Why You Need an Effective Risk-Management Strategy for Cybersecurity

There are few constants when it comes to federal cybersecurity. Agencies are bombarded daily with evolving cyber attacks against their sensitive data and systems. They also face a never-ending battle to secure consumer devices that employees are connecting to their networks.

Although agencies can’t control the sophistication and frequency of attacks, they can take steps to improve their defensive posture. One way is through strong risk management, which includes assessing risks (security, financial and otherwise) and evaluating alternatives to address those risks. For example, before agencies decide to let employees use their personal devices for work, they must determine what risks this decision could pose and how those risks can be mitigated.

“The reality is that devices proliferate, and this is usually driven by a business need or somebody who’s anxious to push a lot of connectivity out on behalf of the agency,” Dave Bowen, Managing Director at PricewaterhouseCoopers (PwC), said in an interview with GovLoop. “The intentions are good, but oftentimes the security aspect is not considered upfront.”

These actions inevitably introduce new risks into an organization, some of which go undetected or are not properly managed. Some agencies grasp the concept of risk management better than others, but many tend to manage reactively, crisis by crisis.

One thing is true for all agencies, however: Understanding risk is a learning process. They’re trying to learn the size and nature of risk to the enterprise, and what problems it could cause the agency, said Bruce Brody, Director at PwC. That’s why GovLoop teamed up with PwC experts who have served as federal IT executives and know firsthand the barriers agencies face to improving risk management, especially as it relates to attempts to strengthen an agency’s cybersecurity posture.

In this report, we explore the cybersecurity benefits of effective risk management, the challenges agencies face when implementing risk-management programs and how PwC is working with agencies to address those issues.