This post is an excerpt from GovLoop’s recent e-book “Enterprise Risk Management in Today’s Digital World.” Download the full e-book here.
To learn more about the best approaches to enterprise risk management (ERM), we turned to the foremost source on government standards for security: NIST, or the National Institute of Standards and Technology. We spoke with Ronald Ross, Computer Scientist and NIST Fellow, about what risks the digital age brings, how to handle them and what pitfalls to avoid in today’s quick-changing environment.
GovLoop: What risks do federal agencies face in an increasingly digital environment?
Ross: With regard to digital technology, the risk assessment focuses on what components do I have in my system, what kind of software am I running, what’s my mission, how critical is the technology to the mission — the vulnerabilities that may exist in those software products and in the hardware and the firmware, all the parts that come together as part of that system. You have to assess the risk that is there based on the type of technology you’re using and how you’re using it. After you assess the risks that you have, then you look toward responding to the risk. Sometimes organizations will accept the risk, and sometimes they’re not going to accept it and they’re going to do some additional response actions, or mitigations, to close down certain vulnerabilities.
In the risk assessment business, we’re looking at threats and the vulnerabilities and then mission or business impact if the threat actually exploits a particular vulnerability you have in your system. There’s a likelihood component to that. In the digital world, the likelihood is close to 100%. Our adversaries out there are very sophisticated. They understand the vulnerabilities in our systems, they understand who they’re targeting, and so there’s a pretty good likelihood either you have been attacked or you will be attacked soon. That’s the kind of climate we’re working with in the digital world — total dependence on technology, a highly vulnerable infrastructure of IT components — and we have to do the best we can to close down those vulnerabilities as quickly as we can and, moreover, try to minimize the damage if the adversaries carry out a successful attack.
How did we get here?
We’ve just built an incredibly complex system and system of systems. We’re building a fully digital world, and in that complexity, if you don’t spend some time figuring out how all those things work, how they’re put together, where the information flows, where are my vulnerabilities, that complexity is where the adversaries live every day. They know it’s complicated, they know we can’t keep track of it all and therefore they always have the advantage.
How can agencies address these risks?
Figure out what your critical assets are and implement stronger protective measures for those places in your system. This is really a two-part problem. People who run enterprises can’t build software and all the security features that are necessary to protect the systems, just like Honda doesn’t ask me to go out and get my own airbag and put it in the car. [There are] certain responsibilities that industry has to step up and face: How are they going to build better security features into the products and systems that every customer is using today, from smartphones to power plants to medical devices? The other half of that point is then what the consumers, who are in federal agencies and private sector organizations, can do to help reduce the risk. We try to start with a critical asset analysis and then we try to encourage them to reduce their digital footprint, or attack surface. So, we encourage agencies to minimize the functions and features on the system, minimize the number of components that are mission-essential, especially when you’re supporting critical missions, critical programs and critical assets.
What are some best practices that agencies can look to?
The RMF that we have helps organizations identify which controls do I actually need, which ones can I get by without and what are my residual risks if I select these particular controls and implement them correctly? Then they can communicate back up the chain to the C-suite about how this organization really looks now in the real world of operations after they’ve done everything they can do to stop the bad guys. The best practices are reflected in the Cybersecurity Framework; they’re reflected in the Risk Management Framework; they’re reflected in our security controls and privacy controls document.
What should agencies look to for the future?
If we’re going to succeed and actually manage risk and carry out critical missions, we’re going to have to conquer and get our arms around this complexity issue. When you go through and identify your critical assets, you can then move those to safer locations; you can build security domains for those critical assets that will allow you to protect those assets to a much higher degree. We have our federal cloud computing controls that industry has adopted, and so when you get to the mid-level information that’s not your most critical stuff, you can start to think of moving some of that to the cloud to take advantage of more efficient ways of computing, providing better services to your customers, and then you thin that environment that exists within the federal agency. The cloud providers are deploying some of the best people on the planet who understand security and they’re protecting that cloud operation. Then you can focus on the critical assets back home. If you try to manage your risk across all of your efforts and all that complexity, you will fail. You have to get some help, and you have to organize for battle.