Government leaders have a responsibility to their employees and the general public to protect the data handled by their agencies. That responsibility has become more demanding over the years, alongside the evolution of IT systems and the proliferation of networks.
Consequently, traditional risk assessments have also transformed. Rather than focus narrowly on IT security and cyber risk, agencies are taking a broader view of threats and contingencies. At the leadership level, understanding all the different types of risk and how they’re manifested in agency operations is the key to prioritizing risk mitigation efforts. These more comprehensive evaluations of risk are best described by the term ‘digital risk management.’
Although digital risk management is a far-reaching concept, here are three of the more important trends that agencies should consider:
Aim for Continuous Monitoring
Traditionally, evaluations of risk were based on infrequent assessments of the systems in place. Because threats don’t stand still, that method is no longer viable. Instead, continuous monitoring is quickly becoming a best practice, especially in the federal government, where there’s an emphasis on defining risk in all its forms and possibilities so that leaders at the top levels can make good decisions.
For example, the Department of Homeland Security’s Continuous Diagnostics and Mitigation program (DHS-CDM) has brought awareness to the fact that agencies need to assess risks on an ongoing basis. The process typically begins with an initial assessment, followed by near-real-time continuous monitoring to ensure that the system is improving and that the initial risk factors are decreasing.
Look Closer at Supply Chains
One effect of IT modernization is the introduction of third-party providers into the agency’s digital supply chain. Agency leaders have to update their risk models to account for the exposure created by granting those providers access. To get a handle on the risks, agency leaders should know who their suppliers are, what information those suppliers can access, and what controls those suppliers have in place to protect the agency’s data.
Supply chain risk isn’t limited to the providers that agencies deal with directly. For instance, say there’s a component manufactured by a supplier that’s associated with a vulnerability. It goes on a board that goes inside a server that’s used by a third-party supplier to the agency. Effective digital risk management allows the agency to account for that extended risk, even though it’s several steps removed.
Quantify the Cost of Inaction
Another trend in the public sector is the practice of associating risk with a cost factor. Instead of expressing risk as a stoplight color or a point on a numerical scale, agency leaders ask: what would it cost to not address a risk if that risk were realized?
For example, say an agency has 5,000 boxes that need a patch. If they aren’t patched and that leads to a breach, what are the costs associated with the breach? At the highest levels of an agency, this can be a useful framework for making decisions. It allows agency leaders to look at a total risk profile and decide how to allocate resources. For instance, it might be that relatively small investments reduce the overall risk profile dramatically when viewed through this framework.
For this to work at the agency level, the CIO and CFO must collaborate, weighing the cost of managing risk in the near term against the cost of an incident in the long term.
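As an added illustration, not taken from the article or from any vendor tool it mentions, the following Python sketch works through the cost-of-inaction framework described above: each open risk is scored by the expected loss of leaving it unaddressed, and a limited budget is allocated to the mitigations that remove the most expected loss per dollar. The risk register, probabilities, breach costs and mitigation costs are all constructed figures.

```python
# Added example: a cost-of-inaction model for prioritizing mitigation spend.
# Every number in RISKS is constructed for illustration, not agency data.

def expected_loss(probability: float, breach_cost: float) -> float:
    """Cost of inaction: likelihood of a breach while the risk stays open,
    multiplied by what that breach would cost the agency."""
    return probability * breach_cost


def prioritize(risks, budget: float):
    """Greedy allocation: fund the mitigations with the highest reduction in
    expected loss per dollar until the budget is exhausted.
    Each risk is a dict with name, mitigation_cost, p_before (breach
    probability if unaddressed), p_after (probability once mitigated) and
    breach_cost. Returns (funded names, residual expected loss, spend)."""
    scored = []
    for r in risks:
        before = expected_loss(r["p_before"], r["breach_cost"])
        after = expected_loss(r["p_after"], r["breach_cost"])
        reduction = before - after
        scored.append((reduction / r["mitigation_cost"], reduction, r))
    # Best value-for-money first; ties broken by insertion order (stable sort).
    scored.sort(key=lambda t: t[0], reverse=True)

    residual = sum(expected_loss(r["p_before"], r["breach_cost"]) for r in risks)
    funded, spend = [], 0.0
    for _, reduction, r in scored:
        if spend + r["mitigation_cost"] <= budget:
            funded.append(r["name"])
            spend += r["mitigation_cost"]
            residual -= reduction
    return funded, residual, spend


# Constructed risk register (hypothetical names and figures).
RISKS = [
    {"name": "patch 5,000 unpatched servers", "mitigation_cost": 250_000,
     "p_before": 0.30, "p_after": 0.02, "breach_cost": 4_000_000},
    {"name": "MFA for vendor remote access", "mitigation_cost": 60_000,
     "p_before": 0.20, "p_after": 0.05, "breach_cost": 2_500_000},
    {"name": "replace aging core switch", "mitigation_cost": 400_000,
     "p_before": 0.05, "p_after": 0.01, "breach_cost": 1_000_000},
]

if __name__ == "__main__":
    funded, residual, spend = prioritize(RISKS, budget=320_000)
    print(f"fund: {funded}\nspend: ${spend:,.0f}  residual expected loss: ${residual:,.0f}")
```

With this register, spending $310,000 of a $320,000 budget cuts the total expected loss from $1,750,000 to $255,000, which is the kind of outcome the article has in mind when it says small investments can reduce the overall risk profile dramatically.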
Dan Carayiannis was recently interviewed by Federal News Radio as part of Carahsoft’s “Innovation in Government” series. Listen to the audio and learn more about digital risk management and supply-chain risk. For more information about new software tools that can help mitigate supply-chain risk and ensure business resiliency, visit www.carahsoft.com/rsa.