The U.S. Government Accountability Office (GAO) recently gave failing grades to 22 federal agencies for their cyber risk management programs, even though the May 2017 Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure explicitly calls for better cyber risk management programs. The EO also requires agencies to use the NIST Framework for Improving Critical Infrastructure Cybersecurity, which is built around risk management.
A primary reason for the failing grades is that neither the EO nor the Framework provides guidance on how to develop these risk programs. In a new article for Homeland Security Today, RiskLens Risk Science Director Jack Freund gets closer to the root of the problem. Too often, Jack writes, government risk managers take a controls-based approach (such as following a maturity framework like CMMI, Capability Maturity Model Integration), and “the result tends to be cybersecurity spending being viewed as a wish list without relevance to the organization’s mission.”
Read Jack’s article in HST: Lack of Actionable Data Contributes to Federal Cybersecurity Risk Program Failure
Jack has the solution: Apply cyber risk quantification (CRQ) through Factor Analysis of Information Risk (FAIR) to “develop a true risk-based methodology” to rationalize controls, set risk appetites, develop strategic priorities, then handle audits like the GAO’s.
The good news is that the CRQ movement in the federal government is already underway.
FAIR “allows agencies to think about the loss [from a cyber event] in terms of the activities and their corresponding costs when assessing mission impact,” Jack writes. For public sector risk analysis, that might include “lost/delayed wages and tax revenues, healthcare costs, loss of life, relocations, and quality of life.”
“Having these conversations is challenging as prioritizing and allocating limited resources is an emotional activity,” Jack writes, but misallocation could have devastating consequences for government agencies. “If your risk management program can’t help you prioritize your top risk items, then your biggest risk may be your risk management program.”
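The article is summarized here only at the level of outcomes: rationalized controls, a risk appetite, and a ranked list of top risk items built from mission-impact costs such as delayed wages and tax revenue. The Python below is an added illustration of what that looks like mechanically; it is not code from RiskLens, the FAIR Institute or Jack Freund’s article. It uses FAIR’s top-level decomposition (risk = loss event frequency × loss magnitude) with a Monte Carlo simulation over calibrated minimum / most-likely / maximum estimates. The two scenarios, every dollar figure, and the risk-appetite threshold are constructed assumptions for the example, not figures from any agency.

```python
"""FAIR-style cyber risk quantification for public-sector loss scenarios.

Added illustration (not RiskLens or FAIR Institute code). Each scenario carries a
calibrated estimate of Loss Event Frequency (events per year) and, per event, a
Loss Magnitude broken down by mission-impact cost category. A Monte Carlo run
turns those into an annualized loss distribution, which is what lets you rank
scenarios and compare them against a risk appetite. All names and numbers below
are constructed for the example.
"""
import math
import random
import statistics
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate (minimum, most likely, maximum)."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular is the simplest fit for a three-point estimate;
        # random.triangular takes its arguments as (low, high, mode).
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class LossScenario:
    name: str
    lef: Estimate                       # loss events per year
    loss_forms: Dict[str, Estimate]     # per-event loss in dollars, by cost category


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler: how many loss events occur in one simulated year."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def loss_magnitude(scenario: LossScenario, rng: random.Random) -> float:
    """Dollar loss for a single event: the sum over its mission-impact cost forms."""
    return sum(est.sample(rng) for est in scenario.loss_forms.values())


def simulate_annual_loss(scenario: LossScenario, rng: random.Random, years: int = 10_000) -> List[float]:
    """One simulated year per iteration: draw a frequency, draw the event count, sum event losses."""
    losses = []
    for _ in range(years):
        events = poisson(rng, scenario.lef.sample(rng))
        losses.append(sum(loss_magnitude(scenario, rng) for _ in range(events)))
    return losses


def rank_scenarios(scenarios, risk_appetite: float, years: int = 10_000, seed: int = 1):
    """Rank scenarios by annualized loss expectancy (ALE) and report tail figures
    plus the probability that a year's loss exceeds the stated risk appetite."""
    rng = random.Random(seed)
    results = []
    for s in scenarios:
        losses = sorted(simulate_annual_loss(s, rng, years))
        results.append({
            "scenario": s.name,
            "ale": statistics.fmean(losses),
            "p90": losses[int(0.90 * years)],
            "p99": losses[int(0.99 * years)],
            "p_exceed_appetite": sum(1 for x in losses if x > risk_appetite) / years,
        })
    results.sort(key=lambda r: r["ale"], reverse=True)
    return results


# Constructed scenarios using the kinds of public-sector loss forms the article names.
SCENARIOS = [
    LossScenario(
        "Benefits-payment system outage",
        lef=Estimate(1, 3, 8),
        loss_forms={
            "delayed wages and benefits to citizens": Estimate(50_000, 150_000, 400_000),
            "incident response and overtime": Estimate(20_000, 60_000, 150_000),
        },
    ),
    LossScenario(
        "Tax-record data breach",
        lef=Estimate(0.01, 0.05, 0.2),
        loss_forms={
            "lost or delayed tax revenue": Estimate(2_000_000, 5_000_000, 12_000_000),
            "healthcare and relocation support for affected citizens": Estimate(100_000, 400_000, 1_000_000),
        },
    ),
]
RISK_APPETITE = 1_000_000  # constructed: maximum tolerable annual loss per scenario

if __name__ == "__main__":
    for r in rank_scenarios(SCENARIOS, RISK_APPETITE):
        print(f'{r["scenario"]:32s} ALE ${r["ale"]:>12,.0f}  p90 ${r["p90"]:>12,.0f}  '
              f'p99 ${r["p99"]:>12,.0f}  P(loss > appetite) {r["p_exceed_appetite"]:.2f}')
```

Two things in the output are worth noticing. The frequent, cheap outage scenario carries the larger annualized loss and breaches the appetite in a large share of simulated years, so it ranks first even though the breach scenario’s single-event cost is far higher. And for the rare breach the 90th-percentile annual loss is zero while the 99th percentile is in the millions, which is why a program should report the tail alongside the ALE rather than rank on the mean alone.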
Understand the financial risk in cyber risk. RiskLens is the leader in online and in-person training on FAIR, the international standard model for cyber risk quantification.
FAIR Training and Certification