Page 13 - FCW, July/August 2018

one of the features ranked in its annual survey released in September. Nonetheless, a report by Interior’s inspector general in March cited a number of holes in Interior’s cyber defenses.
“These issues occurred because the Department incident response program had not evolved to address today’s often sophisticated cyber threats,” the IG report said. “Using a process that does not fully analyze and completely contain active cyber threats increases the risk that bureaus’ sensitive data will be lost and mission operations disrupted.”
The problem, Kupcinski said, is that today’s cyber threats are changing dramatically. Maintaining a consistent and up-to-date threat profile is a challenge.
“We spend a lot of time helping organizations frame cyber risk as a component of enterprise risk management. Security doesn’t need to start and stop at the security operations center and is a factor that needs to be embraced by the business,” he said. “An agency’s cyber posture should be derived from how much risk an organization is willing to take on, which will change over time.”
One of the ways this can happen is through application of Cyber Threat Intelligence (CTI), which helps organizations understand the nature and likely impact of the threats they face. CTI is a combination of understanding external threats, internal vulnerabilities, and information of value to an attacker. This includes strategic, operational, and technical data points that are gathered, correlated, assessed, and fused into threat intelligence.
Using a continuous cycle approach, CTI analyzes data to identify gaps in security posture, which in turn leads to action to mitigate or prevent malicious activity from happening. It’s a value-added resource

C-Suite Leaders and the Language of Cyber Security
An effective, long-term cyber security threat-analysis program must involve C-suite leaders and other executives at an agency. The problem, according to KPMG’s John Kupcinski, is one of communication. For too long, cyber security professionals have used the language of threats, tools and procedures “that doesn’t necessarily resonate at the C-level,” he said.
Misaligned communication is a systemic problem, according to Kate Charlet, director of the Carnegie Endowment for International Peace’s Technology and International Affairs Program. One of the biggest informal indicators of how well an agency does on managing cyber risk is the level of engagement from the agency head, Charlet wrote in an April 2018 paper.
“Successful agency heads develop an awareness of cyber risk, see cybersecurity as core to executing their missions, and hold their agency accountable,” she said. “Yet this doesn’t come naturally to many, given that cyber risk is difficult to internalize and because agency heads face so many competing demands.”
Fusion centers in agencies can help by including C-level executives in the discussion. Those conversations should include plain language that describes potential actions and mitigation strategies and effects.
Kupcinski said, “We need to connect the strategic and tactical. This begins with better articulating the cyber risks in real business terms. This in turn will allow executives to make better decisions. Cyber is not an IT issue, but a business issue, and using CTI can be one aspect of helping frame this conversation.”