FAIR adoption is rapidly ramping up in the federal government, and the FAIR Institute’s Federal Government Chapter has become the informal information clearing house and networking center for federal CISOs looking to go quantitative. The chapter is co-chaired by Cody Scott, the first Chief Cyber Risk Officer for the National Aeronautics and Space Administration (NASA). “It’s brought a lot of people together to see who is actually doing FAIR”, Cody says.
“A year and a half ago, you had a lot of naysayers in government who said that risk quantification for cybersecurity isn't really meaningful and I think we’ve started to disprove that pretty substantially.”
Cody and another FAIR pioneer in government, Emery Csulak, Principal Deputy Chief Information Officer, Department of Energy, are the panelists for the FAIR Conference session “Case Study - Building A Quantitative Risk Management Program in the Federal Government”, 1:15 - 1:45 PM, Wednesday, October 7.
See the complete FAIR Conference agenda, October 6-7, 2020.
Cody first became FAIR-aware while working as a contractor for NASA and other agencies. “I realized that this wasn’t just another vendor-specific, proprietary approach to scoring a ‘risk score’, this is actually a whole method for how you approach and decompose risk.”
When he went on staff at NASA in 2018, he set about launching a FAIR program and ran up against the kinds of socialization barriers that are familiar to many FAIR evangelists. NASA’s culture had been heavily mission-focused and siloed, with little centralized direction on cybersecurity.
But trends in federal government cybersecurity were running his way. The requirements of the Federal Information Security Management Act (FISMA), directives from the White House Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA), recommendations from the National Institute of Standards and Technology (NIST) and other federal authorities have been pushing agencies both to justify cybersecurity spending for risk reduction in financial terms and to take an agency-wide, non-siloed view of security budgeting.
With that opening, Cody says he has approached the various NASA centers in the spirit of “partnership...We say let’s think about the business that you have, the operations you have, and let’s use a risk-based approach to prioritize what you should do in the interest collectively of the agency and the federal government. That flips the conversation.”
In February, Cody hosted a full-day crash course on quantitative risk management for all the CISOs at NASA. He’s running one FAIR project scoping out how to prioritize risk mitigation for some of the high-value assets and a second project in collaboration with Department of Energy staffers for a more detailed use case.
Cody is developing an agency-wide cybersecurity strategy and, most significantly, “we now have people coming to us asking how they can get support for doing risk assessments. They’re asking, ‘Can you help us solve a business problem? Can you help us know what to prioritize first?’ That's never happened before.”
Catch Cody’s FAIR Conference session “Case Study - Building A Quantitative Risk Management Program in the Federal Government”, 1:15 - 1:45 PM, Wednesday, October 7.
The 2020 FAIR Conference (FAIRCON2020), the premier global risk management conference, will be held digitally on October 6 & 7 (Tues. and Wed.). FAIRCON2020 will provide ground-breaking keynote addresses, engaging C-suite panels, and expert case study sessions through a cutting-edge virtual event platform. See the agenda.