Closer integration between cybersecurity teams and enterprise risk management staff could help federal agencies avert catastrophic cyber breaches more effectively, according to a new study.
Research published Thursday by the Partnership for Public Service and Deloitte found that closer communication and coordination between the separate department functions can significantly increase the ability of department leaders to understand and prioritize cyber risks.
“ERM programs can work with cybersecurity professionals to connect information on cyber risks and vulnerabilities to information about other agency programs and strategic priorities,” the study said. “By connecting cyber risk to other agency priorities, ERM can help cybersecurity practitioners think more strategically about how to manage these risks.”
The study was produced following a discussion session held by the two organizations earlier this year, which brought together cybersecurity practitioners from across the federal government.
Among those canvassed were officials from the State Department, who highlighted how the agency’s Office of Global IT Risk uses ERM principles to frame technical information about cybersecurity risks for department leaders – and also ensures that decisions about risk tolerance are relayed back to technical staff.
“If we’re going to have a conversation at the organizational level, we need to have it in the context of how leaders deal with decisions on a regular basis,” said Peter Gouldmann, director of the Office of Global IT Risk. “We have to look at the strategic implications.”
In October last year, the National Institute of Standards and Technology published an overview of how agencies can integrate the two disciplines.
The document highlighted that NIST recognizes the critical relationship between cybersecurity and ERM, and detailed how an integrated approach can help agencies better identify and manage cybersecurity risk.