Digital Version of November/December 2014 Print Edition
Enterprise cyber-security: The case for using analytics to manage risk
Federal chief information security officers (CISOs) know that it isn’t a matter of whether their agency will be subject to a cyber-attack; it is a question of how frequently the attacks will occur.
But the real concern that keeps CISOs awake at night is what happens when one of the attacks succeeds -- and they know one eventually will: whether it will compromise the network and disrupt operations or, even worse, result in the theft of sensitive, classified or personally identifiable information (PII).
The traditional approach to addressing common system and network vulnerabilities, which includes placing the problem in silos based on the particular type of attack or its target, is no longer enough to meet the challenges posed by today’s hackers and cyber criminals. Instead, the federal cyber-security landscape requires that agencies take an enterprise approach to cyber risk management, and to do so, CISOs must be able to understand and visualize the human and technology interactions that impact the agency in cyberspace. That’s where analytics can help.
Think of it this way: remember when you were a kid? You had friends and those friends had parents. They knew who you should be hanging out with and which kids tended to get into trouble. And, everyone’s parents talked to each other. The neighborhood parents understood the risks if their kid associated with one of the kids with a propensity for getting into trouble, and made a risk-based decision about whether you could hang out with that kid.
Now, think of the same issue in the context of cyber-security. If a virus compromises your computer systems, the immediate problem may be eliminating the virus, but the bigger problem is how the virus succeeded in accessing your computer systems in the first place.
Instead of looking at the virus, think of the gaps in your security and harness the power of that data. For example, do you know which individuals (or IP addresses) your agency’s employees are connecting with? The IP addresses that employees shouldn’t be associating with are high risk. An enterprise risk management approach to cyber-security raises key questions like: Why is the individual associating with that risk? Is he or she an insider moving data into or out of the organization? Those are the insider risks.
The same problem applies to the need to look at the connections coming into your agency, such as partners, vendors and other key stakeholders. If you allow everything into your agency, you leave yourself open to a lot of risk. So, how do you know how much risk is too much?
CISOs must develop a cyber risk posture for their agencies, but in order to do that, they must be able to see the connections, via an analytical model, to know which ones pose a threat. This is exactly what the credit card industry has done for years. For example, every time you apply for a credit card, the company uses analytics to assess risk (e.g., the amount of debt you carry, whether you promptly pay your bills and your overall credit history). The credit card company will assess your risk to its bottom line by using an analytical model. If you have a lot of debt, a history of late payments and a small salary, the credit card company will likely reject you because you are a bad risk.
Credit risks are one thing, but the risks posed by successful hackers to our nation’s economic and national security bring the problem and the solution into focus. By leveraging analytics in cyber risk management, agency CISOs can help prevent cyber-attacks from succeeding. Analytics can illustrate the anatomy of a successful hack through a visualization of risk-based connections and keep it from occurring -- much like the credit card company was able to keep the risk-based credit applicant from negatively affecting its bottom line.
We know the attack is coming. We may not know when the attack will occur, but with a risk-based approach leveraging analytics we have the power to know where the threat may be coming from.
Chris Smith is currently director of enterprise architecture and service engagement for SAS Federal, and previously held leadership positions with the National Park Service and the Departments of Labor, Education, Agriculture and Energy. He can be reached at: