Read HSTRisk: Finding the Right Path with the Cyber Risk Management Cheshire Cat in Homeland Security Today
The good news, Jack writes, is that the cyber EO set the goal of getting all federal agencies onto the National Institute of Standards and Technology (NIST) Cybersecurity Framework for cybersecurity assessment, and set the goal that risk management should be “commensurate with risk and magnitude of harm”.
The bad news is that, given the current state of risk management in the cybersecurity industry, and the short time frame set by the EO, “that simply wasn’t going to happen – at least not in any sort of consistent and defensible manner,” in Jack’s opinion.
“If the government wants to ensure that cybersecurity strategy and planning are prioritized consistently and based on apples-to-apples cost-benefit analyses,” Jack writes, “it must adopt a standard cyber risk measurement model and method” like the FAIR model that powers the RiskLens platform, as a complement to NIST CSF assessments. Get the rest of Jack’s thinking on government cybersecurity at Homeland Security Today.
Read Jack's eBook: An Executive's Guide to Cyber Risk Economics