by Larry Clinton
Perhaps the one thing virtually everyone in the cybersecurity field agrees on is that, notwithstanding many laudable efforts, we are losing the fight to secure cyberspace.
Illustrative of this reality, the Director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, Chris Krebs, has wisely commented we need a new model. Doing the same thing over and over and expecting different results is, after all, the definition of insanity.
The good news is that DHS is doing something to change, or at least expand, their direction. Part of the new DHS cyber strategy announced at last year’s DHS Cybersecurity Summit is the creation of a new Cyber Risk Management Center, directed by veteran cyber expert Bob Kolasky. Specifically, DHS is now moving forward from the virtually exclusive focus on cybersecurity as an operational issue, and more fully embracing cybersecurity as more than an “IT” issue and instead as an enterprise-wide risk management issue.
This is a very welcome enhancement. While IT is obviously a critical element of the cybersecurity problem, it is not the entire problem.
This is liable to be a long road. The conventional wisdom in cyber public policy has been to view cyber as essentially a technology issue to be solved by technologists. However, technology is only how cyber-attacks occur, it’s not why they occur. To get to the root of the problem, the full risk management constellation of issues – policy, economics, and technology – must be merged. This is the role of the Risk Management Center.
Central to understanding, and then acting, in a true risk management model is an appreciation of the important subtleties of doing comprehensive cyber-risk management in a public-private partnership. It’s long been recognized that the private sector owns and operates the vast majority of the cyber infrastructure we are all dependent on. However, it is also important to understand that the public and private sectors assess cyber risk in aligned, but not identical ways.
For the private sector, security risk management is essentially a cost issue. Naturally enterprises want to assure security, but that security is at a commercial level. Everyone knows retailers allow a certain percentage of inventory to “walk out the back door.” Why do they do that? Because it costs more to provide the security than to lose that level of product. The public sector, burdened by not only economic but also non-economic issues – national security, privacy, assuring election fairness – has a lower risk tolerance than the private sector. However, in cyber, both the public and private sectors are using the same system even though their risk appetites are different (for legitimate reasons). Hence there is what Krebs has termed a delta between the public and private sectors with respect to cyber risk management.
At a meeting called by Director Kolasky a week ago, DHS instituted a process to move beyond the technologists and the inside-the-beltway industry reps who tend to dominate much discussion in DC. The aim is to reach out to some of the most senior risk managers in the private sector, to better appreciate their approaches to cybersecurity, and to begin developing this new model embracing a broader approach to cyber risk management.
Director Kolasky opened the session by explaining that the purpose of the event was to begin a process wherein DHS will become more strategic in its approach to cybersecurity. Specifically, the goal is to shift from the traditional IT-centric approach to an enterprise-wide approach that includes measuring the effectiveness of mitigation and transfer measures from a business perspective. In that process they hope to learn from the private sector and then move to identify gaps government can fill in order to collaborate more fully.
Part of this effort will hopefully be government learning some lessons from the private sector, which has largely embraced the broader risk-management approach to cybersecurity. One illustration of this broader direction is the work of the National Association of Corporate Directors, which has been promoting an enterprise-wide approach complete with a series of handbooks and tool-kits for corporate directors. Much of the learning the corporate directors have been developing might fit well into the Risk Management Center’s agenda as it moves forward.
Clearly more than meetings will be required. As has often been noted, every great plan eventually dissolves into actual work. Hopefully this is the first stage of a cyber risk management work program.