Perhaps an alternative is providing prioritization for allocation of existing funds (This mandate is #1, then this exec order etc etc).
With the "public" availability of such a list, audit should become more effective, ...
1) How do we move from inconsistent security/privacy protection control approaches to solid fundamentals that address most basic risks faced by agencies?
Cyber Tips of the Day – the first thing to pop up on the intranet logon screen would be a cyber awareness question (with the ability to quickly check against the answer). These would be focused on knowledge leveling, increasing awareness of vulnerabilities created by SPAM/phishing attacks, etc. etc.
1. Establish “white hat” teams that test employees through phishing and spear-phishing intrusion testing.
2. Change enterprise email policy to only allow plain text, preventing unintentional click-through threats.
3. Similar to the “Cybersecurity Tip of the Day” concept, establish a “Cybersecurity Blunder of the Day” program.