Managing Cybersecurity Risk in Government: An Implementation Model
Wednesday, July 18, 2018
The increased use of technologies such as social media, the Internet of Things, mobility, and cloud computing by government agencies has extended the sources of potential cyber risk faced by those agencies.

Guest Blogger Shue-Jane Thompson

Diverse agency data stores extend the source of risk throughout government organizations, bringing the need for new approaches that move beyond traditional security precautions. Cyberattacks against government are becoming more common and have more severe impact.

As a result, cyber is increasingly being viewed as a key component in enterprise risk management (ERM) frameworks. ERM focuses on assessing significant challenges to an organization and its operations and implementing a set of predetermined risk responses; several IBM Center reports have addressed ERM, including Managing Risk in Government: An Introduction to Enterprise Risk Management and Improving Government Decision Making through Enterprise Risk Management, addressing how ERM can overcome the shortcomings of managing risk in silos. ERM has become a key strategy to address systemic risk across an organization. Securing data and managing cyber risk must now become critical elements in agency ERM frameworks.

In a new report from the IBM Center for The Business of Government, Managing Cybersecurity Risk in Government: An Implementation Model, authors Rajni Goel, James Haddow and Anupam Kumar from Howard University address cybersecurity risk management needs by developing a decision model that allows agencies to tailor approaches for particular cyber challenges. The authors review existing risk management frameworks in use across government, and analyze steps that agencies can take to understand and respond to those risks in a manner consistent with existing law and policy. They put this work together to develop an implementation model based on taking five steps to improve cybersecurity outcomes: Prioritize, Resource, Implement, Standardize, and Monitor (the PRISM model).

As the report notes, “the National Institute of Standards and Technology (NIST) finds that poorly managed cybersecurity risk may negatively affect performance and place an organization at risk by reducing its ability to innovate. This can occur even while leaders focus in the near term on the precise status of their organization’s cybersecurity posture and the risk of becoming a victim of cybercrime or cyberattack.” A methodology for cybersecurity risk management can help agencies become more resilient in responding to risks adequately and appropriately.

To address this challenge, the authors seek to improve agency capacity to implement effective cyber risk management through the PRISM decision model, which can lead agencies to make intelligent choices about how best to address cyber risk. The model helps agencies begin by prioritizing risk drivers and interdependencies, and linking cybersecurity goals to mission and operational objectives. The model can also assist agencies in communicating return on security investments to mitigate cyber risks. Such communications can foster discussion, assessment, and decisions and actions to tailor approaches for addressing cyber risk management in government.

We hope that this report provides a useful model for government agencies to adapt in managing cyber risks.