Agencies urged to strengthen risk management efforts

Risk management is proving to be the Achilles’ heel of cybersecurity efforts at many federal agencies.

That’s understandable because risk management is still a relatively new concept. For years, cybersecurity was seen primarily as a technology issue in which the technical vulnerabilities of systems and networks needed to be addressed with technology solutions.

But cybersecurity experts now say technology is not enough. Those solutions must be developed and managed in light of a broader understanding of the risks posed by various vulnerabilities: how likely is it that a given vulnerability will be exploited, what would the impact on the organization be if it were, and what resources would mitigating that risk require?

That’s why the Federal Information Security Management Act requires federal agencies to develop risk management strategies as part of their cybersecurity efforts.

Unfortunately, a recent study by the Government Accountability Office found that agencies are struggling to comply. In fact, GAO notes, they are falling further behind with each passing year: In fiscal 2008, only three of the 24 agency inspectors general reported weaknesses related to assessing risk, while in fiscal 2011, 18 of the 24 IGs reported weaknesses in this area, according to the February 2013 report.

One expert consulted by GAO put it this way in the report: Cybersecurity “is not a technical problem, but an enterprisewide risk management challenge that must be tackled in a far more comprehensive manner than is generally understood both at the enterprise and government levels.”

From a systems perspective, security experts emphasize the importance of incorporating risk management into the systems development process, and doing so at the beginning of that process rather than at some later point.

This approach has two benefits. First, assessing the risks associated with a proposed system and estimating the cost of mitigating those risks will help an agency get a more accurate picture of the complete price tag for that system. Second, it is much easier to build security into a system at the start than to patch it up later in the process.

Agencies that delay or skip risk management processes are asking for trouble. Reviewing the Federal Communications Commission’s Enhanced Secured Network program, GAO learned that program officials had cut corners on the agency’s risk management policy because they were under pressure to get the system into the field as quickly as possible. The auditors faulted that reasoning.

“Unless FCC more effectively implements its IT security policies…unnecessary risk exists that the project may not succeed in its purpose of effectively protecting the commission’s systems and information,” the auditors wrote.

But risk management is not just a systems issue, according to guidelines issued by the National Institute of Standards and Technology. It also must be built into the governance processes throughout an organization, involving leadership at all levels in decisions about assessing and mitigating risks. “Risk management can be viewed as a holistic activity that is fully integrated into every aspect of the organization,” the guidelines state.

In effect, risk management is about giving people the information they need to make smart strategic decisions. In a November 2011 report on cybersecurity initiatives at the State Department, the agency’s IG expressed concern about the lack of leadership involvement in the risk management process.

“Because the risk management strategy had not been fully implemented at the organizational level, communication of operations at the system level is negatively affected, along with business decisions such as funding allocation, because management is not fully aware of security vulnerabilities that exist,” the report states.

Finally, to be effective, risk management also must be realistic. This is especially challenging for cybersecurity professionals, wrote Andrew Rose, a principal analyst at Forrester Research, in a blog entry he posted last year after attending a vendor conference.

Security professionals are prone to overreact to every threat, however unlikely, and to find a flaw in every proposed solution.

“I had hoped that we all recognized that good security was not about hitting a home run,” Rose wrote. “It’s much more about applying the 80/20 rule over and over again, iteratively reducing the risk to the organization.”