Cyber insecurity: Managing against the risk

Firewalls and other barriers can’t begin to guard against every threat. Today’s interconnected systems and mobile workforce demand a very different approach.

Risk Management chart

The process of managing risk requires six distinct steps, all of which need careful attention. (FCW graphic).

Risk management has been part of IT security from Day One, but has often taken a backseat to aggressive zero-tolerance policies that sought to raise impenetrable barriers to security threats. Now we know better.

An explosion in the volume and sophistication of malware in the past few years has overwhelmed barrier technologies such as firewalls and intrusion-detection systems, and the bogglingly fast spread of powerful mobile devices such as tablet PCs and smart phones has provided the black hats with a wealth of different ways to break into networks.

“Three decades ago, a mainframe would have been a big investment for an organization, but IT has become a commodity today and we use those technologies very aggressively,” said Ron Ross, a fellow at the National Institute of Standards and Technology and the leader of NIST’s Federal Information Security Management Act (FISMA) Implementation Project. “The trend now is also to connect everything to everything. Couple that with the exponential growth in malware, and that’s why people are so concerned.”


Related items:

A risk management reading list

Risk management: A view from inside


In contrast to the castle-and-moat approach to security, risk management sets acceptable levels of risk for an organization, and then controls and seeks to mitigate those risks. That way — or so the theory goes — the most mission-critical systems can be protected and the organization will still be able to function even if cyberattacks succeed in penetrating periphery defenses.

Theory is one thing and implementation another, however. Although the concept of risk management is now well understood in agency IT and security departments, it is not yet a widely practiced discipline. Agencies such as the National Security Agency and the State, Commerce and Defense departments are acknowledged leaders in risk management, but overall, the government is behind the curve.

A recent Ponemon Institute study of risk-based security management in the United States, which included input from government organizations, noted that more than three-quarters of respondents had a significant commitment to RBSM, but less than half actually have a program in place. A third of respondents have no RBSM strategy.

“Lots of organizations want to do RBSM, and they realize the importance of it,” said Larry Ponemon, the institute’s chairman. “But there’s either resistance internally from people who are reluctant to move out of their comfort zones, or they just don’t have the right resources to make it happen systematically. What you often end up with is a kind of a hodgepodge approach to it.”

Chris Kennedy, principal security architect and senior program manager at Northrop Grumman Information Systems’ Civil Systems Division, said he believes most federal agencies understand what risk management is, but “it’s just one of those things that’s really tough to operationalize.”

“The challenge is that IT has been traditionally managed in agencies as a mission enabler, and there hasn’t been the level of cross-pollination between the mission owner and IT system operators to manage risk appropriately,” he said. “Someone needs to work the priority of the mission to establish the appropriate risk management framework around the systems.”

The first step in developing a risk management program is to get everyone to agree on what the risks are, which is more complicated than it sounds. In the older approach to security, the risks were associated with the network and attached systems, and identifying them was the responsibility of the IT department. With enterprise risk management, many communities own the business processes that are at risk, and with the rise of cloud computing, they will increasingly have responsibility for the IT services that are delivered. However, each of them might have very different ideas of what the risks are and how to define them.

“If you want to develop a cohesive risk management strategy, you have to develop a centralized risk register that everyone can refer to, and that means also having a common nomenclature for risk,” said Torsten George, vice president of worldwide marketing and products at Agiliance, a company that provides risk management solutions. “If you try to do that later, then the accuracy of the data that comes back to you will vary, and the trend data that helps you predict your security needs going forward will be impacted.”

NIST’s Ross described this as a need for a second front in government to integrate cybersecurity and risk management processes into the mainstream.

“I do think the understanding for all of this is there, but the systemic problems are also there and need attending to,” he said.

Likewise, it is vital early on to create a governance process for making decisions about which risks will be targeted and what steps will be taken to mitigate them. That process will need to cover the entire enterprise.

Once it has been decided that there is a risk in a particular organizational unit with an operational mission responsibility, the governance process will require the professional who can assess that risk to characterize it and describe it to the operational manager, said Lee Holcomb, vice president of strategic initiatives and cyber operations at Lockheed Martin Information Systems and Global Solutions.

“That manager needs to be able to say he will invest the money to fix that risk and put in a process to mitigate it, or that he will flat out accept the risk and not invest in mitigation,” said Holcomb, whose federal career includes serving as CIO at NASA and chief technology officer at the Department of Homeland Security. “That discussion is a central one that absolutely needs to take place.”

He added that one of the current challenges in the cybersecurity area — and it relates directly to the assessment of risk — is the need for people to be able to say what an additional dollar of investment buys in terms of security. “There are probably a significant number of agencies that don’t have a rich discussion of that through a governance process,” he said.

Leadership commitment is also essential for implementing an effective risk management program, said Henry Sienkiewicz, vice chief information assurance executive at the Defense Information Systems Agency. Furthermore, the governance process is vital to ensure ongoing collaboration and synchronization of the efforts of the multiple groups and teams that will be involved.

Sienkiewicz said key areas include “identifying roles and responsibilities across the organization, methods for de-confliction of issues, means of communication with stakeholders, sharing of information and ensuring leadership acceptance of risks.”

tiered risk management graphic

FCW graphic. Information source: NIST

Assessing the risks that must be managed is typically more of an art than a science that requires hard numbers. NIST recently published the final version of its risk assessment guidelines, Special Publication 800-30, which covers what it sees as the four elements of a classic risk assessment: threats, vulnerabilities, impact to missions and business operations, and the likelihood of a threat exploiting vulnerabilities in information systems and their physical environment to cause harm.

The document provides a common lexicon regarding risk factors that influence the method of assessing and ultimately managing risks, Sienkiewicz said. But he added that the methods for assessing risk are more descriptive than prescriptive and leave it to the organization to determine the most suitable approach for itself, taking into account factors such as system use and mission requirements.

Agencies will have to make it up on their own to some extent and choose standards for risk assessments that they will be able to carry forward, said Tim Erlin, director of IT security and risk strategy at nCircle, a company that specializes in risk and security performance management.

“There also isn’t a consistent methodology for assessing multidimensional risks or the combination of risk and environment that might be dependent on each other,” he said. “While the NIST guidance is very comprehensive, it doesn’t seem to provide a lot of guidance on how to chain these things together.”

One constant in any government program, of course, is cost. Given the budget constraints agencies face today and will have to operate under for the foreseeable future, any sizable new investment will be closely scrutinized. Risk management will involve some upfront costs in terms of process and tools, such as new automation technologies, but it could result in savings down the road.

In researching the costs of risk management, the Ponemon Institute has come up with a range that covers short-term costs such as extra people and new technology, indirect costs, and what it calls opportunity costs, the potential for damage to agency missions through data loss and a consequent drop in user trust if security is not done right, for example.

“The reality is that the short-term costs probably do go up pretty substantially if you do it right,” Ponemon said. “But over time, we would expect to see a reduction, especially in indirect and opportunity costs.”

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.