Agencies increasingly rely on social media, the Internet of Things, mobile and cloud computing to execute their missions. While those technologies have empowered employees and improved the efficiency and delivery of government services, they also have exposed agencies to greater data security risks.
Diverse agency data stores extend the source of risk throughout organizations, requiring agencies to adopt new approaches that move beyond traditional security precautions. Cyber attacks against government are increasingly common and the severity of their impact is growing. As a result, it is essential that agencies consider data security a critical element of enterprise risk management.
ERM (enterprise risk management) has become a key strategy to address systemic risk across organizations, and in recent years, the IBM Center for the Business of Government has devoted considerable attention to the topic. In our most recent report, “Managing Cybersecurity Risk in Government: An Implementation Model,” authors Rajni Goel, James Haddow and Anupam Kumar from Howard University develop a decision model that allows agencies to tailor approaches for particular cyber challenges.
The authors review existing risk management frameworks in use across government, and analyze steps agencies can take to understand and respond to those risks in compliance with existing law and policy. The model is based on five steps to improve cybersecurity outcomes: prioritize, resource, implement, standardize, and monitor—the PRISM model.
As the report notes:
“The National Institute of Standards and Technology finds that poorly managed cybersecurity risk may negatively affect performance and place an organization at risk by reducing its ability to innovate. This can occur even while leaders focus in the near term on the precise status of their organization’s cybersecurity posture and the risk of becoming a victim of cybercrime or cyberattack.”
A methodology for cybersecurity risk management can help agencies become more resilient in responding to risks adequately and appropriately.
To address this challenge, the authors seek to improve agency capacity to implement effective cyber risk management through the PRISM decision model, which can guide agencies in making intelligent choices about how best to address cyber risk. The model helps agencies prioritize risk drivers and their interdependencies, and link cybersecurity goals to mission and operational objectives.
The model can also assist agencies in communicating return on security investments to mitigate cyber risks. Such communications can foster discussion, assessment, decisions and actions to tailor approaches for addressing cyber risk management in government.