Federal agency IT executives at the FedScoop Cybersecurity Leadership Summit reached the conclusion that — because they will never achieve perfect security — they need to focus on risk management.
With so many demands on security — and only limited resources to achieve them — federal agencies are rapidly reaching the conclusion that the holy grail of secure perimeters must be put aside in favor of a more practical, risk-oriented set of security priorities, the speakers said. The key: identify the highest risks — both in terms of data sensitivity and likelihood of attack — and secure that data first.
“We’re looking at risk-based approaches, rather than security perfection,” Bhagowalia said. “It’s more about information assurance than about security. It’s more about continuous monitoring than about compliance.”
NIST’s Ross agreed. “We’ve developed a structure for enterprise-wide risk management,” he said. “How do you monitor risk over time? How much risk can you tolerate? Once you’ve answered these questions, then you can set up your missions and business processes.”
via Federal Agencies Wrestle With Cybersecurity’s Harsh Realities – DarkReading.

