A primary reason for the failing grades is that neither the EO nor the Framework provides guidance on how to develop these risk programs. In a new article for Homeland Security Today, RiskLens Risk Science Director Jack Freund gets closer to the root of the problem. Too often, Jack writes, government risk managers take a controls-based approach (such as following a framework like CMMI, Capability Maturity Model Integration) and “the result tends to be cybersecurity spending being viewed as a wish list without relevance to the organization’s mission.”
Read Jack’s article in HST: Lack of Actionable Data Contributes to Federal Cybersecurity Risk Program Failure
Jack has the solution: Apply cyber risk quantification (CRQ) through Factor Analysis of Information Risk (FAIR) to “develop a true risk-based methodology” to rationalize controls, set risk appetites, develop strategic priorities, then handle audits like the GAO’s.
The good news is that the CRQ movement in the federal government is already underway:
FAIR “allows agencies to think about the loss [from a cyber event] in terms of the activities and their corresponding costs when assessing mission impact,” Jack writes. For public sector risk analysis, that might include “lost/delayed wages and tax revenues, healthcare costs, loss of life, relocations, and quality of life.”
“Having these conversations is challenging as prioritizing and allocating limited resources is an emotional activity,” Jack writes, but misallocation could have devastating consequences for government agencies. “If your risk management program can’t help you prioritize your top risk items, then your biggest risk may be your risk management program.”
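To make the FAIR approach Jack describes concrete (loss expressed as activities and their costs, then used to rank risk items), here is a small Monte Carlo risk quantification in Python. It is an added illustration written for this post, not code from Jack's article, RiskLens, or the FAIR standard. The three agency scenarios, every low/most-likely/high range, and the dollar figures are constructed for the example; it also simplifies FAIR by using triangular rather than PERT distributions and by taking Loss Event Frequency as Threat Event Frequency times Vulnerability.

```python
"""FAIR-style Monte Carlo risk quantification (added illustration, constructed data)."""
import math
import random
from dataclasses import dataclass
from statistics import mean, quantiles


@dataclass(frozen=True)
class LossForm:
    name: str
    per_event: tuple  # (low, most likely, high) dollars lost per loss event


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: tuple         # Threat Event Frequency: (low, likely, high) attempts per year
    vuln: tuple        # Vulnerability: (low, likely, high) probability an attempt becomes a loss event
    loss_forms: tuple  # LossForm(...) per cost bucket: FAIR primary and secondary loss


def draw(rng, rng3):
    """Sample a calibrated (low, likely, high) range; PERT would be used in practice."""
    low, likely, high = rng3
    return rng.triangular(low, high, likely)  # random.triangular(low, high, mode)


def poisson(rng, lam):
    """Knuth's algorithm: number of loss events in one year given expected count lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario, iterations=10_000, seed=1):
    """Return annualized loss statistics for one scenario (seeded, so reproducible)."""
    rng = random.Random(seed)
    annual = []
    for _ in range(iterations):
        lef = draw(rng, scenario.tef) * draw(rng, scenario.vuln)  # LEF = TEF x Vuln
        total = 0.0
        for _ in range(poisson(rng, lef)):  # each loss event this year
            total += sum(draw(rng, f.per_event) for f in scenario.loss_forms)  # loss magnitude
        annual.append(total)
    pct = quantiles(annual, n=10)
    return {
        "name": scenario.name,
        "mean": mean(annual),          # annualized loss exposure (ALE)
        "p10": pct[0],
        "p90": pct[8],
        "p_any_loss": sum(1 for a in annual if a > 0) / iterations,
    }


def rank(scenarios, **kw):
    """Order risk items by ALE: the prioritization a risk program is supposed to produce."""
    return sorted((simulate(s, **kw) for s in scenarios), key=lambda r: r["mean"], reverse=True)


# Constructed sample scenarios: hypothetical agency risk items, not real data.
SCENARIOS = (
    Scenario("Benefits-portal outage (DDoS)", tef=(2, 6, 12), vuln=(0.1, 0.3, 0.5),
             loss_forms=(LossForm("incident response", (10_000, 50_000, 150_000)),
                         LossForm("delayed benefit payments to citizens", (500_000, 2_000_000, 5_000_000)))),
    Scenario("Workstation ransomware, single field office", tef=(20, 40, 80), vuln=(0.02, 0.05, 0.10),
             loss_forms=(LossForm("incident response", (5_000, 20_000, 60_000)),
                         LossForm("lost staff productivity", (10_000, 40_000, 100_000)))),
    Scenario("Insider exfiltration of taxpayer records", tef=(0.1, 0.5, 1.0), vuln=(0.5, 0.7, 0.9),
             loss_forms=(LossForm("investigation and response", (50_000, 200_000, 500_000)),
                         LossForm("notification and credit monitoring", (500_000, 2_000_000, 5_000_000)),
                         LossForm("secondary: legal and oversight costs", (0, 1_000_000, 5_000_000)))),
)

if __name__ == "__main__":
    for r in rank(SCENARIOS):
        print(f"{r['name']:<45} ALE ${r['mean']:>12,.0f}  p10 ${r['p10']:>12,.0f}  "
              f"p90 ${r['p90']:>12,.0f}  P(any loss) {r['p_any_loss']:.2f}")
```

The ranking is the point: the ransomware scenario is the most likely to produce some loss in a given year, yet it ranks last by annualized exposure, while the low-frequency portal and insider scenarios dominate because their per-event mission costs are large. That is the conversation a controls checklist cannot start and a quantified model can.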