While many cybersecurity officials strive to achieve “no risk” when it comes to cyber risk management, officials from NASA this week explained that’s just not possible and suggested that agencies instead focus on managing risks that are important to the mission.
At the NASA SEWP (Solutions for Enterprise-Wide Procurement) SCRM Hybrid Forum 2022 on May 24, Joanne Woytek, program manager for the NASA SEWP program, explained that cyber risk management does not mean achieving zero risk.
“Risk is the important word,” Woytek said. “That is one of those keywords that people keep forgetting when they talk about this issue. It’s ‘how do I get no risk?’ and you can’t. You have to look at what’s important to the mission, versus what security is needed to then make sure it’s secure and what the level is at.”
“And certainly when you’re dealing with the entire government, there’s so many different ranges of what matters and doesn’t matter,” she added.
Renee Wynn, former chief information officer at NASA, agreed with Woytek and emphasized that it’s “critical” to understand the supply chain risk process before putting software onto one’s network.
“You have to understand what you’re deploying with that and you’ve got to get visibility. You aren’t going for no risk. You still have risk,” Wynn said. “We take risks all the time and we sometimes take blind risks.”
Wynn compared taking a blind risk to taking a ride on a bicycle or skateboard as a kid and skinning a knee after jumping over something for the first time. While that decision has “a little bit of blind risk,” Wynn said it’s about looking at the risk of possibly getting hurt and making a risk-based decision.
“What you want to do with supply chain risk management from a cybersecurity perspective… is take a look at [what] your risks are and then make a risk-based decision based on the data that is going to run through those systems and based on the use that you might have,” she said.
Wynn explained that there are differences in risk-based decisions in terms of data and users. For example, she said software in a mission control center is “very different than software being used in a scientific mission because the data for scientific missions are going to flip out to the public in 24 hours.”
“You really do have to take a look at all of that information to make a risk-based decision and then make adjustments to your controls,” Wynn said. “And in some cases, you’re going to say ‘I’m not going to use that particular product,’ because you might not actually be able to put in enough controls to guarantee that you know what’s going on with your data and that your monitoring tools will pick up if there’s an anomalous behavior.”