1. Size – Measure overall risk exposure across the organization's value chain
2. Monetize – Adopt a defensible framework for quantifying the benefits of cybersecurity investments
3. Operationalize...
Response to question 7) How can we sustain executive-level attention to this critical issue, and institutionalize cyber as an ongoing component of agency risk management practices, not just a sidebar activity?
Cement the relationship between CISOs and RMOs and CDOs; not just an exclusive reporting relationship to CIOs
Use FITARA governance requirements to get cyber risks built into program and budgeting evaluations up front, not afterwards
Engage agency executives to be proactively demanding requirements/expectations/priorities from cyber shops
In a similar way to State Governors being able to declare a "State of Emergency" to unlock resources and federal assistance, perhaps Federal CISOs should be able to declare an "InfoSec State of Emergency" to unlock some shared assets and capabilities to make the 30-day Cyber sprint a reality.