Cybersecurity Risk Management

Cybersecurity risk management assumes that perfect security is impossible, and focuses on business priorities given the available resources. Risk management principles have been formulated in many ways; the elements below are one representation.

Elements of Risk Management

Prioritize Assets and Processes

What are the most important government services? What are the critical public systems, and which data requires the strongest protections? What are the critical private sector systems, and which data does the government have a role in protecting?

Identify Cyber Risks

Which priority services, systems and data are vulnerable to cyber threats?

Plan Security Controls and Response Plans

How can the state make priority services, systems and data more resilient to cyber risk? What are the technical, administrative and procedural controls needed to reduce the risk of attacks? What are the controls needed to respond quickly to attacks that do occur?

Implement Security Controls and Response Plans

Who oversees implementation? Do they have the necessary authority? Do they have the necessary relationships? What are the timelines for implementation?

Monitor the Progress

The image on this page proposes a framework for governors to understand their risk management.

Metrics Are a Must: Assessing Progress in Cybersecurity

All cybersecurity programs share a common challenge: demonstrating a return on investment. If a security breach does not occur, it is difficult to determine whether security measures deserve the credit. Was it mandatory cybersecurity training, or a new software program? A decline in a type of malware found in a network does not imply that policies implemented by the state caused that decline. It could simply be luck; the threat may never have materialized. A breach could have gone undetected or unreported. When defenders do discover breaches, critics may charge that security investments were pointless, even if those measures stopped many other unknown attacks. Lastly, assessing a state’s cybersecurity posture based on attacks does not account for non-technical programs, such as workforce pipeline policies.

How Do You Develop Risk Score Cards?

Minnesota assesses agencies’ security risks using a “score card” that provides a high-level overview of security across agencies for executives who may not be subject matter experts. Agency heads can examine the 60 sub-metrics in each score card (aligned to the five core functions of the NIST Framework) and focus on boosting specific scores.

What is a “Cyberattack?”

Be careful in assessing a state’s cybersecurity posture based on the number of attacks that were prevented. The definition of “attack” varies. Media reports often use it as a catch-all, but states should define it more precisely if they are going to use it as a metric. Does it include digital probes (i.e., a “knock at the door”) to see if anyone is home? Or is it when an attacker enters the state network? What if the intrusion is detected before it can cause damage?

How Do Governors Monitor Progress?

In cybersecurity, measuring success requires measuring processes by assessing change in characteristics such as:

For state agencies specifically (where data collection is easy)
  1. Alignment with established standards, e.g., NIST Framework or the CIS Security Controls (See Illinois’ Cybersecurity Strategy and Governors’ Guide – Developing a Cybersecurity Strategy);
  2. Average staff time dedicated to security incidents;
  3. Frequency of security policy violations by employees;
  4. Percentage of agencies that exercise response plans;
  5. Elapsed time from incident discovery to resolution; and
  6. Frequency of recurring incidents.

For other aspects of state cybersecurity (where data collection is hard)
  1. Number of unfilled cybersecurity positions;
  2. Participation in cyber response exercises by non-state partners;
  3. Participation in state information sharing initiatives.
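The following is an added example, not part of the original guide, showing how several of the state-agency metrics above (staff time per incident, exercise participation, discovery-to-resolution time, recurring incidents) can be computed from incident records once the state has fixed an explicit definition of “attack” as discussed under “What is a ‘Cyberattack?’”. The agency names, causes, timestamps, stage labels and field names are constructed for illustration; the same incidents yield a different “attacks prevented” count depending on whether probes are included, which is exactly why the definition must be written down before the metric is reported.

```python
# Added example (not from the original guide): progress metrics computed from
# a constructed set of incident records. All agencies, causes, timestamps and
# field names below are hypothetical.
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample records. "stage" encodes the attack definition:
#   probe     - a "knock at the door" (scan, failed login), no access gained
#   intrusion - attacker entered the state network, detected before damage
#   damage    - intrusion that caused data loss, outage or other impact
INCIDENTS = [
    {"id": 1, "agency": "Revenue", "stage": "probe", "cause": "port scan",
     "discovered": "2023-03-01T08:00", "resolved": "2023-03-01T08:30", "staff_hours": 0.5},
    {"id": 2, "agency": "Health", "stage": "intrusion", "cause": "phishing",
     "discovered": "2023-03-02T09:00", "resolved": "2023-03-02T15:00", "staff_hours": 6.0},
    {"id": 3, "agency": "Revenue", "stage": "intrusion", "cause": "phishing",
     "discovered": "2023-03-05T10:00", "resolved": "2023-03-05T14:00", "staff_hours": 4.0},
    {"id": 4, "agency": "Health", "stage": "damage", "cause": "ransomware",
     "discovered": "2023-03-10T00:00", "resolved": "2023-03-12T00:00", "staff_hours": 40.0},
    {"id": 5, "agency": "Health", "stage": "intrusion", "cause": "phishing",
     "discovered": "2023-03-15T12:00", "resolved": "2023-03-15T14:00", "staff_hours": 2.0},
    {"id": 6, "agency": "Transportation", "stage": "probe", "cause": "port scan",
     "discovered": "2023-03-20T01:00", "resolved": "2023-03-20T01:10", "staff_hours": 0.2},
]

# Two candidate definitions of "attack"; the reported count changes with the choice.
ATTACK_INCLUDES_PROBES = {"probe", "intrusion", "damage"}
ATTACK_EXCLUDES_PROBES = {"intrusion", "damage"}


def _ts(s):
    """Parse the constructed 'YYYY-MM-DDTHH:MM' timestamps."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


def count_attacks(records, definition):
    """Number of incidents that count as attacks under the given set of stages."""
    return sum(1 for r in records if r["stage"] in definition)


def mean_time_to_resolve_hours(records, definition=ATTACK_EXCLUDES_PROBES):
    """Average elapsed time from discovery to resolution, in hours."""
    hours = [(_ts(r["resolved"]) - _ts(r["discovered"])).total_seconds() / 3600
             for r in records if r["stage"] in definition]
    return mean(hours) if hours else 0.0


def recurring_incident_rate(records, definition=ATTACK_EXCLUDES_PROBES):
    """Share of qualifying incidents whose (agency, cause) pair had already
    occurred earlier in the period, processed in order of discovery."""
    seen, recurring, total = set(), 0, 0
    for r in sorted(records, key=lambda r: r["discovered"]):
        if r["stage"] not in definition:
            continue
        total += 1
        key = (r["agency"], r["cause"])
        if key in seen:
            recurring += 1
        seen.add(key)
    return recurring / total if total else 0.0


def staff_hours_by_agency(records):
    """Total staff time spent on incidents, per agency (all stages)."""
    totals = defaultdict(float)
    for r in records:
        totals[r["agency"]] += r["staff_hours"]
    return dict(totals)


def exercise_participation_pct(agencies, exercised):
    """Percentage of agencies that exercised their response plan this period."""
    if not agencies:
        return 0.0
    return 100.0 * len(set(agencies) & set(exercised)) / len(agencies)


if __name__ == "__main__":
    print("attacks (probes counted):   ", count_attacks(INCIDENTS, ATTACK_INCLUDES_PROBES))
    print("attacks (probes excluded):  ", count_attacks(INCIDENTS, ATTACK_EXCLUDES_PROBES))
    print("mean time to resolve (h):   ", mean_time_to_resolve_hours(INCIDENTS))
    print("recurring incident rate:    ", recurring_incident_rate(INCIDENTS))
    print("staff hours by agency:      ", staff_hours_by_agency(INCIDENTS))
    print("agencies that exercised (%):",
          exercise_participation_pct(["Revenue", "Health", "Transportation", "Education"],
                                     {"Revenue", "Health"}))
```

The two attack definitions give 6 and 4 “attacks” for the same month of records, so a score card that reports “attacks prevented” without stating which stages are counted cannot be compared across agencies or across years. The recurrence metric keys on (agency, cause) rather than on the incident alone, so that a third phishing intrusion at the same agency registers as a recurring problem rather than as a new event.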