Are standard approaches to risk management becoming obsolete as cybersecurity threats to federal information systems grow more relentless and sophisticated? Many experts in government and industry think that more dynamic assessments are in order, while federal security pros often complain about overly complex methodologies.
"Risk management is the heart of the problem right now," said Adam Vincent, chief technology officer-public sector at Layer 7 Technologies, which provides security services to federal agencies, including Defense Department organizations. "The threat is advancing quicker than we can keep up with it. The threat changes faster than our idea of the risk. It's no longer possible to write a large white paper about the risk to a particular system. You would be rewriting the white paper constantly."
In conventional risk management, security initiatives are prioritized so that resources can be aimed at what are perceived to be the greatest security threats. That leaves an organization knowingly exposed to risks that fall outside the prioritized structure, even if those risks appear minimal. Earlier this year the National Institute of Standards and Technology issued updated guidelines in its risk assessment framework that mirrored a shifting emphasis toward continuous monitoring and real-time assessments. Special Publication 800-53A, revision 1, Guidance for Assessing the Security Controls in Federal Information Systems and Organizations/Building Effective Security Assessment Plans, describes a shift in emphasis to enterprisewide, near-time risk management "in dynamic environments of operations."
To be sure, as systems become more globalized, the imperative is to be able to evaluate risks more holistically, sources said.
"My biggest concern on the federal side is what I would term the seams between the various parts of the organization," said Roger Baker, assistant secretary for information and technology at the Veterans Affairs Department. "The biggest thing that we're doing at VA is eliminating those seams. We have a consolidated network. We're doing the things that give us full visibility to all the devices and managing the entire portfolio from that risk standpoint."
Vincent said that the notion of "coupling together" the risk of various systems as they interoperate needs to be looked at. "I think risk management is one of the reasons why we can't move as fast as the threat can push us, so we're always going to be forced to do things a day late and dollar short because systems are going to change and the threat is going to change quicker than we can identify the threat to a particular system."
He added, however, that there is no "silver bullet" yet for establishing a continuous monitoring paradigm.
"We need to move to a more robust mechanism of continuous risk assessment, but what that means, I can't tell you," Vincent said. "I do think that when you look at how we're going to have to change the way we do business, we're going to be forced down the road of deploying applications and changing those applications as the threat changes. That's a continuous process and therefore there have to be mechanisms to make it more dynamic and more flexible."
Baker, who served as a top IT executive with several companies in the private sector before arriving at VA last year, said that government needs to look to industry for risk management models.
"In the private sector as a CIO you know you've got risks coming at you constantly from the cyber standpoint," he said. "A lot of folks that have been inside government for a while would be just stunned to find out the level of sophistication of cyber protection when you get inside these companies; they have to do it, they can tie it directly to the value of the company. Think about the impact of an information breach on the brand value of some of the large companies in the U.S."
"The risks in government are magnified by scale, visibility and mission," he said. "My fundamental problem is that the private sector organizations that I worked at did a much better job of enforcing the cyber disciplines for technologies than I find in government and yet the risks are bigger in government."
About the author:
Richard W. Walker is a freelance writer based in the Washington, D.C., area who has been covering issues and trends in government technology for more than 10 years.