On Aug 31, 2015 Governor McAuliffe of Virginia signed an executive directive mandating an expansion of cyber risk management activities within the Virginia state government and its agencies. Its intended goal is to improve the protection of citizens' personal information and other sensitive data and systems.
We commend Governor McAuliffe for mandating a swift transition to a risk-based approach to cybersecurity, so that risk mitigations can be prioritized based on their capacity to reduce actual risk. This is even more impressive at a time when Federal and State agencies nationwide have been focusing on meeting cybersecurity regulations from a technical compliance perspective.
The once-dominant assumption that compliance leads to total protection has been shattered by the constant increase in the number and sophistication of cyber attacks. Compliance-based approaches to cybersecurity are useful for implementing a minimum set of security best practices, but they are not sufficient, in large part because they fail to address the need to prioritize effectively. If cyber risk cannot be completely eliminated, then it needs to be managed and reduced to a minimum level that an organization can tolerate. Many organizations, mostly large commercial enterprises, started the transition to risk-based approaches to cybersecurity in the past year and, until yesterday, we were wondering when government organizations would follow suit.
Achieving the goals listed in the directive, particularly risk prioritization and developing a risk-based approach to security and mitigation plans, will require the implementation of key risk management initiatives: