Cybersecurity risk management assumes that perfect security is impossible, and focuses on business priorities, given available resources. Risk management principles can be represented in various ways.
What are the most important government services? What are the critical public systems, and which data requires the strongest protections? What are the critical private sector systems, and which data does the government have a role in protecting?
Which priority services, systems and data are vulnerable to cyber threats?
Plan Security Controls and Response Plans: How can the state make priority services, systems and data more resilient to cyber risk? What are the technical, administrative and procedural controls needed to reduce the risk of attacks? What are the controls needed to respond quickly to attacks that do occur?
Who oversees implementation? Do they have the necessary authority? Do they have the necessary relationships? What are the timelines for implementation?
The image on this page proposes a framework for governors to understand their risk management.
All cybersecurity programs share a common challenge: demonstrating a return on investment. If a security breach does not occur, it is difficult to determine whether security measures deserve the credit. Was it mandatory cybersecurity training, or a new software program? A decline in a type of malware found in a network does not imply that policies implemented by the state caused that decline. It could simply be luck; the threat may never have materialized. A breach could have gone undetected or unreported. When defenders do discover breaches, critics may charge that security investments were pointless, even if those measures stopped many other unknown attacks. Lastly, assessing a state's cybersecurity posture based on attacks alone does not account for non-technical programs, such as workforce pipeline policies.
Minnesota assesses agencies’ security risks using a “score card” that provides a high-level overview of security across agencies for executives who may not be subject matter experts. Agency heads can examine the 60 sub-metrics in each score card (aligned to the five core functions of the NIST Framework) and focus on boosting specific scores.