Quantify Cyber Risk in the U.S. Federal Government

The Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure could not be more clear – you need to change the way you assess, manage and report on cyber risk.

The EO requires that you develop a cyber risk management process that is “aligned with strategic, operational and budgetary planning processes.” It calls on Agency heads to drive cyber risk management programs by leading “integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy and human resources.” It mandates that you report to OMB on your Agency’s cyber risk in terms of impact, not in qualitative terms.

The good news is that RiskLens can help you achieve all of these objectives:

• The RiskLens Platform for cyber risk quantification allows you to prioritize cybersecurity initiatives and set strategic and operational budgets based on their ability to reduce risk
• RiskLens Professional Services teams have helped dozens of the world’s largest organizations develop cyber risk quantification programs that bring together stakeholders across all disciplines
• RiskLens trained OMB on the FAIR model, and OMB accepts FAIR based, quantified cyber risk reporting

The NIST Framework for Improving Critical Infrastructure Cybersecurity outlines a Framework Core that provides a set of activities to achieve security outcomes. It calls for organizing information to enable risk management decisions, address threats and improve learning from previous activities to help show the impact of investments in cybersecurity.

A quantified understanding of cyber risk guides you through all of the key activities outlined in the Framework Core:

• Identify: Identifying and quantifying cyber risk according to a standard taxonomy and analytics model such as FAIR allows you to understand the business context, the resources that support critical functions, and the related cybersecurity risks (in terms of outcomes, not technical vulnerabilities) so that the organization can focus on what matters the most.
• Protect: Without understanding the potential impact of cyber events, developing and implementing appropriate safeguards is a guessing game. RiskLens helps you compare and contrast the impact of various security controls applied to risk scenarios – so that you ensure that the safeguards you apply are proportionate, aligned, comprehensive, embedded and dynamic.
• Detect: The framework calls for you to develop and implement activities to detect the occurrence of a cybersecurity event – you have access to this data in droves from your security ecosystem. That said, quantifying cyber risk takes this a step further, as the FAIR model looks not only at the frequency of these events but the probability of a negative impact from them.
• Respond: Without understanding the potential impact of an event – meaning its severity in terms of impact – you cannot develop and implement appropriate activities to take action on that event. How much is too little, how much is too much? The only way to know is to quantify the risk and design an action plan to respond commensurate to that risk.
• Recover: Similar to the above, by conductive quantitative what-if analyses, you can optimize your recovery initiatives based on their effectiveness in mitigating the impact of unforeseen events. Double down on what works and ditch what doesn’t.