Bob Kolasky, who runs the National Risk Management Center in CISA, gave the FAIR Conference 2021 a briefing on CISA’s Systemic Cyber Risk Reduction Venture, an effort to manage and reduce cyber risks to critical infrastructure. The Venture is mapping 55 functions critical to national security, business operations and daily life and “we are starting to see real investment being made in strengthening those critical elements.”
FAIRCON21
Presentation - Ensuring the Resilience of National Critical Functions
Bob Kolasky, Cybersecurity and Infrastructure Security Agency (CISA)
FAIR Institute members can watch the video of this FAIRCON21 session in the LINK member community. Not a member yet? Join the FAIR Institute now, then sign up for LINK.
He’s looking for what he called “metrics-izing the way we think about risk for national security so we can qualify and ultimately quantify likely risk reduction.”
“I want to bring in the risk community to deal with what is an unacceptable period of cyber risk. We need help borrowing from techniques and learning how to price risk into decision-making in both business and government.”
The Systemic Cyber Risk Reduction Venture is working at several levels:
- Building out a risk architecture to understand how cyber attacks on those 55 functions of critical infrastructure could affect society, with a goal of maintaining resilience
- Apply the findings of the risk architecture to set investment priorities based on “what the impact would be in term so of reducing risk in real world metrics.”
- Defining tactics, incremental risk reduction that would have an overall system impact. For example, CISA recently publicized multi-factor authentication as a best practice for individuals and issued industrial control system performance goals for pipelines.
And Kolasky mentioned one final CISA goal that must have gone over well with the virtual audience for FAIRCON21: “Getting boards of directors and chief executives to feel passionately about the need to address cyber risk.”
