NASCIO 2014 State IT Recognition Award Nomination Cyber Security RETURN ON INVESTMENT Film State of Delaware Department of Technology and Information Category: Cyber Security Initiatives Nominator: James H. Sills, III Secretary/CIO Contact: Elayne Starkey - CSO Project initiation date: January 2013 Project completion date: April 2013
EXECUTIVE SUMMARY Revenues are down. Expenses are up. Budgets are tight. Security is expensive. What is the return on investment for information security? Could the CEO be held criminally responsible for an information security breach? RETURN ON INVESTMENT is a film created by the State of Delaware Department of Technology and Information. This movie was created for our 4th Annual Cyber Security Workshop in February 2013. The film features State of Delaware employees (and budding actors) for the majority of the cast positions. We developed the film to bring awareness that although protective cyber security measures do not come cheap, the costs of lost revenue, spoiled reputation, and breach recovery can be far greater than the cost to invest in strong security. What an important message for our management to hear! Page 1 of 4
BUSINESS PROBLEM AND SOLUTION DESCRIPTION Cyber Awareness, Education, and Training have been the cornerstone of Delaware s Information Security Program since its inception. Our program includes training at all levels, including outreach and collaboration with local governments and other critical infrastructure providers in the state. Many of our exercises, seminars, and cyber conferences are jointly planned and executed by the community. One of our feature events is the annual Delaware Cyber Security Workshop, a day-long education conference that brings together state and local governments, law enforcement, military, higher education, healthcare, and other critical infrastructure providers. A special feature of the 2013 Delaware Cyber Security Workshop was the unveiling of the RETURN ON INVESTMENT film, the third in a series of cyber security movies created by the State of Delaware Department of Technology and Information s W2 Productions. Page 2 of 4
The film gives the viewer a peek into the boardroom discussions of CEO Christopher Banks, CIO Robert Matthews, and CFO Leslie Channing as they struggle to balance the budget. The CIO advocates that cutting cloud security is a mistake and we can t put a price on keeping information safe and secure. The CEO decides to balance the budget by cutting back on security. He justifies his decision by saying that we ll add security back in later. He meets the bottom line but pays a much bigger price when his company is responsible for a large security breach of social security numbers, dates of birth, and other personally identifiable information. It turns out that the CEO and CIO become neighbors.in prison, as a judge and jury holds them criminally responsible for the breach. SIGNIFICANCE OF THE PROJECT One of the biggest challenges to maintaining an effective education and awareness program is finding ways to keep the message fresh, inviting, and interesting to our target audience. Over the years, we ve published newsletters, run contests, offered boot camps, and even wrapped a Delaware Transit bus with a cyber security theme. Our latest attempt is to venture into video marketing of the cyber security message. Why? Just look at the popularity of YouTube: 1 billion users watch 6 billion videos per month. There is plenty of compelling evidence suggesting that video marketing should be a major focus of every outreach program. According to Dr. James McQievey of Forrester Research, the value of one minute of video is 1.8 million words. That s the equivalent of 3,600 typical web pages. When you look at it that way, video marketing of any type of message cannot be ignored. Page 3 of 4
BENEFIT OF THE PROJECT At the 2013 Delaware Cyber Workshop, we ran 3 consecutive sessions of RETURN ON INVESTMENT and it was one of the most popular sessions. The viewing of the film was followed by a Q&A discussion session with the participants, which helped to reinforce the salient points of the film. Some enjoyed it so much they stayed in their seat to watch it a second time. Others left to track down their manager to encourage them to attend the next viewing. Additional showings of RETURN ON INVESTMENT were held in various departments across the State; the film was also featured as an instructional tool for Wilmington University s Systems Analysis and Design course. The film has already been viewed by over 1000 executives, IT leaders, vendors and managers, and it is available for use in college courses, corporate trainings, and military and local government cyber safety presentations. In the end, we invested less than $5,000 and 11 hours of film time to produce a 15- minute film that has been viewed by hundreds of people. Given the important message that it conveys, the ROI of the RETURN ON INVESTMENT film is incredibly high. It continues to be an effective tool to keep the cyber security message fresh, inviting, and interesting to our target audience. RETURN ON INVESTMENT is the third in a successful series of cyber security dramatic educational films. 37.5 (2009) was the debut and it was an immediate hit; a Cyber Security spoof of Fox Network s hit television series, 24. Governor Jack Markell played himself in the film. A year later, the team produced its second film, Dimensions of Deceit (2010), which followed the same Cyber Security genre, yet with a more serious and practical plot line. The entire series has exceeded our expectations and provided a great boost to our outreach and awareness efforts. In summary, the Delaware RETURN ON INVESTMENT film is a unique and creative security awareness tool, and a strong contender for the 2014 NASCIO Cyber Security Award. Link to Cyber Security RETURN ON INVESTMENT Film: http://youtu.be/rj6kejchxza Page 4 of 4