“Would you tell me please — which way to go from here?” asked Alice.
“That depends a good deal on where you want to get,” replied the Cheshire Cat.
As government signals its desire to drive better risk management into cybersecurity, it is imperative that across the administration there is a uniform blueprint for what the overall objectives and priorities are. Multiple million-dollar awards have recently been made to contractors – from various departments and agencies – to help drive better cyber risk management. Without a government-wide understanding of what this means, these projects could potentially miss a critical objective.
This leads us to the executive order from President Trump on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure that was signed in May 2017. After all, doesn’t the EO describe the government’s cybersecurity objectives? Superficially, yes, and it is certainly influencing the scope of the projects that are spinning up. Furthermore, its short deadlines were guaranteed to quickly get everyone’s oar in the water, stroking vigorously – in one direction or another.
You can’t get there from here…
What, I wonder, would the Cheshire Cat have said to Alice if she had expressed a desire to go somewhere that, well, just wasn’t possible? Being a direct sort of cat, perhaps he’d simply have said something like, “You can’t get there from here. Is there somewhere else you’d like to go?”
The good news is the EO set an expectation that everyone would use the National Institute of Standards and Technology (NIST) Cybersecurity Framework as a standard for cybersecurity assessment. The bad news is it called for assessment, planning, and reporting to occur within a very short timeframe. This wouldn’t have been a problem except that baked within this was an expectation that risk management measures would be “commensurate with risk and magnitude of harm.” Given the state of risk measurement in the cybersecurity industry, which I described in last month’s article, and the incredibly short reporting timeframe, that simply wasn’t going to happen – at least not in any sort of consistent and defensible manner. Will cybersecurity risk levels decline because of these projects? Absolutely, but we shouldn’t delude ourselves that the plans reported within the defined timeframe were going to reflect cost-effective risk management.
Fixing an airplane in flight
However, all is not dark and gloomy. Risk management is always a bit like fixing an airplane’s course mid-flight, and this is no different. It’s never too late to re-evaluate an organization’s cyber risk management strategy and plans and, if necessary, adjust priorities and expectations. That’s usually much easier when done earlier rather than later in the process.
As simple as that sounds, it can be a tough thing to accomplish for a couple of reasons:
- There are usually egos involved – i.e., current planning was done by professionals who may not be inclined to have their strategies and plans called into question.
- If the government wants to ensure that cybersecurity strategy and planning are prioritized consistently and based on apples-to-apples cost-benefit analyses, it must adopt a standard cyber risk measurement model and method.
The first challenge can be mitigated by executive management simply saying, “Make it so.” Yes, there will be some gnashing of teeth, but the goal isn’t to protect egos. The goal is to take every practical step to ensure that our government can apply its limited cybersecurity resources – i.e., tax dollars – as cost-effectively as possible.
The second point isn’t inherently difficult. A well-established framework for cyber risk measurement already exists. Factor Analysis of Information Risk (FAIR) is an open international standard that has been under development and in use for over 15 years by public and private organizations. The FAIR standard was accepted and is managed by the Open Group.
The bottom line
It’s important to keep in mind the threat communities we face, whether nation-state, criminal or ideology-driven, have inherent advantages that are largely outside of our control. Unfortunately, an inability to prioritize effectively or understand the cost-benefit proposition of our risk management efforts is a gift we hand them every day. It’s also something within our reach to fix if we take it seriously. Given the focus and resources now being broadly applied to the cybersecurity problem thanks to the EO, it seems logical and responsible to ensure they’re applied as cost-effectively as possible.