Mandates such as the President's Executive Order of May 2017 (EO) require that you identify high value assets, continually assess and manage cybersecurity risk, and cost-effectively size and prioritize cybersecurity investments. Major transformation initiatives such as the IT Modernization Act require you to undertake massive IT projects and adopt shared services while providing an adequate, risk-based and cost-effective strategy to address evolving cybersecurity threats.
The EO lays out clear expectations and principles for cyber risk management. It mandates a wholesale shift in the way cyber risk is assessed, reported on and managed, and it explicitly requires adherence to the NIST Framework for Improving Critical Infrastructure Cybersecurity. But neither the EO nor the framework tells you specifically how to assess, manage and report on cybersecurity risk under the new mandate.
Cyber risk quantification is the answer. The standard Factor Analysis of Information Risk (FAIR™) model that drives the RiskLens platform makes it possible to quantify, report on and manage cyber risk in terms of impact. FAIR is already in use across the private sector, is embraced by NIST, by your peers at the U.S. Department of Energy and by the Office of Management and Budget.
By quantifying cyber risk with RiskLens, you align your Agency to a true understanding of the potential impact of cyber events. This understanding informs every level of your decision-making process, from strategic to tactical. It also helps overcome a systemic issue in Government: top leadership's lack of understanding of the true nature of cyber risk. Quantified cyber risk gives oversight bodies such as OMB (which accepts FAIR-based risk analyses), Inspectors General and Congress real answers about the extent of the risk you face and about why your budget requests are justified.
Your mission isn't simply to protect assets - it is to protect the Agency. The NIST Framework for Improving Critical Infrastructure Cybersecurity makes it clear that your cybersecurity program can no longer be framed around technical vulnerability assessments and qualitative heat maps. It needs to be built on an understanding of the potential impact to the Agency from myriad cyber events. Cyber risk quantification helps you identify your high value assets, identify the true risk factors so that you can fix them, and make risk-based decisions on IT modernization and shared services programs. Armed with this understanding, you can drive strategic and tactical decision making like never before - decisions aligned completely to driving down risk.
Build a truly effective security program by focusing your strategic and tactical initiatives around the biggest risks to your Agency. Drive better results from programs like CDM by ensuring that your focus is on the assets that matter most. Comply with legislative mandates requiring better cyber risk management and reporting, such as FISMA and the May 2017 Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Guide your adoption of the NIST Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF), and drive adherence to risk reporting requirements across multiple pieces of legislation.
Emery Csulak – CISO and Deputy CIO at the U.S. Department of Energy – discusses his decision to adopt the FAIR model for cyber risk quantification. Emery is using FAIR as a guiding light for IT Modernization, and as his path forward to adhering to the NIST Framework for Improving Critical Infrastructure Cybersecurity. Hear what Emery looks to achieve from a quantified cyber risk management program and find out why the Department of Energy purchased the RiskLens platform in June of 2019.
Better questions, better answers, better security outcomes.
The Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure could not be more clear – you need to change the way you assess, manage and report on cyber risk.
The EO requires that you develop a cyber risk management process that is “aligned with strategic, operational and budgetary planning processes.” It calls on Agency heads to drive cyber risk management programs by leading “integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy and human resources.” It mandates that you report to OMB on your Agency’s cyber risk in terms of impact, not in qualitative terms.
The good news is that RiskLens can help you achieve all of these objectives.
The NIST Framework for Improving Critical Infrastructure Cybersecurity calls for you to identify, assess and respond to risk by understanding the likelihood that an event will occur and the potential resulting impacts. With this understanding, you are able to set an acceptable level of risk and express a risk tolerance. This enables you to prioritize tactical cybersecurity activities, to make informed decisions about strategic expenditures, and to quantify and communicate adjustments to your cybersecurity programs.
The only path to this outcome is to stop treating cyber risk as a technical discussion conducted by enumerating vulnerabilities, or as a qualitative discussion built on heat maps. You must be able to conduct quantitative cyber risk assessments in order to achieve the mandated outcome.
The good news is that through the FAIR model – and through RiskLens, the only enterprise-tested, software-as-a-service platform built on the FAIR model – assessing cyber risk in quantitative terms is a reality.
Moreover, NIST has recently embraced FAIR as a complementary analytics model to the NIST CSF – meaning that adopting FAIR is a great pathway to adherence.
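As an added illustration of what "quantifying risk in terms of likelihood and impact" means in FAIR terms, the stand-alone Python below is not RiskLens code and uses no RiskLens API. It implements the published FAIR structure (risk = loss event frequency x loss magnitude, with loss event frequency = threat event frequency x vulnerability, and loss magnitude = primary + secondary loss) as a Monte Carlo simulation, expresses a risk tolerance as a dollar ceiling on the 90th-percentile annual loss, and carries out the cost-benefit comparison for one control that the Jack Jones eBook passage further down refers to. The scenario, its estimate ranges and the control cost are constructed assumptions, and triangular sampling is a simplification of the PERT distribution that FAIR tooling typically uses.

```python
"""Added example: minimal FAIR-style Monte Carlo risk analysis, stdlib only.
Not RiskLens code. All scenario numbers below are constructed, not real data."""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A calibrated (minimum, most likely, maximum) range, the form FAIR inputs
    usually take. Sampled with a triangular distribution as a simplification of
    the PERT distribution FAIR tools typically use."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    """One loss scenario in FAIR terms: threat event frequency (TEF, events per
    year), vulnerability (probability a threat event becomes a loss event), and
    primary and secondary loss magnitude per loss event, in dollars."""
    name: str
    tef: Estimate
    vulnerability: Estimate
    primary_loss: Estimate
    secondary_loss: Estimate


def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one simulated year for expected rate lam (Knuth's method)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate(scenario: Scenario, trials: int = 10_000, seed: int = 7) -> list[float]:
    """Annual loss for each simulated year: draw LEF = TEF x vulnerability, draw how
    many loss events occur at that rate, and sum a loss magnitude per event."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(trials):
        lef = scenario.tef.sample(rng) * scenario.vulnerability.sample(rng)
        events = poisson(rng, lef)
        total = sum(
            scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
            for _ in range(events)
        )
        annual_losses.append(total)
    return annual_losses


def summarize(annual_losses: list[float]) -> dict[str, float]:
    """Annualized loss exposure (mean) plus percentiles, all in dollars."""
    s = sorted(annual_losses)
    n = len(s)

    def pct(q: float) -> float:
        return s[min(n - 1, int(q * n))]

    return {"ale": statistics.fmean(s), "p10": pct(0.10), "p50": pct(0.50),
            "p90": pct(0.90), "max": s[-1]}


def within_tolerance(summary: dict[str, float], p90_tolerance: float) -> bool:
    """Risk tolerance stated as: the 90th-percentile annual loss must not exceed a dollar figure."""
    return summary["p90"] <= p90_tolerance


def control_net_benefit(baseline: list[float], controlled: list[float], annual_cost: float) -> float:
    """Cost-benefit of a control: expected ALE reduction minus its annual cost."""
    return statistics.fmean(baseline) - statistics.fmean(controlled) - annual_cost


# Constructed scenario (hypothetical figures, not from any real assessment):
# credential phishing leading to compromise of a high value system.
PHISHING = Scenario(
    name="credential phishing -> high value system compromise",
    tef=Estimate(10, 30, 60),
    vulnerability=Estimate(0.02, 0.05, 0.10),
    primary_loss=Estimate(50_000, 200_000, 1_000_000),
    secondary_loss=Estimate(20_000, 100_000, 2_000_000),
)
# Same scenario with phishing-resistant MFA assumed to cut the vulnerability factor.
PHISHING_WITH_MFA = Scenario(
    name=PHISHING.name + " (with MFA)",
    tef=PHISHING.tef,
    vulnerability=Estimate(0.002, 0.005, 0.02),
    primary_loss=PHISHING.primary_loss,
    secondary_loss=PHISHING.secondary_loss,
)
MFA_ANNUAL_COST = 150_000  # assumed annual cost of the control


def analyze() -> dict:
    """Run both scenarios and return the numbers a risk report would carry."""
    base = simulate(PHISHING)
    ctrl = simulate(PHISHING_WITH_MFA)
    return {
        "baseline": summarize(base),
        "with_mfa": summarize(ctrl),
        "mfa_net_benefit": control_net_benefit(base, ctrl, MFA_ANNUAL_COST),
    }


if __name__ == "__main__":
    result = analyze()
    for label in ("baseline", "with_mfa"):
        s = result[label]
        print(f"{label:9s} ALE ${s['ale']:,.0f}  p50 ${s['p50']:,.0f}  p90 ${s['p90']:,.0f}")
    print(f"MFA net benefit per year: ${result['mfa_net_benefit']:,.0f}")
```

The output is a loss distribution in dollars rather than a colour on a heat map: the mean is the annualized loss exposure, the 90th percentile is what you test against a stated tolerance, and the difference between the two scenarios' means, less the control's cost, is the cost-benefit figure a budget request can cite. Replace the constructed ranges with calibrated estimates from your own analysts before using the shape of this calculation for anything real.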
Through the marriage of our Professional Services capabilities and the RiskLens Platform, we help you build a quantitative cyber risk management program and set you on the way to adhering to this mandate within a few short months.
The NIST Framework for Improving Critical Infrastructure Cybersecurity outlines a Framework Core that provides a set of activities to achieve security outcomes. It calls for organizing information so that it supports risk management decisions, addresses threats and captures lessons from previous activities, which in turn helps show the impact of investments in cybersecurity.
A quantified understanding of cyber risk guides you through all of the key activities outlined in the Framework Core's five Functions (Identify, Protect, Detect, Respond and Recover).
RiskLens isn’t just a software company, it is a partner in the development of your quantitative cyber risk management program. We marry our world class software platform with a professional services capability that has no rival. Our teams have helped some of the world’s largest organizations – including U.S. Federal Government Agencies – to develop quantified risk management programs.
Our approach to helping you build a quantified risk management program is holistic. We break down program development into five key areas of focus, each of which forms the basis for near and long term success.
Watch this short explainer video on cyber risk quantification using the FAIR model and the RiskLens Platform. You’ll see your cybersecurity future through a RiskLens, and a clear pathway to adhering to the NIST Framework for Improving Critical Infrastructure Cybersecurity mandated as part of the Presidential Executive Order of May 2017.
The FAIR model is changing the way your peers across Government think about, measure and manage cyber risk. Hear thoughts from Steve Kramer – shared at FAIRCON ’18 on how he, and his peers across the U.S. Department of Energy, arrived at FAIR.
Jack Jones - creator of the internationally recognized FAIR model and co-founder at RiskLens provides a high-level introduction to managing cyber risk from a business perspective. You'll learn how the FAIR model powers cost-benefit analysis for security initiatives on a par with other forms of enterprise risk management. Read this eBook and never be satisfied again with simple red-green-yellow risk ratings.
Within a matter of weeks you can completely change your understanding of cyber risk. Encourage your organization to embrace cyber risk quantification. Schedule a Demo today.