How Cyber Risk Economics Can Help Agency Heads Meet New Accountability Standards

January 10, 2019, Chris Bryant

The Impending Executive Order (EO)
If you operate in cyber, you would be hard-pressed to miss the recent news about the President's new EO on cybersecurity.

Once signed, the EO will ask senior leaders across the federal landscape to understand, and report smartly on, the cybersecurity risks their agencies face, and to make explicit recommendations for mitigating threats and managing risk more effectively. Another key distinction is that the Director of the Office of Management and Budget and the Secretary of Homeland Security will be tasked with leading an assessment of enterprise risk across the entire federal government.

Increased Accountability
The new order calls for an uncompromising level of senior-leadership accountability across a broad range of federal agencies. Agencies must take their strategy, assessment, and management of cyber risk to new heights, with top brass leading from the front. Here are a few key points taken directly from the EO draft: "(c) Risk Management.

  • (i) Agency Heads will be held accountable by the President for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of information or systems.
  • (ii) Each Agency Head shall provide a risk management report to the Director of the Office of Management and Budget (OMB) and the Secretary of Homeland Security within 90 days of the date of this order describing the agency's implementation of the Framework.
  • (iii) The risk management report shall document at a minimum the mitigation and acceptance choices made by each Agency Head."

The Dilemma: Meeting the Mandate While Reducing Costs
The President says he wants agencies to emulate the private sector in how they manage, mitigate, and communicate risk across their enterprise, even remarking that the private sector is "way ahead". At RiskLens, we have seen a growing push by Fortune companies to move from a purely technical, compliance-driven approach to cybersecurity to a risk-driven approach that takes the consequences of cyber events into account. The President is also calling for modernization of federal executive branch IT. Bottom line: federal entities will have to start thinking like their enterprise counterparts. How can agency heads meet these requirements for improving their risk posture while also meeting renewed compliance obligations under the NIST CSF and budget-reduction objectives?

Leveraging Cyber Risk Economics
Many commercial organizations faced the same dilemma and turned to RiskLens' cyber risk quantification platform to:

  • Identify their top risks in financial terms.
  • Prioritize their risk mitigations based on business/mission impact.
  • Conduct cost/benefits analysis of their cybersecurity initiatives.

RiskLens is purpose-built on FAIR (Factor Analysis of Information Risk), the international standard quantitative model for cybersecurity risk. FAIR has been recognized by NIST as a complementary quantitative analysis standard to the NIST CSF. While the NIST CSF helps answer the question "what is the maturity level of our cybersecurity initiatives?", FAIR helps answer the questions "how much risk do we have, and which activities matter most and should be prioritized?". FAIR has also been recognized by US federal banking regulators (Federal Reserve, OCC, FDIC) as a valid method for quantifying cyber risk rigorously and consistently.
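To show what "how much risk do we have?" looks like when FAIR's decomposition is actually run, here is an added example; it is not code from RiskLens or the FAIR Institute. It simulates one constructed scenario (credential phishing against a hypothetical benefits portal) from made-up minimum / most-likely / maximum estimates, computes annualized loss exposure (ALE) in dollars, and ranks three hypothetical controls by ALE reduction minus their yearly cost, which is the cost/benefit analysis in the bullet list above. The triangular sampling, the Poisson event count, and every dollar figure are assumptions of this example, not figures from the article.

```python
"""FAIR-style Monte Carlo estimate of annualized loss exposure (ALE).

Added illustrative example, not RiskLens or FAIR Institute code. The
scenario figures, mitigation costs and distribution choices are constructed
assumptions chosen to show the mechanics, not data from the article.
"""
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A FAIR "calibrated estimate": (minimum, most likely, maximum).
Estimate = Tuple[float, float, float]


@dataclass(frozen=True)
class Scenario:
    """One loss scenario, decomposed the way FAIR does it."""
    name: str
    tef: Estimate              # threat event frequency, threat events per year
    vulnerability: Estimate    # probability a threat event becomes a loss event
    loss_magnitude: Estimate   # dollars lost per loss event (primary + secondary)
    annual_cost: float = 0.0   # yearly cost of the control this scenario assumes


def _sample(rng: random.Random, est: Estimate) -> float:
    """Draw from a triangular distribution over (min, most likely, max).

    Assumption: FAIR tooling commonly uses a PERT distribution here; the
    triangular one is used only because the standard library provides it.
    """
    lo, mode, hi = est
    return rng.triangular(lo, hi, mode)


def _poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in a year for a given rate (Knuth's method)."""
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(sc: Scenario, iterations: int = 10_000,
                           seed: int = 7) -> List[float]:
    """Simulate `iterations` years; each entry is that year's total dollars lost."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    losses: List[float] = []
    for _ in range(iterations):
        # Loss event frequency = TEF x vulnerability (FAIR's first split).
        lef = _sample(rng, sc.tef) * _sample(rng, sc.vulnerability)
        events = _poisson(rng, lef)
        # Each loss event gets its own magnitude draw; sum them for the year.
        losses.append(sum(_sample(rng, sc.loss_magnitude) for _ in range(events)))
    return losses


def percentile(values: List[float], q: float) -> float:
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def summarize(sc: Scenario, iterations: int = 10_000, seed: int = 7) -> Dict[str, float]:
    """ALE (mean annual loss) plus points a loss-exceedance curve is built from."""
    losses = simulate_annual_losses(sc, iterations, seed)
    return {
        "ale": sum(losses) / len(losses),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p_zero_loss": sum(1 for x in losses if x == 0) / len(losses),
    }


def rank_mitigations(baseline: Scenario, options: List[Scenario],
                     iterations: int = 10_000, seed: int = 7) -> List[Tuple[str, float]]:
    """Net annual benefit of each control: ALE reduction minus the control's cost."""
    base_ale = summarize(baseline, iterations, seed)["ale"]
    ranked = []
    for opt in options:
        ale = summarize(opt, iterations, seed)["ale"]
        ranked.append((opt.name, base_ale - ale - opt.annual_cost))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked


# Constructed scenario: credential phishing against a hypothetical benefits portal.
PORTAL_LM = (50_000.0, 200_000.0, 1_000_000.0)
BASELINE = Scenario("As-is", tef=(2, 6, 12), vulnerability=(0.20, 0.40, 0.60),
                    loss_magnitude=PORTAL_LM)
MITIGATIONS = [
    # Phishing-resistant MFA: attacks still arrive, far fewer succeed.
    Scenario("Phishing-resistant MFA", tef=(2, 6, 12), vulnerability=(0.05, 0.10, 0.20),
             loss_magnitude=PORTAL_LM, annual_cost=150_000),
    # Segmentation and tested restores: same breach rate, smaller blast radius.
    Scenario("Segmentation and tested restores", tef=(2, 6, 12),
             vulnerability=(0.20, 0.40, 0.60),
             loss_magnitude=(20_000.0, 80_000.0, 300_000.0), annual_cost=400_000),
    # Checklist compliance tool: cheap, but barely moves the risk.
    Scenario("Checklist compliance tool", tef=(2, 6, 12), vulnerability=(0.18, 0.36, 0.55),
             loss_magnitude=PORTAL_LM, annual_cost=50_000),
]

if __name__ == "__main__":
    base = summarize(BASELINE)
    print(f"Baseline ALE ${base['ale']:,.0f}  p50 ${base['p50']:,.0f}  p90 ${base['p90']:,.0f}")
    for name, net in rank_mitigations(BASELINE, MITIGATIONS):
        print(f"{name:35s} net annual benefit ${net:,.0f}")
```

Running it prints the baseline ALE and the three controls in order of net annual benefit. The checklist tool lands last because it lowers vulnerability by only a few points, which is the difference between "are we compliant?" and "how much risk did we remove?" that the paragraph above draws between the CSF and FAIR. Swap in real calibrated estimates and a PERT sampler before using this shape for an actual decision.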

Cyber Risk Quantification in Action in Government
In a recent address to members of the FAIR Institute, John Carlin, chair of the global risk and crisis management practice at Morrison & Foerster and formerly in charge of the cybersecurity division at the US Department of Justice, spoke about the transformative experience that cyber risk quantification brought to government organizations.

He described how a reactive law-enforcement organization, whose mission was to hold perpetrators of terrorist acts accountable, transformed itself into an intelligence agency whose responsibility was to see where acts of terror might occur and prevent them from happening. In that process, they had to figure out how to garner support from their oversight committees and justify the need to re-allocate resources to certain operations. That led to a project to quantify risk.

They discovered a lot of value in helping field officers who were not risk professionals respond, in a structured fashion, to questions about what the risk was in their domain. But most importantly, he concludes, "based on my experience, it is not even the resulting number that matters the most. It's the conversation it engenders, that allows a board, a decision-making committee, to think in a very structured frame about what the risk is, so that the business side of the house can support you in identifying where resources need to go and how many you need."

At RiskLens, a company founded and operated by veterans, national security is very important to us. We are excited to see the federal space taking these steps and look forward to partnering with federal leaders to meet this new mandate.