The New Era of Cyber Risk Governance

What's next for agencies under the new executive order?

Over the past few years, the U.S. has seen a devastating wave of high-profile security breaches, both in the government and corporate sectors. A report by Privacy Rights Clearinghouse revealed that federal and state government agencies publicly disclosed a total of 203 data breaches over the past five years.

In all, the breaches resulted in nearly 47 million records being stolen, exposed or otherwise compromised. While these figures are significantly less than those reported in the private sector, the issue lies in the type of sensitive information involved in government breaches, and the critical implications of that information falling into the wrong hands. The Justice Department’s recent announcement that Russian cyber terrorists were responsible for the Yahoo breach also sheds new light on the growing magnitude of cyber terrorist activity in the U.S.— and the harsh financial and legal impacts it can have on agency heads and stakeholders.

Growing concern about cybersecurity has not fallen out of focus in the executive branch, which, since the Obama Administration, has been casting light on the underlying issues behind the increased cyber vulnerability in the federal realm. The Trump Administration feels, “the executive branch has for too long accepted antiquated and difficult to defend IT and information systems.” Last week, President Trump signed the long-awaited Cybersecurity of Federal Networks Executive Order, which requires all federal government agencies to begin running risk management, reporting, and recovery programs under the NIST Cyber Security Framework (CSF) in the hope of better protecting the government from cyber attacks. Under the mandates, agency heads will now be held responsible for damaging data loss during future cyber attacks on their departments.

This executive order marks a dramatic cultural shift in the way the federal government looks at cyber security. The key differences between this EO and the actions that the Obama administration took fall in two categories: 1) never before has an executive order required all federal agencies to apply NIST’s CSF to their entire organization, and 2) there has never been a mandate that requires agencies to build a comprehensive risk and mitigation report for their organization and then report to the president of the Department of Homeland Security and the director of the Office of Management and Budget. Currently, all federal agencies have their own cybersecurity processes in place to protect their own systems. However, critical information is leaking on a constant basis, and it is becoming more and more apparent that this is an internal failure, the fault of a serious disconnect between risk assessment at the IT level and the ability to translate those highly technical insights into overall business risk.

Trump’s order mandates that the security of federal agencies has to be controlled on an enterprise level. Instead of building security protocols for specific systems, all people, processes, and policies within the agency must be analyzed and reported. As cybersecurity continues its shift from a strictly IT function to a business function, the federal government is facing conflicting opinions on how best to standardize risk management and reporting processes. The problem is, there is no “one size fits all” solution to preventing cyber risk, which begs the question of whether or not this order will be enough to set a successful framework that can be applied across all agencies – and to adequately protect the entire government network as an autonomous unit.

One of the main critiques of the order is that it may not be comprehensive enough to incite any notable changes and improvements in risk management practices in the government sector. But the executive order’s requirement that agencies meet the hundreds of control points of the NIST CSF means that cyber risk governance is the goal, rather than IT compliance. Drilling down too deep into the choice of technologies and compliance with technical standards is not what is being demanded, and doing so would miss the stated goal of providing an overview of each agency’s cyber risk. But how can the government ensure that agencies are implementing a cyber-conscious culture that encourages the mitigation of risk from the top down?

The EO directs government action in three key areas under a mandated 90-day deadline: (1) assessing and improving each federal department’s cybersecurity posture; (2) enhancing the nation’s critical infrastructure; and (3) ensuring that “the Internet remains open, interoperable, reliable, and secure.” Meeting these criteria is a massive undertaking for federal agencies, which also have an incredible number of third-party networks, contractors/vendors, and employees that now require examination. Not to mention that the stringent deadline is a huge lift for an order that requires a cultural shift down to the DNA level of how agencies view cyber risk.

An undertaking this substantial means significant amounts of automation will be mandatory in order to become compliant, and to do so fast. Getting the job done within this timeframe using traditional means of risk assessment and governance will undoubtedly prove challenging. Gone are the days when checking off protocols on a spreadsheet and presenting convoluted statistics and recommendations to agency heads will be enough to effectively mitigate cyber risk. Agencies must now be able to report on their risk in a manner that can be understood by all stakeholders and used to assess the cyber maturity of the government network from a portfolio view – and do so in a timeframe that was once thought impossible. Investing in automated tools that streamline cyber risk governance and mandatory reporting processes will be an advantage for agencies that do not wish to incur the penalties associated with non-compliance with this new EO. But achieving these mandates will also be an agency-wide effort that requires involvement at all levels to ensure that everyone at an agency – from entry-level to the C-suite – is equipped to identify, assess, and mitigate risk.

The executive order is a step in the right direction for combating the outbreak of detrimental breaches in the government sector, and points to a positive shift in the way we as a nation are addressing cybersecurity, but that does not mean it will be an easy adjustment. The impacts of the order remain to be seen, but one thing we know for certain is that federal agencies will be fighting an uphill battle if they fail to acknowledge risk governance as a team sport and an integral piece of an agency’s overall culture and business function.
