In a recent National Institute of Standards and Technology (NIST) webinar on integrating cybersecurity and enterprise risk management (ERM), Energy Dept. CISO Emery Csulak shared the goals his agency set for its transition to a cyber risk management program based on FAIR™ -- high-level principles that could apply equally to government or corporate information security.
The top-level goal is simply stated: “Enable leadership at all levels to make better decisions today than yesterday, with a stronger business case.”
“At all levels” was crucial because DOE, like other agencies or private enterprises with multiple subsidiaries, operates at a “federated level”: “We really wanted to make sure that the decisions affecting the mission are made at the point where the mission is being achieved,” in addition to the senior management level.
Emery Csulak was a panelist at the 2019 FAIR Conference
Two implications of that push:
- Decision makers at all levels needed the “tools and capabilities” to make risk-informed decisions, and…
- A common language to talk about risk. “One of our key goals was to put in a quantitative risk management program so we could have stronger conversations with business.”
That led Csulak and team to FAIR, the standard for analyzing cyber risk in financial terms. “We use FAIR as a model for improving the conversation, then we supplement that with a lot of consulting and additional services.”
They also recognized that the move to risk quantification (and away from qualitative red/yellow/green risk ratings) would be “a cultural issue,” so they established a “cyber council” with representatives from across the organization and wrote a new cybersecurity policy aligned with the new principles and goals.
They also defined the services that a central cyber risk team would provide to different levels of the organization to support the federated model – including training on risk analysis techniques such as interpreting Monte Carlo simulations and doing calibrated estimation, two pillars of FAIR analysis.
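To make the two techniques named above concrete, here is an added example (not DOE's code and not an official FAIR Institute implementation) of how a calibrated estimate feeds a Monte Carlo simulation of annual loss. It assumes a constructed scenario with placeholder figures: loss event frequency given as a low / most-likely / high range, loss magnitude per event given the same way, a triangular distribution over each range, and a Poisson draw for the number of events in a simulated year. The output is the kind of loss-exceedance figure a risk owner can put in a business case: how often annual loss is likely to exceed a tolerance threshold.

```python
"""FAIR-style Monte Carlo: from calibrated estimates to a loss-exceedance view.

Added example, not DOE's or the FAIR Institute's code. Scenario inputs are
constructed placeholders; the distribution choices (triangular ranges, Poisson
event counts) are this example's assumptions, not FAIR requirements.
"""
from __future__ import annotations

import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class CalibratedRange:
    """A calibrated estimate: low/high bounds (e.g. a 90% confidence interval)
    plus a most-likely value, as produced by calibrated-estimation training."""
    low: float
    most_likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # A triangular distribution is the simplest shape honouring all three points.
        return rng.triangular(self.low, self.high, self.most_likely)


def poisson_sample(rng: random.Random, rate: float) -> int:
    """Number of loss events in one year for an expected rate (Knuth's method)."""
    threshold = math.exp(-rate)
    count, p = 0, rng.random()
    while p > threshold:
        count += 1
        p *= rng.random()
    return count


def simulate_annual_losses(lef: CalibratedRange, magnitude: CalibratedRange,
                           iterations: int = 10_000, seed: int = 7) -> list[float]:
    """One simulated year per iteration: draw a loss event frequency, then the
    number of events for that year, then a loss magnitude for each event."""
    rng = random.Random(seed)  # fixed seed so a run is reproducible for review
    years: list[float] = []
    for _ in range(iterations):
        rate = lef.sample(rng)
        n_events = poisson_sample(rng, rate)
        years.append(sum(magnitude.sample(rng) for _ in range(n_events)))
    return years


def percentile(values: list[float], pct: float) -> float:
    """Nearest-rank percentile over the simulated annual losses."""
    ordered = sorted(values)
    index = int(round((len(ordered) - 1) * pct / 100))
    return ordered[index]


def exceedance_probability(values: list[float], threshold: float) -> float:
    """Share of simulated years in which loss exceeds a tolerance threshold."""
    return sum(1 for v in values if v > threshold) / len(values)


def summarize(values: list[float]) -> dict[str, float]:
    """The figures a decision maker sees: expected loss and a spread, not a colour."""
    return {
        "mean": sum(values) / len(values),
        "p10": percentile(values, 10),
        "p50": percentile(values, 50),
        "p90": percentile(values, 90),
    }


# Constructed scenario (placeholder figures, not taken from the page):
#   loss event frequency: 0.5 to 6 events per year, most likely 2
#   loss magnitude per event: $50k to $1.2M, most likely $200k
SCENARIO_LEF = CalibratedRange(low=0.5, most_likely=2.0, high=6.0)
SCENARIO_MAGNITUDE = CalibratedRange(low=50_000, most_likely=200_000, high=1_200_000)

if __name__ == "__main__":
    losses = simulate_annual_losses(SCENARIO_LEF, SCENARIO_MAGNITUDE)
    print({k: f"${v:,.0f}" for k, v in summarize(losses).items()})
    # The number that anchors a business case: how often a year breaches tolerance.
    tolerance = 2_000_000
    print(f"P(annual loss > ${tolerance:,}) = "
          f"{exceedance_probability(losses, tolerance):.1%}")
```

Reading the output is the skill the training described: the p10/p50/p90 spread shows how wide the uncertainty is, and the exceedance probability is what changes when a control narrows the frequency or magnitude range, which is how a proposed investment gets compared in the same financial terms as the risk it reduces.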
Csulak says his organization is now well on the way to “convince leadership that we’ve got a good story to tell, that our IT and cybersecurity professionals are becoming more professional and are able to engage in the level of conversation that they are expecting” from risk managers at the Department.
Watch the NIST webinar: The Missing Link: Integrating Cybersecurity and ERM