FAIRCON24 Video: DHS, CISA Officials Promise to Streamline Cyber Risk Regs
At the recent 2024 FAIR Conference, FAIR Institute President Nick Sanna asked two key officials in the cyber world, Iranga Kahangama of DHS (center in the image above) and Jeff Greene of CISA (right), the questions the FAIR community wants answered - such as when the Feds will, first, move off the compliance-first mentality and, second, ease up on redundant reporting requirements.
Panel Discussion: Securing the Nation: In Conversation with U.S. Cyber Leaders
- Moderator: Nick Sanna, President, FAIR Institute
- Iranga Kahangama, Assistant Secretary for Cyber, Infrastructure, Risk, and Resilience, US Department of Homeland Security
- Jeff Greene, Executive Assistant Director for Cybersecurity, CISA
If you are regulated by, sell to, or work for the Feds, or are hoping for more government support for cybersecurity, you’ll want to watch this video closely.
A few of the key points discussed in this wide-ranging conversation:
Question from Nick: “How can the government encourage a move to a more risk-based approach to cybersecurity?”
The answers reflected a different approach to “risk” in the government from the FAIR community’s outlook. Jeff Greene focused his answer on CISA’s program to identify vulnerabilities that went unpatched even though mitigations had been identified.
But Nick saw “an opportunity for us to collaborate with the government. One of the research initiatives at the FAIR Institute is to try to map threats to known vulnerabilities so we know which vulnerabilities are exploitable. We’d love to compare notes.”
Iranga saw another point of potential collaboration. DHS is working out implementation of the 2021 White House Executive Order on Improving the Nation’s Cybersecurity, and he saw an opportunity for the Institute to give input on rules for building cybersecurity into software products.
“What would it take to have the government use more sophisticated CRQ models to actually quantify risk?” Nick asked.
“Data is key and the government data and visibility on this has been uneven at best,” Iranga responded. “I think that is going to mature once we implement mandatory cyber incident reporting” – now under development at DHS pursuant to CIRCIA, the Cyber Incident Reporting for Critical Infrastructure Act, which mandates reporting of cyber incidents by infrastructure operators within 72 hours.
Nick noted that CISOs already struggle to meet reporting and compliance requirements from multiple federal agencies. Iranga promised that “we’re hyper focused on how to make it easy” – though it will take time, the government is moving in the direction of consolidating cyber incident reporting in CISA. He added that “functionally incident reporting is useless if we are not…providing broader risk insight” back to the cyber risk management community.
Nick closed by asking again how the Institute could help the government collaboratively.
“Your collective ability to identify and observe trends and data and threats are going to be almost as powerful as what the government is seeing,” Iranga responded, and encouraged the Institute to publish research in cyber risk and mitigation.
“I want to make a commitment on behalf of the FAIR Institute,” Nick said. “We’d love to see in this next year the public and private partnership substantiate, maybe in the form of working groups, so we can actually get something done…and be an innovation accelerator as a community.”
Watch the FAIRCON24 video: Securing the Nation: In Conversation with U.S. Cyber Leaders