Risk management in the modern age is largely about cyber hygiene, said Wanda Jones-Heath, Chief Information Security Officer (CISO) for the U.S. Air Force’s Office of the Deputy CIO, today.
At the CXO Tech Forum on the State of Cyber, Jones-Heath said that the service branch’s risk management strategy estimates that 80 percent of the problem is cyber hygiene, and that’s where the bulk of the strategy should be aimed.
The Air Force’s risk management strategy starts with cyber hygiene, but it also includes penetration testing and continuous monitoring, Jones-Heath said. Together these let the service branch evaluate its present state and see where it wants to go.
“When we do an assessment on a legacy system, we ask: ‘what can we fix?’” Jones-Heath said, adding that cost issues can prevent organizations from fixing everything.
Manuel Castillo, Senior IT Security Advisor for the Federal Bureau of Investigation, said a key component of risk management is understanding how much risk an organization is willing to tolerate – because risks will never go away.
Panelists at today’s event also discussed supply chain risks, and how to approach management of those.
Adrian Monza, Cyber Defense Branch Chief for the Department of Homeland Security’s U.S. Citizenship and Immigration Services (USCIS), said that because the organization doesn’t operate much in the IoT (internet of things) space, it has to leverage the work of third party vendors and other agencies in the physical supply chain, while USCIS focuses on the software supply chain.