The Department of Homeland Security (DHS) this week announced the formation of a new National Risk Management Center (NRMC) to be led by Bob Kolasky, currently an acting Assistant Secretary in the National Protection and Programs Directorate (NPPD). As a longtime senior executive in cyber security with decades of experience planning, creating, running, merging, and even closing similar centers, I wanted to offer some advice to the DHS team.
The first backdrop here is that the culture at DHS involves publicly announcing the creation of new programs and initiatives (with long acronyms), versus allowing functional capabilities to grow organically and be quietly nurtured based on practical, operational experiences. This DHS approach is typical of any political organization, but it differs with industry, where SOC teams can often learn and grow at a reasonable pace without fear of public embarrassment.
A second backdrop issue is that DHS already runs similar centers and organizations, each with comparable mission statements. The National Cybersecurity Communications and Integration Center (NCCIC) and the National Infrastructure Coordinating Center (NICC) are both already functioning under NPPD, so some organizational risk (ahem) emerges for mission creep and overlap. Every CISO I know would be concerned if this were occurring in their company.
A third backdrop is that the NRMC appears to be a merge of two existing team at DHS – the Office of Cyber and Information Analysis (OCIA) and the Office of Cybersecurity and Communications (CS&S). Everything I know about merging existing groups into a new center, suggests the intense need for careful planning and management – hence, my advice in this note. (By the way, are you having fun with all these government acronyms yet?)
That said, I sincerely recommend that Mr. Kolasky, and his supervisor, Undersecretary Chris Krebs, Head of the NPPD, focus closely on three management considerations – Governance, Automation, and Action – as they begin to attend to our nation’s cyber risk in the NRMC. I’ll explain what I mean by each of these three factors below, including how the NPPD can optimize the potential for a successful deployment.
Focus the NRMC on Governance – Every expert in the world working in cyber risk will tell you – over and over and over – that governance is the absolute key to a successful operation of any risk management program. By governance, I mean on-going guidance and oversight, by all key stakeholders, of how cyber risks are identified, managed, assessed, scored, communicated, and ultimately dealt with by operational teams.
What this means for NPPD is that Mr. Kolasky must invest as much time and effort into identifying the optimal set of key governance stakeholders, as perhaps all other activities in the planning process for the new center combined. Get the governance stakeholder team right, and you’ll have a well-functioning NRMC; get it wrong, and you’ll have little more than an empty government acronym.
Utilize Risk Automation – Despite the conventional view of cyber risk as a soft, non-technical issue, our industry has established a modern discipline supported by advanced, automated tools for managing cyber risk in a highly effective manner. Excellent platforms exist today that support auto-ingest of relevant governance, compliance, and risk data, with amazing analytic and visualization capabilities to support rapid risk management decision-making.
What this means for NPPD is that Mr. Kolasky must quickly select, procure, and deploy an automated tool – perhaps a world-class GRC platform – to serve as the underlying automation support for all NRMC activities. The good news is that many excellent platform options exist, and DHS should have no trouble selecting a good one. (That said, I do worry that the GSA procurement process will take too long. Mr. Kolasky should find a short-cut if possible.)
Focus on Risk Action – The worst thing that can happen in any risk management center is the creation of a culture of inaction. That is, if the identification of risks is itself the goal, rather than a means toward some more actionable and mitigation-focused objective, then the NRMC becomes an interesting academic artifact. Companies generally avoid this risk, because if a center is not actionable, executives will cut off funding quickly.
What this means for NPPD is that Mr. Kolasky should depend on sister DHS organizations, especially CS&S, to guide the process of connecting identified risks with actionable mitigation. Since this will certainly involve public-private partnership, one would expect the governance stakeholders for the NRMC to include representatives from our private critical infrastructure industries including financial services, telecommunications, and so on.
I am hopeful that the NRMC will be provide successful support for our nation’s cyber risk, and I am bullish on the selection of Mr. Kolasky as its new lead. He has the correct experience and expertise to make this center work. That said, I am certain that if any of the CISOs I know, or that I coach in my consulting practice, were given the assignment of making the NRMC succeed in the context of the DHS NPPD, I’ll bet they would be carrying a few extra packs of Tums.
My best wishes to the DHS team for a successful deployment. We will be watching.