Leadership is on the right track when it asks why people and organizations don't do what they're supposed to do. Lessons observed (what we know) aren't converted often enough into lessons learned (what we do) to prevent familiar security lapses.
This is true of ALL organizations, not just government, and always boils down to one thing: Behavior. Doing the right thing the right way, or not, is about behavior whether you're in strategy or ops, management or staff, cyber or another part of the organization.
There are well-known reasons for right and wrong behavior (substitute authorized/unauthorized, safe/risky, protective/vulnerable, etc.) that don't need rehearsing. What is needed is to understand and manage the organizational chains within which desirable and undesirable behaviors reside. What follows is a process recommendation for locating undesirable behaviors in human and nonhuman systems, understanding what reinforces them, and altering/reconfiguring those reinforcements to produce the desired behavior.
The questions below derive from an approach to policy formulation called Backward Mapping. The premise is to start policy formulation where the rubber meets the road and work backwards through organizational systems to identify the right actions to be taken. It is an alternative to the traditional practice of formulating policy at the top with broad objectives and hoping to change individual behavior as a matter of compliance.
Although decades old, it's built on some of the same principles as more contemporary practices such as agile development, human-centered design, etc. It's content-neutral, so it applies to all the roles, processes, and environments relevant to cybersecurity. But it's also context-specific, so it supports precise changes to precise vulnerabilities. It makes an effective analytic tool for the "why are we not doing what we're supposed to do" question, and an insightful approach to change management.
1. Identify a specific behavior you wish to change
2. Describe what is wrong with the behavior and what triggered the need to change it
3. Describe the behavior you wish to see occur
4. Identify barriers/constraints that must be addressed for a [role] to implement the desired behavior
5. Propose relevant policy/plans/actions that address barriers/constraints so that a [role] can implement the desired behavior