In an article for GCN, “Real Cyber Hygiene Depends on Risk Assessment, Not Compliance,” RiskLens CEO Nick Sanna argues that the Cyber Hygiene report card issued to federal agencies by the Department of Homeland Security’s US-CERT falls short. The report card, Nick writes, is a technical vulnerability scan, not an actual risk analysis that generates the information decision-makers most need.
“Looking through our FAIR cybersecurity risk analysis lens, the government’s cyber guardians should identify the assets at risk, the likely frequency of attacks on an annual basis and the impact of ongoing attacks to get actionable insight into their current risks and to game out the relative effectiveness of potential controls. Currently, agencies get good visibility into technical deficiencies, but bad prioritization.”
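As an added illustration, not code from the GCN article or from RiskLens, here is a small FAIR-style Monte Carlo in Python that does what the quote describes: it takes calibrated ranges for annual loss-event frequency and per-event impact for one asset, produces an annualized loss figure with tail percentiles, and games out a hypothetical control against its cost. The scenario, the ranges, the MFA control and its cost are all constructed assumptions.

```python
import math
import random
import statistics
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Scenario:
    """Constructed FAIR-style loss scenario: one asset, one threat event type.
    freq is loss events per year, magnitude is USD per event; both are
    (min, most_likely, max) ranges as an analyst would calibrate them."""
    name: str
    freq: tuple
    magnitude: tuple

def point_estimate(s: Scenario) -> float:
    """Single-point annualized loss: most-likely frequency x most-likely magnitude."""
    return s.freq[1] * s.magnitude[1]

def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method: number of loss events in one year given expected rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate(s: Scenario, years: int = 20000, seed: int = 7) -> dict:
    """Monte Carlo over simulated years: sample a rate, then per-event losses."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        rate = rng.triangular(s.freq[0], s.freq[2], s.freq[1])
        n = _poisson(rng, rate)
        annual.append(sum(rng.triangular(s.magnitude[0], s.magnitude[2], s.magnitude[1])
                          for _ in range(n)))
    q = statistics.quantiles(annual, n=100)  # 99 cut points; q[89] is the 90th pct
    return {"ale": statistics.fmean(annual), "p90": q[89], "p95": q[94]}

def control_benefit(base: Scenario, controlled: Scenario, annual_cost: float, **kw) -> float:
    """Net annual benefit of a control: ALE reduction minus the control's annual cost."""
    return simulate(base, **kw)["ale"] - simulate(controlled, **kw)["ale"] - annual_cost

# Constructed asset: an agency web portal exposed to credential-stuffing login abuse.
PORTAL = Scenario("portal credential stuffing", freq=(2, 6, 15), magnitude=(20_000, 80_000, 400_000))
# Hypothetical control: MFA rollout assumed to cut event frequency by ~70% at $150k/yr.
PORTAL_MFA = replace(PORTAL, name="portal + MFA", freq=(0.6, 1.8, 4.5))

if __name__ == "__main__":
    print("point estimate:", point_estimate(PORTAL))
    print("baseline:", simulate(PORTAL))
    print("with MFA:", simulate(PORTAL_MFA))
    print("net annual benefit of MFA:", round(control_benefit(PORTAL, PORTAL_MFA, 150_000)))
```

The point estimate and the simulated ALE differ noticeably because the ranges are skewed; the tail percentiles are what let two controls be ranked rather than just listed.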
DHS would do well to take a cue from the SEC's cybersecurity guidance, which directs public companies to size cyber risk and its cost, or to follow the lead of trendsetters in the cyber risk profession, like Gartner, which recently added risk quantification to its list of the five must-haves for successful integrated risk management.