Systemic Cyber Risk Reduction: A Q&A with the Department of Homeland Security’s Bob Kolasky

Fueled in part by high-profile ransomware attacks that have resulted in major losses, cybersecurity is now a top priority at just about every type of business - including financial services firms. Indeed, as banks move more and more toward digitization, their potential exposure to cyberattacks will likely only increase.

Today, they must be ready to identify (and, when necessary, respond to) a slew of different types of cyberattacks, ranging from ransomware to phishing-type scams to business email compromise (BEC) schemes. Otherwise, they risk becoming part of alarming statistics that depict a 69 percent growth in cybercrime complaints in 2020, and which forecast global cybercrime damages skyrocketing from $6 trillion in 2021 to $10.5 trillion in 2025.

Against this backdrop, the U.S. Department of Homeland Security has developed a comprehensive plan for managing and reducing cyber risk, mainly through its Cybersecurity and Infrastructure Security Agency (CISA). Recently, to learn more about the DHS’s perspective on trends, threats and best practices in cybersecurity, we spoke with Bob Kolasky, the head of the National Risk Management Center - a division of CISA.

The best approach to cyber risk mitigation, the importance of sharing information and avoiding silos, and the collaborative work CISA has done in the cybersecurity space were among the issues that were top-of-mind for Kolasky.

Christopher Hetner (CH): So, Bob, tell me a little about the Cybersecurity and Infrastructure Security Agency and the National Risk Management Center, which resides within CISA.

Bob Kolasky (BK): CISA is the newest agency within the Department of Homeland Security. We work to drive risk reduction to risks to critical infrastructure and critical operations. We help a wide variety of stakeholders address national-level cyber and physical risks, as well as emerging hybrid threats.

While our mission at CISA is primarily focused on threats to our national critical infrastructure, at the end of the day, cybersecurity is an inherently shared risk that requires our nation to work across government and industry to share information and best practices in an effort to reduce the risk. Within the National Risk Management Center, which I lead, we are doing just that.

In January of this year, we launched a Systemic Cyber Risk Reduction Venture to organize how we look at cyber risk and start to measure its impact on national security. Ultimately, it is our goal through this effort to connect the dots on how to systemically manage cyber risk impacts across and within critical infrastructure sectors, industries and critical functions in a more targeted, prioritized and strategic manner.

CH: This certainly sounds exciting, and, given the current cyber risk environment, something that could certainly benefit government and industry alike. Can you elaborate a little more about the Venture and what you are hoping to achieve?

BK: What we have put a focus on within the National Risk Management Center is defining what we call National Critical Functions (NCFs), which are the things that absolutely must work against the challenge of cyber incidents. The ability to transport materials, supply water, operate core communications networks, conduct elections, protect intellectual property, and manage the financial system are among these functions. They are all underpinned by a dependent web of hardware, software, services and other connected componentry.

As seen with recent events, major consequences of a cyber incident impacting NCFs are very real. So, as part of our risk-defining process within the Venture, we are building out a model to better understand the level of cyber threats and cyber vulnerabilities, as well as their impact on NCFs. This allows us to prioritize where it's most important to invest and improve IT security and IT operations, and to better understand both core operational technologies and industrial control systems.

We are working across government and industry to develop and share innovative analytics, quantifiable metrics and enterprise risk management best practices. The goal is to connect the dots on how to systemically manage cyber risk impacts across and within critical infrastructure sectors, industries and critical functions in a more targeted, prioritized and strategic manner.

For example, as part of the President's most recent Executive Order on Improving the Nation’s Cyber Security, CISA is looking at what software is most important to the federal government for our daily operations. By determining software criticality, it will help us in understanding what we should put a priority on in terms of protection and information collection.

This process will, moreover, not just impact the federal government. It’s no secret that we all use similar software products. Our efforts to ensure these products meet the highest level of security for our federal networks will inevitably increase the level of security and decrease the level of cyber risk to critical infrastructure and other private sector software customers.

CH: It seems like CISA has a good plan for reducing cyber risk to the nation. How should corporate leaders be thinking about cyber risk?

BK: First, leaders need to ask the following questions: What are the risks to your most critical processes? What are the things most important to your business or for your organization? What do you require on a daily basis that customers rely on? And, most importantly, what is the cost of a cyber incident impacting that system or critical process?

You have to pursue that line of thinking, because it will help you make better business decisions on where, and at what level, to invest in cyber improvement.

While not an easy endeavor by any means, efforts need to be made to evaluate the cyber impact against traditional metrics, and then push that analysis further upstream to evaluate incidents and controls in terms of their impact on outcomes. This kind of thinking will help us to better evaluate the merit of additional investments in cyber controls and other forms of cyber resilience.

At CISA, we are practicing what we preach. We are getting better sources of data information to assign metrics to critical functions against the cyber challenges we're facing. In doing so, we are having conversations at the national level about the tradeoff of making more investments in cybersecurity. This is something being done through a national security perspective, but I hope other organizations are on a similar journey.

CH: What about information sharing? How does that fit into this effort? I think we all understand the potential challenges with working in silos.

BK: You’re right, Chris. Cyber risks cannot be managed in silos, fragmented among specific individuals or departments (e.g., IT, finance, legal, etc.) responsible for a piece of an organization’s risks with little or no in-between interaction. By sharing information, organizations can fully realize the possible extent of their vulnerabilities.

In other words, in a world when your risk can be my risk and vice versa, sharing data provides valuable insight into how cyber risk manifests itself in an interconnected world - and sheds light on possible collateral damage it can do. Rather than simply having a list of security-related elements to check off, organizations can use shared data to develop metrics that assess the effectiveness of security controls in place. Moreover, they can conduct cost-benefit analysis to avoid a risk, and calculate the costs - if that risk were to occur - with more accuracy and reliability.

CH: I think that’s great guidance and something that I hope our members can take away from this discussion. So, what’s next for this Venture? Any final words of advice for an organization starting a similar journey on cyber risk reduction?

BK: The success of the Venture relies on the continued expertise and advice from stakeholders across the cyber risk and critical infrastructure communities. As we build out models and share research and best practices, we want to continue to engage with organizations like GARP to ensure we are engaging a broad set of stakeholders and working together in a unified approach to reduce cyber risk.

Five years from now, I want us to be able to look at our cyber ecosystem and feel we are more secure, and more resilient as a nation – that we have, in fact, reduced cyber risk, and that our adversaries can't do things that are going to fundamentally impact our economy, our national security and our overall community well-being. Working together, I believe that can become a reality.

Christopher Hetner is a risk management expert with more than 25 years of experience in cyber risk, regulatory compliance and corporate governance. He currently serves as an expert advisor to the Institute for Defense Analyses (U.S. Department of the Treasury), a special advisor for cyber risk for NACD, and a national board member of the Society of Hispanic Professional Engineers. Previously, he worked as the senior cybersecurity advisor to the Securities Exchange Commission Chairs Mary Jo White and Jay Clayton. He can be reached at chetner10@gmail.com.