Bob Kolasky, assistant director of the Cybersecurity and Infrastructure Security Agency’s National Risk Management Center, said that managing cyber risk requires not only information sharing among agencies but also an evolved approach that includes analyzing existing and potential risks.
“It means using existing efforts around vulnerability management, threat detection and network defense as a springboard for connecting the relationship between threat, vulnerability and consequence with actionable metrics that drive decision-making,” Kolasky wrote in an article published Tuesday on FedTech Magazine.
He highlighted the need to establish an architecture for analyzing cyber risks to critical infrastructure. NRMC is working with the Environmental Protection Agency and other sector-specific agencies on a “National Critical Functions risk architecture,” an engine that will combine all data layers into a single analytics tool, he noted.
“Supporting efforts to better grasp the impact of cyber risk across the critical infrastructure community will involve developing usable metrics to quantify cyber risk in terms of functional loss,” Kolasky wrote.
“The goal is to more precisely understand the relationship between threat, vulnerability and consequence on critical functions, and to bring that thinking into cost-benefit analysis for mitigating risks,” he added.
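The threat-vulnerability-consequence relationship and the cost-benefit analysis Kolasky describes can be made concrete with a small risk model. The following is an added example, not code from the FedTech article, CISA or the NRMC: it scores a handful of constructed water-sector critical functions by expected functional loss (threat likelihood times probability of success times consequence in dollars), then ranks candidate mitigations by the loss they avoid against what they cost. The function names, probabilities, dollar figures and the multiplicative scoring scheme are all assumptions chosen for illustration.

```python
"""Expected-functional-loss risk scoring with mitigation cost-benefit ranking.

Added example. All data below is constructed for illustration; the scoring
scheme (threat x vulnerability x consequence) is an assumption, not an
official NRMC methodology.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CriticalFunction:
    name: str
    threat: float         # likelihood of an attempt per year (0..1)
    vulnerability: float  # probability an attempt succeeds under current controls (0..1)
    consequence: float    # functional loss if it succeeds, in dollars per incident


@dataclass(frozen=True)
class Mitigation:
    name: str
    targets: tuple        # names of the functions whose vulnerability it reduces
    reduction: float      # fraction of remaining vulnerability removed (0..1)
    annual_cost: float    # dollars per year to operate the control


def expected_loss(fn: CriticalFunction) -> float:
    """Annualised expected functional loss for one critical function."""
    return fn.threat * fn.vulnerability * fn.consequence


def portfolio_loss(functions) -> float:
    """Expected loss summed over every critical function in scope."""
    return sum(expected_loss(f) for f in functions)


def apply_mitigation(fn: CriticalFunction, m: Mitigation) -> CriticalFunction:
    """Return the function as it would look with the mitigation in place."""
    if fn.name not in m.targets:
        return fn
    return CriticalFunction(fn.name, fn.threat,
                            fn.vulnerability * (1.0 - m.reduction), fn.consequence)


def evaluate(functions, mitigations):
    """Rank mitigations by net benefit (loss avoided minus annual cost).

    A control that protects a dependency shared by several functions earns
    credit for every function it covers, which is how systemic exposure
    shows up in the ranking.
    """
    base = portfolio_loss(functions)
    rows = []
    for m in mitigations:
        after = portfolio_loss(apply_mitigation(f, m) for f in functions)
        avoided = base - after
        rows.append({
            "mitigation": m.name,
            "loss_avoided": avoided,
            "cost": m.annual_cost,
            "net_benefit": avoided - m.annual_cost,
            "benefit_cost_ratio": avoided / m.annual_cost,
        })
    rows.sort(key=lambda r: r["net_benefit"], reverse=True)
    return rows


def recommended(rows):
    """Keep only controls whose avoided loss exceeds their cost."""
    return [r["mitigation"] for r in rows if r["benefit_cost_ratio"] > 1.0]


# Constructed sample: a hypothetical water utility, chosen because EPA is the
# sector-specific agency named in the article. Figures are invented.
FUNCTIONS = (
    CriticalFunction("Treat water", 0.3, 0.5, 4_000_000),
    CriticalFunction("Distribute water", 0.3, 0.4, 2_000_000),
    CriticalFunction("Bill customers", 0.6, 0.6, 200_000),
)

MITIGATIONS = (
    Mitigation("Segment SCADA network", ("Treat water", "Distribute water"), 0.5, 150_000),
    Mitigation("Patch billing portal", ("Bill customers",), 0.8, 50_000),
    Mitigation("Harden remote access",
               ("Treat water", "Distribute water", "Bill customers"), 0.3, 400_000),
)

if __name__ == "__main__":
    print(f"Baseline expected loss: ${portfolio_loss(FUNCTIONS):,.0f}/yr")
    for r in evaluate(FUNCTIONS, MITIGATIONS):
        print(f"{r['mitigation']:<24} avoided ${r['loss_avoided']:>10,.0f}  "
              f"cost ${r['cost']:>8,.0f}  net ${r['net_benefit']:>10,.0f}  "
              f"ratio {r['benefit_cost_ratio']:.2f}")
    print("Recommended:", recommended(evaluate(FUNCTIONS, MITIGATIONS)))
```

The point of expressing consequence as functional loss rather than as a count of affected hosts is visible in the output: the remote-access control touches every function but still ranks last, because its cost exceeds the loss it avoids, while the narrower SCADA segmentation wins on the two functions where an outage is most expensive.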
He also discussed how security ratings have helped organizations measure exposure to cyber risks and the need to better understand and reduce systemic cyber risk.