Government cyber risk professionals: This session at the 2020 FAIR Conference was packed with practical advice – you’ll want to listen carefully to the video but also download the slides to study all the details. Experienced FAIR practitioners in the federal government were on the panel:
- Emery Csulak, (CISO), Deputy CIO for Cybersecurity, Department of Energy
- Dan LaGraffe, Director of Cybersecurity Operations, Department of Energy
- Natalie Priani, Contractor Support Lead, Department of Energy, Accenture Federal Services
- Cody Scott, Chief Cyber Risk Officer, National Aeronautics and Space Administration (NASA) & Government Chapter Co-Chair, FAIR Institute
You can view the video and the slides here at the LINK member resources site:
Case Study - Building A Quantitative Risk Management Program in the Federal Government
FAIR Institute membership required – join now.
The panel covered four challenges for launching and sustaining a FAIR program at a public agency. Here are some highlights:
Challenges of Deployment
Panelists had all started out looking for perfection in risk analysis, particularly in data. “That got complicated really fast,” Cody Scott said. “It also wasn’t providing any value to the work that we had to do today.” A better way: jump right into analysis on risk questions of high relevance to the organization, and learn as you go. DOE also found that providing stakeholders with a range of materials, from short elevator pitches to relevant use cases to analysis templates, “was a key part that got us over initial hurdles” with SMEs and eased the way for risk analysis work to get done, Natalie Priani said.
Learn more from FAIR practitioners in government: Join the FAIR Institute’s Federal Government Chapter (FAIR Institute membership required – join now).
Challenges in Education
An important talking point was relating the new information about FAIR to established models and practices. “NIST tells us to do quantitative analysis -- FAIR is the connector,” Scott said. He found this an effective construct, and showed how FAIR analysis fits into the broader NIST SP 800-37 risk management process. “That gets folks thinking ‘This is something we can do’.” Both the DOE and NASA FAIR teams used stakeholder seminars, tiered for the level of risk management experience in the audience, to good effect.
Challenges in Communication
As Dan LaGraffe explained, the challenges of communicating effectively with SMEs when gathering data have less to do with explaining FAIR than with practicing good interview techniques. Presenting analysis results to executives brings a separate set of challenges: getting them to understand results expressed as probability ranges. Finally, some stakeholder teams couldn’t care less about understanding analysis results; they’re just looking for actionable information that relates to their mission. “It’s on the practitioner to think through what are the objectives of these teams and what decisions do they need to make,” Scott said.
Challenges in Sustaining a Program
“The key to sustaining a program is to make it programmatic,” LaGraffe said, meaning that FAIR is built into the ongoing processes and procedures of the department or agency. For instance, the CISO office at DOE now applies FAIR analysis to every purchase over $100,000, and the SOC uses FAIR to assess vulnerabilities as they are discovered and to decide how many resources should be put against them. At NASA, Scott’s internal education has paid off, with stakeholders now building FAIR analysis into their programs. “We don’t have a budget in my organization for doing any of this, but we’ve been able to get it off the ground just on the interest we’ve built.”
Watch the FAIRCON2020 session: Case Study - Building A Quantitative Risk Management Program in the Federal Government
Learn more about FAIR at NASA: Read this interview with Cody Scott.