Why risk management is critical in cybersecurity


If you're a federal cyber official, the advice in a newly revised handbook on corporate cybersecurity might sound familiar. The new National Association of Corporate Directors' cybersecurity handbook says cybersecurity is a risk management issue, not an IT matter.

The language echoes what top federal agency IT managers and cybersecurity officials have been saying about how to handle threats at their organizations.

The NACD guidebook, compiled with the help of the Internet Security Alliance, says that cyber threat expertise isn't a prerequisite for corporate board members, but that corporate boards should have access to that knowledge and consider how cyber risk affects their companies' overall operations, from management to products and supply chains.

"The cyberthreat picture continues to become more challenging with nation-state attacks against both public and private sectors," said ISA CEO Larry Clinton at a Jan. 12 Washington press conference releasing the new handbook.

That melding of targets, said Danny Toler, deputy assistant secretary for cybersecurity and communications at the Department of Homeland Security, makes closer collaboration on attacks and sharing of threat information between corporations and federal agencies increasingly crucial to defending against them. Toler, who was at the press conference, said the growing common terminology, as well as common threats, can help facilitate information sharing with DHS.

DHS and the Department of Justice both have longstanding commitments to helping commercial entities gird themselves against a growing panoply of cyber threats, said Adam Hickey, acting deputy assistant attorney general for national asset protection in the Department of Justice's National Security Division.

Cybersecurity "isn't about prevention," he said. "CISOs can't be judged only on defense," as hackers are too smart for that. "All stakeholders look at responses and resilience, including whether they worked with law enforcement" to do everything they could to blunt attacks.

Toler and Hickey both urged corporations to work ahead of cyberattacks with the federal government on mitigation tactics and even on-site analysis.

Corporations have had liability concerns about sharing threat indicators with federal agencies. Although the Cybersecurity Information Sharing Act of 2015 created a legal and governance framework for some of those issues, such as the sharing of cyberthreat indicator data, concerns over how the data will be used and whether it might be exposed keep some corporations cautious.

Toler and Hickey said their agencies will work with companies to mitigate those concerns. Toler said DHS will sign agreements with companies that request scans of their networks for threats. Hickey said the FBI isn't after large-scale data from companies, just specific threat data. In both cases, the officials said, the data would also be protected under privacy regulations.

Big, publicly acknowledged breaches are teaching private-sector firms that "they are not alone" in their efforts to combat cybercrime or cyberattack. "It could actually make victims feel more comfortable" in sharing threat data to help prevent attacks on others, he said.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Contact him at or follow him on Twitter at @MRockwell4.
