The Cybersecurity and Infrastructure Security Agency (CISA) has launched a new cybersecurity effort: The Systemic Cyber Risk Reduction Venture on developing actionable metrics to quantify cyber risk. This information will be used to reduce shared risk to the nation's security.
The effort, in partnership with theNational Risk Management Center (NRMC), CISA will be focusing on using enterprise risk management best practices in 2021. According to Bob Kolasky, CISA Assistant Director for the National Risk Management Center, CISA is anticipating three overarching lines of effort:
Build the Underlying Architecture for Cyber Risk Analysis to Critical Infrastructure
The critical infrastructure community is underpinned by a dependent web of hardware, software, services, and other connected componentry.
Cyber Risk Metric Development
Supporting efforts to better understand the impact of cyber risk across the critical infrastructure community will require developing usable metrics to quantify cyber risk in terms of functional loss. There’s no need to get bogged down with Greek equations with decimal place-level specificity. Metrics that provide even directional or comparative indicators are enormously helpful.
Promoting Tools to Address Concentrated Sources of Cyber Risk
Central to the venture to reduce systemic cyber risk is finding concentrated sources of risk that, if mitigated, provide heightened risk management bang for the buck if addressed.
"Defending Today and Securing Tomorrow demands that we better understand and address systemic cyber risk. The steady drumbeat of the importance of cyber essentials must be complemented with a more advanced understanding of how cyber risk manifests itself in an interconnected world – this means both understanding the interconnection and developing high leverage solutions. CISA, via the National Risk Management Center’s collaborative approach, looks forward to working with the critical infrastructure and cyber research community to make progress on this important Venture," Kolasky says.