FAIR Institute Blog

AFERM and FAIR Inst. Webinar: How Federal Agencies Achieve Risk-Based Cybersecurity

Jul 2, 2020 11:06:13 AM / by Jeff B. Copeland

On July 16, join the Association for Federal Enterprise Risk Management (AFERM) and the FAIR Institute for a webinar that will explain how federal agencies can better meet the requirements of policies to adopt a risk-based approach to cybersecurity and to integrate it with ERM through FAIR™, the international standard for quantifying cyber risk in financial terms. FAIR Institute President Nick Sanna will lead the discussion.

Register for the webinar now: July 16, 2020, 12:00-1:30 ET

As Nick wrote in a recent blog post, How FAIR Can Help the US Federal Government Better Prioritize and Right-Size Its Cybersecurity Investments, many federal directives clearly point agencies toward a risk-based approach, including FISMA and guidance from OMB and DHS. Executive Order 13800 specifically holds agency heads accountable for implementing risk management based on the probability and magnitude of likely cyber events, the two variables that FAIR analysis quantifies. The NIST CSF is the basis for many federal cybersecurity standards, and NIST recognizes FAIR as a recommended resource for risk analysis and risk management.

But, as Nick wrote, an audit by the GAO found that fewer than half of agencies had developed an agency-wide cyber risk management strategy and tied it to a wider enterprise risk management program. The problem: a lack of standard, quantitative cyber risk assessment models that can answer such basic questions as:

  • How much risk do we have? What are our top risks?
  • Which NIST CSF activities are most effective in reducing risk to an acceptable level?
  • What is our actual risk appetite? (explicitly, in dollars and cents)
  • What is the cost-benefit of improving the score of certain NIST CSF activities?

Now, pioneering federal cybersecurity leaders are turning to FAIR to answer just those sorts of questions. At the 2020 RSA Conference, Emery Csulak, who is introducing FAIR at the Department of Energy as Chief Information Security Officer (CISO)/Deputy CIO for Cybersecurity, and Cody Scott, Chief Cyber Risk Officer at the National Aeronautics and Space Administration (NASA), who is also bringing FAIR to that agency, spoke at a session on implementing quantitative risk management in government (watch the video). “We want to give tools to the IT executives to have more meaningful conversations” with agency management, Csulak said.

AFERM (The Association for Federal Enterprise Risk Management) describes itself as "the only professional association dedicated to the advancement of ERM in the federal government through thought leadership, education and collaboration. AFERM provides programs and education about benefits, tools, and leading practices of federal ERM and collaborates with other organizations and stakeholders to encourage the establishment of ERM in federal departments and agencies."

Expect a lively discussion from Nick and the AFERM audience with many actionable takeaways for government cybersecurity and cyber risk managers. 

Register for the webinar now: July 16, 2020, 12:00-1:30 ET

Topics: Events

Written by Jeff B. Copeland

Jeff is the Content Marketing Manager for RiskLens.