EDITORIAL: Risk Management has been a Failure
A Disjointed and Bureaucratic Mess
The principle of Risk Management (RM) has been a failure for the federal government’s implementation over the years. Why? Because of not just the complexity of implementing cybersecurity in its low-paced disjointed approach to cybersecurity in general, but moreover, the governments lack of commitment and resourcing of real solutions.
It has been the consummate failure of senior leadership and management to properly resource the cybersecurity effort that have been the hallmark of nearly daily reports of another compromise of a network and its precious data. For example, in 2015, the average amount afforded to cybersecurity workforce training at the US Department of Education was $600 per employee per year. (See the post: EXCLUSIVE: Dept of Education (ED): Only $600 for Cyber Training). The average cybersecurity certification course in the Washington, DC Metro area is over $3000.
This reflects the ongoing lack of commitment within the federal government and the downfall from the supposed “home of education” where professional and technical training is afforded short shrift. How can the private sector solve this problem if even the US federal government treats cybersecurity as a burden vice a responsibility?
For clarification, this failure is no fault of National Institute of Standards and Technology (NIST) and its creation of the principles of cybersecurity RM in the NIST 800-series. NIST has aptly created the varied cybersecurity frameworks and associated security controls that COULD protect critical IT systems and its data. Unfortunately, leadership accepts incredible amounts of risk without “fighting for” resources to reach a minimal state of actual or perceived security within the federal government.
Federal leadership will continue to express its voluntary-ignorance with “I-am-not-a-cybersecurity-expert” mantra. An ignorance that is expressed as a means to avoid culpability and accountability for the ongoing failures.
This has only further eroded the morale within the cybersecurity workforce, anecdotally or not. It expresses a concerted lack of interest and desire by leaders at all levels to not recognize that the cyber-threats are real, and leadership’s choice to demure its clear accountability has contributed to the ongoing successes of both internal and external threats to IT environments. It has been this complacency that has contributed to the current state of cybersecurity: failed.
–These are the opinions of the author based upon his over 20 years of federal service, and do not reflect the overall consensus or approval of the editors of this site.
Dr. Russo is currently the Senior Data Scientist with Cybersenetinel AI in Washington, DC. He is a former Senior Information Security Engineer within the Department of Defense’s (DOD) F-35 Joint Strike Fighter program. He has an extensive background in cybersecurity and is an expert in the Risk Management Framework (RMF) and DOD Instruction 8510, which implement RMF throughout the DOD and the federal government. He holds a Certified Information Systems Security Professional (CISSP) certification and a CISSP in information security architecture (ISSAP). He has a 2017 Chief Information Security Officer (CISO) certification from the National Defense University, Washington, DC. Dr. Russo retired from the US Army Reserves in 2012 as a Senior Intelligence Officer.
