To bring down cyber risk, GSA using power of the purse, Energy turns to new metrics
The General Services Administration and the Energy Department are taking two different paths to achieve the same goal—reducing cyber risk.

GSA is using the power of its procurement purse.

Energy is evaluating which investments in people, processes or technologies will bring its risk score down.

Emery Csulak, Energy’s chief information security officer, said that while the discussion about reducing cyber risk isn’t new, agencies now have a better understanding of how to mitigate and manage these challenges.

“We are trying to change that conversation. We are trying to figure out how best to apply quantified risk management. How can we evaluate whether or not a $1 million investment will give me $1 million in reduced risk to do a modernization project or will it give me a $30,000 reduction in risk? You have to be able to have those conversations,” Csulak said during the recent 930Gov conference, which was a Live Ask the CIO event. “At Energy, we are looking at how historically we’ve spent a lot of time teaching the CFO or COO about how we talk about IT security, but we’ve barely…