Ensuring the Success of Nascent Cyber Risk Management Programs in Government

By Nicola (Nick) Sanna | January 23, 2019


Virginia taking the lead in mandating a risk-based approach to cybersecurity

On Aug 31, 2015, Governor McAuliffe of Virginia signed an executive directive mandating an expansion of cyber risk management activities within the VA government and agencies. Its intended goal is to improve the protection of citizens' personal information and other sensitive data and systems.

We commend Governor McAuliffe for mandating a swift transition to a risk-based approach to cybersecurity, so that risk mitigations can be prioritized based on their capacity to reduce actual risk. This is even more impressive in a context where Federal and State agencies nationwide have been focusing on meeting cybersecurity regulations from a technical compliance perspective.

Transitioning from a compliance-based to a risk-based approach to cybersecurity

The once-dominant assumption of compliance leading to total protection has been shattered by the constant increase in the number and the sophistication of cyber attacks. Compliance-based approaches to cybersecurity are useful for implementing a minimum set of security best practices but are not sufficient, in large part because they fail to address the need to prioritize effectively. If cyber risk cannot be completely eliminated, then it needs to be managed and reduced to a minimum level that an organization can tolerate. Many organizations, mostly large commercial enterprises, started the transition to risk-based approaches to cybersecurity in the past year and, until yesterday, we were wondering when government organizations would follow suit.

Key factors of success

Achieving the goals listed in the directive, particularly risk prioritization and developing a risk-based approach to security and mitigation plans, will require the implementation of key risk management initiatives:

  • Choosing a standard risk model for managing information risk. Choosing a standard taxonomy and ontology for defining and managing information risk such as FAIR (Factor Analysis of Information Risk) is an essential first step. The Commonwealth will not be able to consistently quantify, compare and aggregate the multitude of risk scenarios if they aren't operating from consistent definitions of risk and related risk management practices.
  • Moving beyond qualitative assessments of risk. Aiming at mere qualitative assessments of risk will limit the prioritization of risk scenarios and will not enable effective decision-making. Effective prioritization and decision-making will require understanding the possible loss exposure in quantifiable terms that everyone can agree on and understand, rather than relying on inherently subjective and inaccurate estimates in terms of High, Medium or Low, or in terms of 1-5 scoring.
  • Adopting quantitative risk analysis to enable effective prioritization. Value-at-Risk models have emerged to analyze information security and operational risks with the same analytical rigor and objectivity as traditional risk management disciplines and are being adopted by many of the world's largest corporations. Our hope is that the Commonwealth of Virginia and many other Federal and State agencies will follow suit and adopt proven cyber risk quantification methodologies as part of their new risk management programs.