Risk Group Founder, Jayshree Pandya Ph.D, discusses "The Need for Security-Centric Integrated Risk Management Framework" with Prof. Daniel Shoemaker, the Director of the Masters of Science Information Assurance Program (for Cyber-security), and a Principal Investigator for the Center of Academic Excellence Program with the National Security Agency, on Risk Roundup.

Introduction

Everything has risks and risks are inevitable. It is the ability to take risks that gives each nation, that is, its government, industries, organizations, academia and individuals (NGIOA-I), the possibility of progress and advancement. Progress and advancement are all about risk taking. But when risk transcends initiatives, industries, borders, cultures, nations, societies and human existence, taking timely risk initiatives is a necessary forward-looking move. As today's risks are tomorrow's crises, there is a need to transition from a reactive approach to a proactive one for identifying, evaluating and managing risks. Having said that, all the tools, technology, processes, guidelines and frameworks in the world won't help if risks cannot be accurately identified, objectively evaluated and effectively managed! In addition, what risks are managed depends on what risks have been identified.

Cyberspace has brought complex, chaotic, and challenging times for each nation, that is, its government, industries, organizations and academia (NGIOA), in cyberspace, geospace and space (CGS). As cyberspace is deeply embedded across each component of a nation (its government, industries, organizations and academia), its crowded interconnections have caught nations off guard. These interconnections and interdependencies raise an important question: whether our current risk management frameworks, tools, technologies and processes are effective in managing the security risks of cyberspace. For example, the ongoing battle between government and technology companies over back door access is a perfect example of ineffectiveness in our current approach to risk management.

Concerns About Lack of Effectiveness in The Current Approach to Risk Management

Over the years, there has been heightened concern about, and focus on, the lack of effectiveness in the current approach to risk management, due to critical threats brought on by the rapidly changing global fundamentals and the inability of risk management programs to predict critical risks at all levels. It has become increasingly clear that a need exists for re-evaluation of the approach to risk management. In addition, when the computer code, the connected computers and the ecosystem that make up cyberspace began to bring complex challenges and complexities to everyone and to everything, from geospace to space, the need for a new way of identifying, evaluating and managing risks became even more clear and urgent. This tectonic shift in the nature of risks brought on by cyberspace is creating complex challenges for every NGIOA.

As computer code and connected computers blur the line between geospace, cyberspace and space, it needs to be understood that the current approach to risk management cannot give any entity within any NGIOA the ability to manage risks effectively while bringing security and sustainability to its initiatives, because managing cyberspace and cyber-security risks requires not only integration of cyberspace with geospace and space (CGS) but also a fine balance of cooperation and collaboration between, within and across NGIOA, and from their people, processes, proficiency, and prudence.

How to Define Cyber-Security Risks?

In the context of cyberspace, cyber-security risks are those risks that arise from the potential of losing the value of the current as well as strategic entities,