot keep its employees’ personal information out of the public domain?
5. How would you respond if it did occur? This is critical. Once an event occurs, how you respond can affect the severity of the impact. Your response can also boost or further destroy your organization’s reputation in the public’s eye. Identify the response resources required—time, money, and people—for which you should plan before an incident occurs.
6. What are you doing now that would minimize the impact or likelihood of this risk or condition if it did occur? You can use your work in determining your organization’s current preparedness level to address this question.

Sommer and McCain suggest gathering a cross-section of your operational staff to begin answering these questions related to cybersecurity. That’s a good starting point that can help you evaluate your preparedness, identify your worst vulnerabilities, and provide a basis for generating an action plan to begin addressing this critical issue. “Start now,” Sommer says. “That iceberg is headed your way.”

Contacts: Wayne C. Sommer, internal audit manager, Aurora, Colorado (wsommer@auroragov.org); Tim McCain, information security officer, Aurora, Colorado (tmccain@auroragov.org).