Insight by Tanium

Modern resiliency spans beyond cyber to mission, business, financial, and operational

Over the last nine months, the move to remote working has expanded the threat surface of agencies.

And it’s not just cybersecurity risk that agencies have to deal with; the move has also increased risks to data, to mission and to people.

A new survey from the Association for Federal Enterprise Risk Management (AFERM) found 50% of the respondents said their ERM program has been “extremely engaged” or “highly engaged” in their organization’s response to the pandemic.

The survey found organizations with a chief risk officer (CRO)-led ERM program are almost twice as likely as others to be “highly engaged” or “extremely engaged” (65%) versus organizations with non-CRO-led programs (39%). Additionally, nearly two-thirds (64%) of respondents are anticipating implementing changes to their ERM program specifically in response to the pandemic.

It seems like agencies are recognizing how their risk posture is changing and how they need to adjust their approach to ERM.

Ralph Kahn, the vice president of federal for Tanium, said for agencies to effectively respond to COVID-19 they have to balance an ever-growing number of risks.

“I think, by-and-large, agencies are proud of their response to COVID, and it’s a multi-faceted thing. It’s one thing to get the employees up and running from home, it’s another to make sure that the same employees are doing okay,” Kahn said during the panel Strengthening Technology Risk Management in the Federal Government sponsored by Tanium. “There are a lot of factors that come into the risk equation here. But I think from a technology perspective, many of the agencies are proud of what they’ve accomplished. And they’ve pivoted very quickly from a centralized, core network model to a totally decentralized, everybody’s at home coming in through virtual private network (VPN), what security controls do we use? How do we make sure there’s some amount of monitoring and, by and large, there are a lot of different ways the agencies got there, but they all got there. And so I think there is a lot to be proud of there.”

The challenge now is how agencies can continue to apply risk management principles to address current and new threats to their mission.

Anthony Belfiore, the senior vice president and chief security officer of Aon and a Tanium board member, said public and private sector organizations found ways to innovate to maintain continuity and address operational risks.

“Because the bad actors, the nation states, the fraudsters know that we’re in this compromised position, our employees are not working in that nice central core of a government facility with all the controls and the oversight and the monitoring that you typically have. So they’ve tried new spear phishing techniques, and new attacks against our employees, new social engineering scams, and we’ve seen a huge uptick in that space and we’ve all had to address that,” Belfiore said. “The biggest thing that COVID spawned is the fact that it’s made a lot of people cognizant of a lot of other risk areas that they weren’t typically dealing with in their day-to-day. I think it’s forced us to look at a much broader view of operational and enterprise risk across our entities. And that’s a wake-up call because guys like me who do security, historically, physical, cyber and threat intelligence, we’re starting to realize the real end game is about operational resilience, and it’s not about cyber resilience. It’s a much bigger play. And that operational resilience is really predicated on a number of other areas that need to be addressed from a risk perspective.”

Belfiore said agencies are more aware of new risk profiles that affect their operating models. But that awareness also means organizations need to perform risk assessments to understand those risks from an enterprise risk perspective.

“It’s going to take a very diverse set of controls and capabilities to manage risk at scale, and post this event, post SolarWinds, what we realized here is everything from business interruption to data loss to regulatory non-compliance and punitive fines after the breach can hit you in so many different ways. It really forces you to think about a response strategy that is much more comprehensive than just people, process and technology,” he said. “It’s inclusive of new products, insurance risk services, retainers with incident response companies; there’s a whole litany of things that we need to do to make sure that we are in a position to respond effectively, mitigate severity in as timely a manner as possible, and get back up off the mat. Right, that’s the whole point, you got punched, get up as quickly as possible.”

Kahn said this is why agencies need to collect, analyze and use data to ensure resilience. He said it’s important for all organizations to use the data to reduce the time it takes to address new and existing risks.

“You have to put a focus on your key data, your key processes and the things that are really important to keep your mission going. I think making sure you’re instrumented to collect data about your key processes and your people and what they’re doing and the risks that are created by things like work from home,” he said. “And being able to see that data in real time, making sure it’s accurate so that the decisions you’re making are timely and effective. So if you need to respond, you have to do it in a timely manner. But it starts with identifying the things that are critical in the first place and making sure that you’ve got timely and effective controls and responses available in the event something does happen.”

Copyright © 2024 Federal News Network. All rights reserved.