The One Thing That Makes Election Security Assessments Actionable

Whether your cybersecurity program is advanced or in its beginning phases, an election security assessment is a significant part of improving your cybersecurity stance. However, an assessment is only one step in strengthening your defenses against cybercrime. The actions and decisions that follow an assessment are the true determining factor of success.

The methodologies and scope of assessments can vary widely, and while any assessment can serve as a solid jumping-off point for better security practices, one element goes a long way toward ensuring that a cybersecurity assessment becomes a strong catalyst for better election security.

Understanding How Cybersecurity Fits in the Election Process

That element is perspective. An election security assessment that is weighed down in cybersecurity industry jargon and intense detail is great if you have a cybersecurity team who lives in that world and speaks that language day in and day out. However, most election departments do not have a cybersecurity role on their staff. In many cases, the IT function, which can include cybersecurity, is outsourced. This means that the decisions about what to do next to improve security fall to election leadership, not to a cybersecurity specialist. To make the good decisions this high-stakes initiative requires, they need to understand the challenges and the solutions from a higher-level perspective.

This places an important requirement on companies that perform assessments. They need not only to present the details of their findings thoroughly and accurately, but also to place those findings in the context of what they mean for the election process. Only then can election leadership make good decisions about which projects to implement, in what order of priority, and what resources to assign to them, given that leadership typically juggles many competing demands with limited resources.

Election Security Assessments Can Align Teams Around a Common Cybersecurity Goal

When looking for an assessment provider, ask if they provide the following:

  • A prioritized list of their findings
  • Context around what could happen if certain issues are not addressed
  • An idea of how your organization ranks in relation to a relevant average
  • Recommendations for improvements in non-technical language

An in-depth, highly technical report is still the crux of any effective assessment, and the information listed above should not be a substitute for that detailed data. It should be an additional layer of the overall assessment.

An assessment provider who can answer your questions in clear, simple terms can be a helpful partner in boosting your security posture. The team can provide clear cybersecurity guidance on which steps to pursue within the context of keeping the entire election process operating smoothly. With the right high-level perspective in addition to the technical details, your entire team gains a view of your security practices that everyone can incorporate into their plans for continuous improvement. Even if you are one of the fortunate few who have an internal IT or cybersecurity team, having assessment data that is wrapped in context helps facilitate the crucial discussions that technical teams need to have with other areas of the organization. It helps all stakeholders understand what’s at stake, what is operating as it should, and where the team needs to take immediate action.

About the author

Brian Engle

Brian Engle is the CISO and Director of Advisory Services, a role in which he leads the delivery of strategic consulting services for CyberDefenses' growing client base, including risk management support, information security program assessment, and cybersecurity program maturity evolution. Prior to working at CyberDefenses, he was the founder and CEO of Riskceptional Strategies, a consulting firm focused on enabling the development of successful strategies for implementing, operating, and evolving risk-based cybersecurity programs. Brian’s previous information security roles include Executive Director of the Retail Cyber Intelligence Sharing Center (R-CISC), CISO and Cybersecurity Coordinator for the State of Texas, CISO for the Texas Health and Human Services Commission, CISO for Temple-Inland, Manager of Information Security Assurance for Guaranty Bank, and Senior Information Security Analyst for Silicon Laboratories. Brian has been a professional within Information Security and Information Technology for over 25 years, serves as a past president and Lifetime Board of Directors member of the ISSA Capitol of Texas Chapter, is a member of ISACA, and holds CISSP and CISA certifications.