Many government agencies have robust cybersecurity programs overseen by chief information and chief information security officers. Agencies can build on that strong foundation by better coordinating their cybersecurity programs and ERM activities. In turn, agency leaders can be better positioned to fully assess, monitor and make decisions about cybersecurity risks. Discussions in our working session revealed several ways that this increased coordination can help ensure effective and secure federal operations, thus enabling government to better carry out its mission.
Bridge communication gaps between agency leadership, staff and technical experts
During our working sessions, federal cybersecurity practitioners discussed the challenge of communicating complex information about threats and vulnerabilities to agency leaders who may not have in-depth technical knowledge. This communication gap can have serious consequences—if leaders don’t understand the information presented to them and the risks associated with that information, they may not make the necessary decisions or investments to safeguard the agency’s cybersecurity. Federal ERM programs have the tools and expertise to help agencies develop a comprehensive risk register. A good risk register can clearly articulate the full picture of an agency’s cybersecurity risks and serve as a resource to help agency leaders understand, prioritize and address those risks.
Increase understanding of cyber-related risk
Integrating cybersecurity and enterprise risk management can also help ERM professionals better understand an agency’s cyber risks. ERM programs can work with cybersecurity professionals to connect information on cyber risks and vulnerabilities to information about other agency programs and strategic priorities. These efforts enable ERM professionals to better understand and monitor cybersecurity risks in relation to other elements of an organization’s risk profile. As a result, ERM practitioners are able to more fully grasp the agency’s overall risk. At the same time, the urgent nature of cybersecurity work means that practitioners must constantly focus on addressing immediate threats and often lack the time to step back and assess the full scope of cybersecurity risks. By connecting cyber risk to other agency priorities, ERM can help cybersecurity practitioners think more strategically about how to manage these risks.
Bring risks to the attention of agency leaders
Once ERM practitioners have analyzed how cybersecurity risks relate to other agency programs and strategic priorities, they can work with cybersecurity experts to elevate critical issues and areas to agency leadership. This coordination can help agency leaders more efficiently and effectively respond to rapidly evolving cybersecurity threats. For example, at our working session, officials from the State Department shared that the agency’s Office of Global IT Risk uses ERM principles to frame technical information about cybersecurity risks for agency leaders and then relays their decisions about risk tolerance back to technical staff as it evaluates specific programs and systems. “If we’re going to have a conversation at the organizational level, we need to have it in the context of how leaders deal with decisions on a regular basis,” said Peter Gouldmann, director of the Office of Global IT Risk. “We have to look at the strategic implications.” ERM programs, with their broad view of risk, can also help leaders assess trade-offs and make decisions about how to manage cybersecurity risks while also addressing the other risks an agency faces.
Although relatively new, the idea of closer coordination between federal ERM and cybersecurity programs is gaining traction in government. For example, in October 2020, the National Institute of Standards and Technology released “Integrating Cybersecurity and Enterprise Risk Management,” an overview of how agencies can integrate the two disciplines. “[Agencies] have generally treated these areas as separate and created some silos…this document talks about how [ERM and cybersecurity] can work in concert,” said Stephen Quinn, senior computer scientist at NIST and one of the document’s authors.
The document demonstrates that NIST recognizes the critical relationship between cybersecurity and ERM, and details how an integrated approach can help agencies better identify, assess and manage cybersecurity risks. Quinn also noted that NIST is now developing further guidance that can help agencies align their cybersecurity and ERM programs.