It is no secret to say that a key part of risk management is efficiently applying limited resources to maximum effect. The goal is to prioritize what needs protecting and understand what they need protection from. As anyone who does risk management knows, this is a deceptively complicated task for any enterprise, but when your responsibility is to secure the homeland, this task is immensely complicated.
To address this, several years ago the federal government worked with critical infrastructure sectors to develop a “Risk Assessment” for most sectors. These were sector-wide risk assessments, focused on the sector and not individual companies. The idea was that the results of each sector’s assessment would be fed into DHS. DHS would then aggregate and prioritize, and feed the results into national planning, budgeting and R&D to assist sectors in developing risk management plans.
While well-intentioned and a necessary first step, this approach did not achieve the success many had hoped. A key reason for this is that there was great variation in methodologies and results. For example, some sectors focused on physical assets while others, such as IT, focused on “functions” the sector provides. Although this effort led to the development of the “Tier 1 and Tier 2” lists, efforts to fully integrate the various sector risk assessments and understand interdependencies fizzled.
However, last summer the Department of Homeland Security announced that it was adjusting its national risk management approach by deploying a functions-based approach. This is a significantly improved approach to addressing the national risk management puzzle. While physical security remains a core component of sound risk management, a functions-based approach is the most appropriate model for national risk management since it better recognizes the interconnectedness of our critical infrastructure and economy.
To understand the difference between the approaches, let’s consider a hypothetical scenario. If the headquarters of a bank is destroyed in a fire, it certainly is bad news for that bank. However, the ability of that bank to continue to service customers likely will be minimally impacted since customers could still visit branches to deposit and withdraw money. Credit card payments would still be processed, and online banking would still be available.
However, consider the disruption that would be caused if that same bank lost the ability to process transactions. The function of processing transactions is more important than the asset of the physical bank building. In the same way, the global headquarters of an IT company might be destroyed in an earthquake, without disrupting the service or function that company provides. Their software or service will still work despite their headquarters being destroyed.
One advantage of the functions-based approach is that it helps prioritize what matters at the national and even global level. A functions-based approach helps identify the critical from the important. Further, it will more easily identify interdependencies across sectors and throughout the economy. This will enable more informed consequence management planning.
The IT-ISAC is proud to have chaired the development of the functions based IT Sector Baseline Risk Assessment. We continue to actively engage with the IT Sector Coordinating Council in its work with DHS to identify critical national functions. This is an important project, and we are optimistic about where it will lead.
Scott Algeier is the Executive Director of the IT-ISAC.