ACT-IAC Cybersecurity Innovation Initiative 7. Executive Leadership-led Risk Management

Federal executives continue to grapple with how best to allocate funds in addressing prevalent and emerging cyber threats. Federal agencies can empower executives in the fight against cyber crime by taking three calculated actions:

1. Size – Measure overall risk exposure across the organization's value chain
2. Monetize – Adopt a defensible framework for quantifying the benefits of cybersecurity investments
3. Operationalize... more »

Executive Leadership-led Risk Management has not been a part of the past because risk management issues were isolated to factions of the Organization. To keep Executive Leadership engaged in Risk Management activities execute a Risk Management Framework (NIST) which involves all Tiers 1-3(Organization., Mission-Business Processes, & Information Systems) in the Risk Management Process/Commuincations. Two-way Communication... more »

Organizations in government tend to be overly optimistic about their capabilities and performance, reference OPM's epic failure. Cyber security is too important to be left to self-assessments. An organization should be externally assessed and rated by unbiased and competent evaluators. Risk is only one aspect of management performance. Governance, culture and technical competence are but three key facets that determine... more »

Provide for the escalation of risk-based decisions through senior leadership if critical security recommendations are rejected by owners of business lines or applications, ensuring critical security decisions are not made in isolation. For example, decisions to keep critical systems available while overriding security recommendations should no longer be routinely deferred exclusively to network, system, or application... more »

As enterprises strive to gain value by leveraging technology, the risk associated with digital business is increasing. Isolated approaches to information security, business continuity and incident response are a thing of the past; today, the urgency of providing continuously available services for customers and business partners in the digital economy requires enterprises to become resilient. A resilient enterprise protects... more »

(Regular print are supported ITAPS recommendations in response to questions, flagged are expanded recommendations to more explicitly address questions, not directly addressed by ITAPS; participated in and collaborated with ITAPS OMB-OPM-NSC Task Force)

How can we sustain executive-level attention to this critical issue, and institutionalize cyber as an on-going component of agency risk management practices, not just... more »

What government organizations need to do to ensure the success of their nascent cyber risk management initiatives
.
On Aug 31, 2015 Governor McAuliffe of Virginia signed an executive directive mandating an expansion of cyber risk management activities within the VA government and agencies. Its intended goal is to improve the protection of citizens' personal information and other sensitive data and systems.
We commend... more »

Response to question 7) How can we sustain executive-level attention to this critical issue, and institutionalize cyber as an ongoing component of agency risk management practices, not just a sidebar activity?

Cement the relationship between CISOs and RMOS and CDOs; not just an exclusive reporting relationship to CIOs

Use FITARA governance requirements to get cyber risks built into program and budgeting evaluations up front, not afterwards

Engage agency executives to be proactively demanding requirements/expectations/priorities from cyber shops

In a similar way to State Governors being able to declare a "State of Emergency" to unlock resources and federal assistance, perhaps Federal CISO's should be able to declare an "InfoSec State of Emergency" to unlock some shared assets and capabilities to enable the 30 day Cyber sprint a reality.

The evolution of the cyber attacker’s techniques, skills and tools has far exceeded the pace of the cyber defender’s. Throughout the public and private sector, from federal agencies to health insurance providers, emerging threats continue to wreak havoc on enterprise networks, applications and data. Incident response teams must move faster, but the tools they’ve been given to do the job aren’t fast enough in detecting,... more »