The IT and security teams aren’t alone in managing risk at organizations, but they are often the ones who understand it best. To help other government officials understand risk and their role in minimizing it, Minnesota IT Services (MNIT) created Risk Management Scorecards that have fostered communication — and security — since 2015. We spoke with Aaron Call, Chief Information Security Officer (CISO) at MNIT, to learn more.
GovLoop: How have risks evolved in your state along with the growth of digital?
Call: Risks have evolved for the state very similar to the way the risk has evolved for anybody in the private sector as well. Well-funded adversaries continue to use the expanded footprint of IT against us. What’s unique in the public sector is that we’re also prime targets for politically motivated attackers to a degree that most private sector organizations aren’t.
In 2015, you created the Minnesota IT Services Risk Management Scorecards to address those risks. What are the advantages of having them?
We recognized that we can’t meet this evolving threat as a security silo. A security program of any organization can’t do this alone, and we have to have investment — not necessarily just in money, but also in priority — with the business leaders. You can play Chicken Little. You can tell them how scary the world is and try to compel them that way, or you can go down a more respectful path and present that risk that they own ultimately through their own business decisions, help them understand how those business decisions impact risk.
In 2015, we gathered together a number of metrics that we iterate on every couple of years. We roll each of those metrics up into a weighting for particular relevance into five different areas based on the NIST Cybersecurity Framework functional areas. So, what we’re telling them is not how effective their antivirus is or how well-patched their systems are. What we’re telling them is how well we can identify the systems and data that support their business, how well we are able to prevent attacks from happening and how well we can detect attacks, whether they’re successful or not. When a cybersecurity event does occur, [we show] how effective we are at stopping it from spreading or [stopping] it from happening again, and whether it’s “Here’s a related incident” or just some bad luck, [we show] how well we are equipped to bring the IT systems that support their services back online. Those five areas — identify, protect, detect, respond and recover — are easily understood, they’re non-geeky and they give us an opportunity to then describe to the business leaders, “This is what this needs.”
Do you have a scorecard success story?
We’ve got some tactical wins where conversations around the risk scorecard highlighted something that surprised a business leader or brought light to risk that they weren’t comfortable accepting, and they were able to address that. In the broader sense, it’s also created more of an atmosphere of trust between the business leaders and the security teams. Today, more than any time in the past and hopefully continuing forward, when security suggests something or tries to drive an additional control or a change in a technology, the resistance is really quite minimal in most cases.
How are you preparing for future risks?
Despite being a security leader, I see security as being a silo, as being horribly inefficient, and that’s something that needs to be eliminated as much as possible. The fact that I have tax dollar-paid staff within the state doing just security work means they’re not directly providing value or services to our citizens, so if we can accomplish the same security by having IT and business staff behave in more secure ways or equip them with more secure tools, then we can eliminate that cost. That’s a leading philosophy for how we move forward: Where can we make things secure by default, and where can we make things secure out of the box so we don’t have to do that ineffective and inefficient security bolt-on?
What are a few lessons learned?
The best lesson learned is the importance of having the right people communicating those scorecards to the business. What we put together wasn’t particularly novel. The real value, though, is making sure that a respectful and informed conversation is happening. Most security people can use the scorecard. They can determine what an agency’s relative risk is in each of these areas. But not everybody can sit down with a commissioner or a deputy commissioner and talk to them about their risk. Many times, simply by presenting them with this information, they have to own it. That’s not a position every commissioner, deputy commissioner or political animal really wants to be in, so being respectful of that yet getting the information across to them really is a soft skill that not everybody has. The departments and agencies where we’ve been more successful with the risk scorecards tend to be those where we had security leaders who had those skills.
This article is an excerpt from GovLoop’s report “Enterprise Risk Management in Today’s Digital World.”