Quantify Cyber Risk in the U.S. Federal Government

Mandates such as the President's Executive Order 13800 of May 2017 (EO) require that you identify high value assets, continually assess and manage cybersecurity risk, and cost-effectively size and prioritize cybersecurity investments. Major transformation initiatives such as the Modernizing Government Technology (MGT) Act require you to undertake massive IT projects and adopt shared services while providing an adequate, risk-based and cost-effective strategy for evolving cybersecurity threats.

The EO lays out clear expectations and principles for cyber risk management. It mandates a wholesale shift in the way cyber risk is assessed, reported on and managed, and it explicitly requires agencies to use the NIST Framework for Improving Critical Infrastructure Cybersecurity. But neither the EO nor the Framework tells you specifically how to assess, manage and report on cybersecurity risk under the new mandate.

Cyber risk quantification is the answer. The Factor Analysis of Information Risk (FAIR™) standard that drives the RiskLens platform makes it possible to quantify, report on and manage cyber risk in terms of impact: how often loss events are likely to occur and how much they are likely to cost. FAIR is already in use across the private sector and has been embraced by NIST, by your peers at the U.S. Department of Energy and by the Office of Management and Budget.

Standardize

On a cyber risk quantification model that informs top leadership

By quantifying cyber risk with RiskLens, you align your Agency around a true understanding of the potential impact of cyber events. This understanding informs every level of your decision making, from strategic to tactical. It also helps overcome a systemic issue in Government: top leadership's lack of understanding of the true nature of cyber risk. Quantifying cyber risk provides real answers to oversight bodies such as OMB (which accepts FAIR-based risk analyses), Inspectors General and Congress as to the extent of the risk you face, and as to why your budget requests are justified.

Assess

Cyber Risk in Terms of Impact

Your mission isn't simply to protect assets; it is to protect the Agency. The NIST Framework for Improving Critical Infrastructure Cybersecurity makes it clear that your cybersecurity program can no longer be framed around technical vulnerability assessments and qualitative heat maps. It needs to be built on an understanding of the potential impact to the Agency from a myriad of cyber events. Cyber risk quantification helps you identify your high value assets, identify the risk factors that actually drive loss so that you can fix them, and make risk-based decisions on IT modernization and shared services programs. Armed with this understanding, you can drive strategic and tactical decision making like never before, with decisions aligned completely to driving down risk.

Advance

Your Security Programs and Comply with Mandates

Build a truly effective security program by focusing your strategic and tactical initiatives on the biggest risks to your Agency. Drive better results from programs like CDM by ensuring that your focus is on the assets that matter most. Comply with mandates requiring better cyber risk management and reporting, such as FISMA and the May 2017 Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Guide your adoption of the NIST Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF), and drive adherence to risk reporting requirements across multiple pieces of legislation.

A Cyber Risk Management Program that Works

Emery Csulak – CISO and Deputy CIO at the U.S. Department of Energy – discusses his decision to adopt the FAIR model for cyber risk quantification. Emery is using FAIR as a guiding light for IT Modernization, and as his path forward to adhering to the NIST Framework for Improving Critical Infrastructure Cybersecurity. Hear what Emery looks to achieve from a quantified cyber risk management program and find out why the Department of Energy purchased the RiskLens platform in June of 2019.

Better questions, better answers, better security outcomes.

Adhere to the Presidential EO on Strengthening the Cybersecurity of Federal Networks

Report risk to OMB the Way They Want to See It

The Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure could not be clearer: you need to change the way you assess, manage and report on cyber risk.

The EO requires that you develop a cyber risk management process that is “aligned with strategic, operational and budgetary planning processes.” It calls on Agency heads to drive cyber risk management programs by leading “integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy and human resources.” And it requires each Agency head to report to OMB on the Agency’s cyber risk, including the risk mitigation and acceptance choices that have been made; that report is far more defensible when risk is stated in terms of impact rather than in qualitative ratings.

The good news is that RiskLens can help you achieve all of these objectives:

  • The RiskLens Platform for cyber risk quantification allows you to prioritize cybersecurity initiatives, and to set strategic and operational budgets, based on how much risk each initiative reduces
  • RiskLens Professional Services teams have helped dozens of the world’s largest organizations develop cyber risk quantification programs that bring together stakeholders across all disciplines
  • RiskLens trained OMB on the FAIR model, and OMB accepts FAIR based, quantified cyber risk reporting

Identify, Assess and Respond to Cyber Risk

Meet NIST Framework Guidelines

The NIST Framework for Improving Critical Infrastructure Cybersecurity calls for you to identify, assess and respond to risk by understanding the likelihood that an event will occur and the potential resulting impacts. With this understanding, you are able to set an acceptable level of risk and express a risk tolerance. This enables you to prioritize tactical cybersecurity activities, to make informed decisions about strategic expenditures, and to quantify and communicate adjustments to your cybersecurity programs.

The only path to this outcome is to stop treating cyber risk as a technical discussion built on vulnerability counts, or as a qualitative discussion built on heat maps. You must be able to conduct quantitative cyber risk assessments in order to achieve the mandated outcome.

The good news is that through the FAIR model – and through RiskLens, the only enterprise-tested software-as-a-service platform built on the FAIR model – assessing cyber risk in quantitative terms is practical today.

Moreover, NIST has recently embraced FAIR as a complementary analytics model to the NIST CSF – meaning that adopting FAIR is a great pathway to adherence.

By combining our Professional Services capabilities with the RiskLens Platform, we help you build a quantitative cyber risk management program and set you on the way to adhering to this mandate within a few short months.

Align Cybersecurity to the NIST Framework Core

Use Risk Management to better Identify, Protect, Detect, Respond and Recover

The NIST Framework for Improving Critical Infrastructure Cybersecurity outlines a Framework Core: a set of activities for achieving specific cybersecurity outcomes. It calls for organizing information to enable risk management decisions, addressing threats, and improving by learning from previous activities, so that the impact of investments in cybersecurity can be shown.

A quantified understanding of cyber risk guides you through all of the key activities outlined in the Framework Core:

  • Identify: Identifying and quantifying cyber risk according to a standard taxonomy and analytics model such as FAIR allows you to understand the business context, the resources that support critical functions, and the related cybersecurity risks (in terms of outcomes, not technical vulnerabilities) so that the organization can focus on what matters most.
  • Protect: Without understanding the potential impact of cyber events, developing and implementing appropriate safeguards is a guessing game. RiskLens helps you compare and contrast the effect of different security controls on each risk scenario, so that the safeguards you apply are proportionate, aligned, comprehensive, embedded and dynamic.
  • Detect: The Framework calls for you to develop and implement activities to detect the occurrence of a cybersecurity event, and your security ecosystem already produces this data in volume. Quantifying cyber risk takes it a step further: the FAIR model looks not only at how often these events occur but at the probability that an event results in a loss, and how large that loss is likely to be.
  • Respond: Without understanding the potential impact of an event, meaning its severity in financial terms, you cannot develop and implement appropriate activities to take action on it. How much is too little, how much is too much? The only way to know is to quantify the risk and design a response plan commensurate with it.
  • Recover: Similarly, by conducting quantitative what-if analyses, you can optimize your recovery initiatives based on their effectiveness in reducing the impact of unforeseen events. Double down on what works and ditch what doesn’t.
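To make the frequency-times-impact idea concrete, here is a small FAIR-style Monte Carlo analysis written for this page as an added example. It is not RiskLens code and it is not the FAIR standard itself: it uses beta-PERT distributions for calibrated minimum / most likely / maximum estimates and a Poisson draw for the number of loss events per year, both common modelling choices but assumptions here. The scenario numbers (threat event frequency, vulnerability, loss per event, the control's cost and the P90 risk tolerance) are constructed for illustration. The block serves the likelihood-and-impact assessment described under "Meet NIST Framework Guidelines" above and the what-if comparison of a control described under Protect and Recover.

```python
"""
FAIR-style Monte Carlo for one risk scenario (illustrative, added example).

Risk = Loss Event Frequency (LEF) x Loss Magnitude (LM), where
LEF = Threat Event Frequency (TEF) x Vulnerability (probability that a
threat event becomes a loss event). Every input is a calibrated
(minimum, most likely, maximum) estimate; all numbers below are constructed.
"""
import math
import random
import statistics


def pert_mean(low, mode, high, lam=4.0):
    """Mean of a beta-PERT(low, mode, high) distribution."""
    return (low + lam * mode + high) / (lam + 2)


def pert(rng, low, mode, high, lam=4.0):
    """Draw one beta-PERT sample (assumption: FAIR-style calibrated range)."""
    if high == low:
        return low
    a = 1 + lam * (mode - low) / (high - low)
    b = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small yearly rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


# Constructed scenario: credential phishing against an agency high value asset
# (threat events per year, P(loss event | threat event), USD lost per event).
BASELINE = {
    "tef": (2, 6, 12),
    "vuln": (0.30, 0.50, 0.70),
    "loss": (50_000, 250_000, 1_500_000),
}
# Same scenario with phishing-resistant MFA applied. Assumed effect: the
# probability that a phishing attempt becomes a loss event drops sharply.
WITH_MFA = dict(BASELINE, vuln=(0.05, 0.10, 0.20))
MFA_ANNUAL_COST = 120_000   # constructed control cost, USD per year
P90_TOLERANCE = 2_000_000   # constructed risk tolerance: P90 annual loss, USD


def point_estimate(scenario):
    """Deterministic annualized loss expectancy from the PERT means."""
    return (pert_mean(*scenario["tef"])
            * pert_mean(*scenario["vuln"])
            * pert_mean(*scenario["loss"]))


def simulate(scenario, trials=10_000, seed=1):
    """Return one simulated annual loss total (USD) per trial."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        lef = pert(rng, *scenario["tef"]) * pert(rng, *scenario["vuln"])
        events = poisson(rng, lef)
        losses.append(sum(pert(rng, *scenario["loss"]) for _ in range(events)))
    return losses


def summarize(losses):
    """Mean and percentiles of the simulated annual loss distribution."""
    s = sorted(losses)
    n = len(s)
    return {
        "mean": statistics.fmean(s),
        "p50": s[n // 2],
        "p90": s[int(0.9 * n)],
        "max": s[-1],
    }


def what_if(baseline, controlled, control_cost, trials=10_000, seed=1):
    """Compare two scenarios; positive net_benefit means the control pays for itself."""
    base = summarize(simulate(baseline, trials, seed))
    ctrl = summarize(simulate(controlled, trials, seed))
    reduction = base["mean"] - ctrl["mean"]
    return {
        "baseline": base,
        "controlled": ctrl,
        "risk_reduction": reduction,
        "net_benefit": reduction - control_cost,
        "controlled_within_tolerance": ctrl["p90"] <= P90_TOLERANCE,
    }


if __name__ == "__main__":
    print(f"point estimate (baseline): {point_estimate(BASELINE):,.0f} USD/yr")
    for key, value in what_if(BASELINE, WITH_MFA, MFA_ANNUAL_COST).items():
        print(f"{key}: {value}")
```

The point estimate is what a spreadsheet would give you; the simulation is what a decision maker needs, because it shows the tail (P90, maximum) that a single expected value hides, and the what-if comparison expresses a control's value in the same units as its cost.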

Build a Quantified Risk Management Program for Your Agency

Develop a true cyber risk management program

RiskLens isn’t just a software company, it is a partner in the development of your quantitative cyber risk management program. We marry our world class software platform with a professional services capability that has no rival. Our teams have helped some of the world’s largest organizations – including U.S. Federal Government Agencies – to develop quantified risk management programs.

Our approach to helping you build a quantified risk management program is holistic. We break down program development into five key areas of focus, each of which forms the basis for near and long term success:

  • Purpose: We help you identify program goals, the roles and responsibilities of key stakeholders throughout the organization, and the cross-organizational dependencies for success, so that everyone has clarity and focus and is on the same page.
  • People: We conduct training, education and awareness courses on cyber risk quantification, the FAIR model and how to benefit from FAIR analyses, from the executive suite that will use results to make better decisions to the risk analysts who will be doing the work.
  • Platform: As we onboard the RiskLens platform, the technology foundation for your program, we configure the software to your unique environment and build out rich data libraries that aid in the automation of cyber risk analyses.
  • Process: We help you identify your Crown Jewels and your top risk scenarios to build a baseline of your risk landscape, as well as the decision-making processes that will benefit from quantitative risk assessments. We teach you how to run those assessments, or conduct them for you if you prefer.
  • Performance: RiskLens is a long term partner for your success. We help you establish financially oriented risk appetite statements, show you how to continually monitor and report on changes to your risk posture, and establish ongoing success measurements.

Cyber Risk Quantification

Your pathway to NIST Framework Adherence and to Better Security Outcomes

Watch this short explainer video on cyber risk quantification using the FAIR model and the RiskLens Platform. You’ll see your cybersecurity future through a RiskLens, and a clear pathway to adhering to the NIST Framework for Improving Critical Infrastructure Cybersecurity mandated as part of the Presidential Executive Order of May 2017.

How FAIR is Changing Risk Management at PNNL

The FAIR model is changing the way your peers across Government think about, measure and manage cyber risk. Hear thoughts from Steve Kramer, shared at FAIRCON ’18, on how he and his peers across the U.S. Department of Energy arrived at FAIR.

"The two goals of an effective cyber risk management program should be to ask the right questions and make better informed decisions. Doing this will help drive a better security program, a defensible budget in front of Congress, and include meaningful information for senior executive conversations."

Emery Csulak - CISO and Deputy CIO at U.S. Department of Energy

"The best thing to do in cybersecurity is to think of it as a risk to be managed. My hope here is that the risk quantification frameworks like the FAIR model will help…collectively, you are definitely moving the country to a better place."

Representative Jim Langevin, Co-founder of the Congressional Cybersecurity Caucus

"When virtually every aspect of the business is quantitative...having the CISO give red/yellow/green heat maps is debilitating to decision-making."

Jack Jones, Creator of FAIR and Co-Founder at RiskLens

An Executive's Guide to Cyber Risk Economics

Jack Jones, creator of the internationally recognized FAIR model and co-founder at RiskLens, provides a high-level introduction to managing cyber risk from a business perspective. You'll learn how the FAIR model powers cost-benefit analysis for security initiatives on a par with other forms of enterprise risk management. Read this eBook and never be satisfied again with simple red-yellow-green risk ratings.

Demand Better Visibility into Cyber Risk

Within a matter of weeks you can completely change your understanding of cyber risk. Encourage your organization to embrace cyber risk quantification. Schedule a Demo today.