Insight by Tanium

Reducing technology risk requires real-time data

The idea and application of enterprise risk management have taken off across the government over the past four-plus years. The Office of Management and Budget made it a requirement in the 2016 update of Circular A-123.

While it’s nice to have a circular that tells you to do something, new data shows agencies are seeing the value.

The Association for Federal Enterprise Risk Management (AFERM) found in a new survey that just under 83% of the respondents say they are working in an agency that has a formal ERM program. That is up from 77% a year ago.

AFERM says the top three benefits of enterprise risk management are: enhanced decision making; reduced duplication of risk assessments or compliance activities; and the prevention of a negative event from occurring.

It’s no surprise respondents say cybersecurity and privacy risk remain the area that needs the most management attention, while operational risk and human capital risk round out the top three.

Technology risk management (TRM) is a subset of enterprise risk management, and it's gaining more attention across the government as non-IT executives realize just how critical a role technology plays in their mission areas, as we saw over the last nine months of the pandemic.

TRM applies risk management methods to an organization's technology, such as cloud and mobile devices. It enables IT teams to make faster risk management decisions and hopefully move with more agility to reduce the likelihood of disruptions.

Ralph Kahn, the vice president for federal at Tanium, said TRM lets organizations better ensure that the technology is doing what agencies need it to do.

Kahn said technology risk management is about using data to better understand all risks the organization faces from operational to security to financial.

“One of the things we are noticing in the financial world when you want to provide data by trust, you audit. That audit process takes a long time, but it allows people to have a high degree of trust in the data you provided and to make a decision with it,” he said. “In the IT world, it’s very rarely that audit step. In many cases we see the data you get is from many sources and it’s conflicting. One of the strengths of many of the CIOs that I’ve met is being able to sort through this data and figure out what is good and what isn’t.”

Maj. Gen. Maria Barrett, commander of Army Network Command, said if an agency has too much data, the good information can fall on the floor.

She said that’s why having a dedicated data manager who assesses the data, curates it and checks it for accuracy is key to making the data more valuable.

“If you don’t have someone dedicated to helping you think through that, not just the folks who will develop the analytics of the data, but someone who understands [these challenges], your decision making off this really sophisticated effort that you put together is going to be flawed,” Barrett said. “This is where we are at right now in terms of making better decisions with the data we have.”

Technology Risk Management

As we do this risk management framework and apply this in the deployment of a technology, we can’t forget the assessment has to be continual. There is no product, that I know of, that has never found a vulnerability once it’s been developed. We have to be cognizant and our system has to accept that. We will continually have to modify the products that exist in our network.

Data Preparation

Risk drifts over time. You accumulate new risk and you need to go back and check it frequently. If you're paying a lot of money for security software, but it's not staying configured, that creates a pretty significant risk from a cyber perspective.

Data-Driven Decisions

Because if you can't believe the narrative, you don't have trust. And if you don't have trust that's really the coin of the realm in terms of being able to evoke change.

Panel of experts

  • Jeff Schilling

    Chief Information Officer, National Cancer Institute, National Institutes of Health

  • Nicole Puri

    Chief Risk Officer, Bureau of the Fiscal Service, Treasury Department

  • Ted Okada

    Chief Technology Officer, FEMA, Department of Homeland Security

  • Maj. Gen. Maria Barrett

    Commanding General, NETCOM, U.S. Army

  • Ralph Kahn

    Vice President, Federal, Tanium

  • Jason Miller

    Executive Editor, Federal News Network