Rethinking continuous risk metrics to fortify federal cybersecurity

Public trust hinges on the resilience of critical infrastructure and government agencies against cyber threats.

For five years, I had the pleasure of serving the State of California, including four years in the cabinet affairs function for the governor, covering a portfolio that included homeland security, emergency services and technology. In a state with over 40 million residents that has had over 46 natural disaster events exceeding $1 billion in economic loss since 1980, I saw the considerable strain that emergency services and the whole of government faced in supporting communities, impacted constituents, and protecting life and property.

However, these disasters and the threats were almost always more complex because of opportunistic non-state and state actors seeking to take advantage of disaster survivors as highlighted by the Cybersecurity and Infrastructure Security Agency’s concerns over social engineering tactics, techniques and procedures. The Federal Emergency Management Agency’s 2023 National Preparedness Report also highlighted how cyberattacks represent a high community-level risk.

From my experience, this is a drastic understatement as I witnessed the strategic deployment of ransomware and malware onto hospitals, ports, the electric grid, schools and water treatment plants. Under significant duress, public trust is tested even more as the operation of critical infrastructure and government service delivery is further strained. Simply put, building community-wide resilience sets the foundation for successful response and recovery in the wake of physical or digital disasters.

Why a real-time assessment of cyber resilience is needed

But how do decision-makers measure our cyber resilience and progress to community wide resilience? How do organizations improve and harden? As CISA Director Jen Easterly stated, “It’s hard to say you’ve reduced risk unless you know how to measure it.” Cybersecurity professionals I speak with want analytics and key performance indicators that highlight trends and improvement over time, showcase how their organization reacts to and prepares for events, and compare them to others in the industry.

Roadmap for identifying key risk metrics

The power of continuous risk metrics lies in their objectivity. They rely on verifiable data, allowing for transparent evaluations across different sectors. This information sharing fosters collaboration, leading to the identification of industry-wide problems and best practices that transcend individual organizations. These shared insights can create a more consistent national defense against cyberattacks.

What specific risk management metrics should agencies be tracking? Key metrics and KPIs include:

  • Identify the number of risks in the sector: Understanding the potential threats and vulnerabilities within the sector allows security teams to assess what they are up against.
  • Quantify the number of incidents that occurred: Comparing identified risks to those that materialize and are mitigated reveals risk management effectiveness. A high number of materialized risks suggests a need for improved mitigation strategies.
  • Understand the percentage of risks monitored: Utilizing security ratings can help ensure security teams can prioritize high-impact risks for mitigation, while continuous monitoring with regular assessments empowers teams to detect rising threats and address them proactively.
  • Learn from the percentage of risks mitigated: Security teams need to assess and analyze those mitigated and develop a proactive strategy to eliminate repeat incidents.

With robust risk management metrics, organizations can bounce back more quickly, maintain their reputation, and avoid paying significant recovery costs. Clarity and intelligibility are paramount when choosing these KPIs. These KPIs should be able to be turned into actionable reports that are accessible to anyone who views them, enabling colleagues and leadership teams to readily grasp and act on the information.

Overcoming data hurdles for risk management

Of course, taking all these steps also requires some amount of preparatory work, much of which is related to the common challenges associated with collecting this crucial data. Unclear ownership of data collection within teams or inconsistencies in data quality can hinder efforts to develop effective key risk metrics. Identifying these challenges and overcoming them as part of the roadmap for key risk metrics allows us to build a strong foundation for informed decision-making, ultimately leading to a more resilient and agile security posture.

Building a data-driven shield for national cyber resilience

By diligently tracking and analyzing KPIs across critical infrastructures, one would be able to gain a comprehensive picture of the nation’s overall cyber resilience. The public and private sectors would be able align their cybersecurity strategies with the National Institute of Standards and Technology’s Cybersecurity Framework 2.0, ensuring their risk management processes, security controls and incident response plans adhere to the framework’s identify, protect, detect, respond and recover functions. This alignment empowers all stakeholders to proactively identify and address vulnerabilities, optimize resource allocation, and enhance cyber resilience.

Finally, transparent sharing of these metrics and insights across public and private sectors is essential for fostering collaboration and knowledge sharing. This collaborative spirit is exemplified by initiatives like the National Cybersecurity Center of Excellence (NCCoE), a public-private partnership established in 2012 to bring industry organizations, government agencies and academic institutions together to create practical, adaptable cybersecurity solutions that address the most pressing cybersecurity challenges. By learning from each other’s best practices, stakeholders can work toward regulatory harmonization, ultimately fostering a more secure environment for government systems and citizen data.

Public trust hinges on the resilience of critical infrastructure and government agencies against cyber threats. This demands a renewed commitment to vigorous cybersecurity measures and transparent communication during attacks.

Jeff Le is vice president of global government affairs at SecurityScorecard.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories