DOE Deputy CISO Greg Sisson recently disclosed that he’s not focused on buying security tools right now — first, he’s leveraging the FAIR model for cyber risk quantification (CRQ) to help him make the right strategic decisions. In a new article for Homeland Security Today, RiskLens Risk Science Director Dr. Jack Freund takes a look at what’s driving the DOE — and in fact all federal agencies — toward a risk-based, quantified approach to cybersecurity.
Jack applauds the DOE’s 2018 plan for energy sector security that states:
“Resources are limited and all systems cannot and should not be protected in the same manner. DOE will use risk-based methods to make decisions and prioritize activities.”
“Kudos are due to the DOE for making this statement; it’s an incredibly mature and sophisticated look at the complex, interconnected world in which we live,” Jack writes.
“There’s a lot of synergy with FAIR” and the DOE’s Risk Management Process (RMP) guidance document, Jack notes, with FAIR analysis capable of providing the prioritization needed to carry out the RMP’s high-level guidance.
“Be on the lookout for a more explicit connection to CRQ as the DOE’s experience with FAIR increases – and expect to see similar initiatives coming out of other departments and agencies as the risk-based approach spreads,” Jack writes.
There’s plenty of confirmation for Jack’s point of view in a recently released report from the General Accounting Office that gave failing grades on cyber risk management to 23 federal agencies and departments. Federal CISOs repeatedly told GAO investigators that they were being held back by lack of ability to quantify risk, lack of a common vocabulary and taxonomy to analyze risk and inability to prioritize investment to meet the requirements of federal frameworks — all failings that, as the Energy Department is finding, can be cured by applying FAIR.
Read Jack’s article in Homeland Security Today