Closer integration between cybersecurity teams and enterprise risk management staff could help Federal agencies avert catastrophic cyber breaches more effectively, according to a new study published on September 23 by the Partnership for Public Service and Deloitte.
The study found that closer communication and coordination between the two functions, cybersecurity and ERM, can significantly increase the ability of department leaders to understand and prioritize cyber risks.
“Many government agencies have robust cybersecurity programs overseen by chief information and chief information security officers. Agencies can build on that strong foundation by better coordinating their cybersecurity programs and ERM activities. In turn, agency leaders can be better positioned to fully assess, monitor, and make decisions about cybersecurity risks,” the study states.
The two organizations held working discussion sessions with cybersecurity practitioners from across the Federal government. Participants discussed the challenge of communicating complex information about threats and vulnerabilities to agency leaders who may not have in-depth technical knowledge. And according to the report, this communication gap can have serious consequences.
“If leaders don’t understand the information presented to them and the risks associated with that information, they may not make the necessary decisions or investments to safeguard the agency’s cybersecurity,” the report says.
Federal ERM programs have the tools and expertise to help agencies develop a comprehensive risk register. And according to the report, a good risk register can clearly articulate the full picture of an agency’s cybersecurity risks and serve as a resource to help agency leaders understand, prioritize, and address those risks.
Many agencies have already started this integration. For those continuing the process, the report offers guidance that ERM, cybersecurity, and digital transformation practitioners should keep in mind:
- Use common terminology.
- Make information actionable.
- Connect risk governance and align leadership.
- Incorporate risk appetite and risk tolerance.
- Examine risks at the organizational level.
- Connect cybersecurity and enterprise risk registers.