- Donald E. Hester
Managing Cyber Risks in Local Government: The Need for Comprehensive Risk Management Programs
As the world continues to move towards digital government, there is a growing need to ensure that cybersecurity is adequately addressed. This requires a comprehensive risk management program that is integrated into an organization's overall enterprise risk management program. One way to do this is to incorporate a cyber risk assessment into budget requests and staff reports to demonstrate that the impact of proposals has been fully assessed, including any associated cyber risks.
When staff present new solutions or innovations to the council or board, they should anticipate questions about cyber risks and their mitigation plans. In local government, staff usually prepare a staff report - essentially a business justification - to seek approval from the council or board. Such reports typically highlight the benefits that the solution will bring to the organization, focusing on innovation, efficiency, and effectiveness, and sometimes linking them to the organization's mission, goals, or objectives. They also describe the financial impact of the solution, which is necessary. However, what is often missing is a clear identification of the risks associated with the solution and how staff plan to address them.
To begin informing the board about cyber risk, one effective approach is to include a brief cyber risk assessment in the budget request, thus integrating cyber risk into the staff report. Staff members should demonstrate their understanding of the complete impact of the proposal and justify the expenditure based on both the risks and the benefits it will bring to the organization. This shows their awareness of the cyber risks that the proposal may introduce.
Different stakeholders have different concerns when it comes to risk management. The council is concerned about receiving well-considered proposals from staff. The public wants to ensure that their tax dollars are being utilized efficiently. Investors want to ensure that the government can avoid unforeseen losses.
To have a clear understanding, it is important to recognize that cybersecurity is an organization's way of responding to cyber risks. Equally important is the recognition that cyber risk is a business risk, not just an IT issue. Cyber risks need to be managed like any other enterprise risk, and there are established frameworks like COSO that can guide organizations in dealing with such risks.
To ensure effective cyber risk management, it is not sufficient to evaluate risks only at the time of procurement, because cyber risks are constantly evolving. Councils should therefore follow the guidance of the COSO framework, which calls for periodic cybersecurity risk assessments. All five of the framework's components should be applied to cybersecurity risk management: control environment, risk assessment, control activities, information and communication, and monitoring activities.
One crucial factor to take into account is highlighted in the ICMA article "A Look at Local Government Cybersecurity in 2020," which notes that city managers often downplay risks when communicating with councils. It is therefore essential for councils to ask challenging questions about cyber risks and to establish a framework and audits that ensure cyber risks are identified and addressed. This is no different from how local governments are advised to tackle financial risks.
The COSO framework is a widely recognized and applied risk management framework that comprises five internal control components and 17 related principles. Boards and councils can use the COSO framework to help them oversee cyber risk management by aligning it with their strategy, execution, and monitoring activities. For example, boards can use COSO principles to develop a cyber risk assessment process that identifies and evaluates cyber threats, establishes risk tolerances, and implements control activities to mitigate cyber risks.
ICMA article "A Look at Local Government Cybersecurity in 2020"
The article discusses the importance of cybersecurity for local governments and highlights some of the key challenges they face. It notes that cybercriminals often target local governments due to their perceived vulnerability and that they may lack the resources to protect themselves adequately. The article recommends that local governments implement a comprehensive cybersecurity strategy that includes employee training, risk assessments, and regular security audits. It also suggests that local governments consider partnering with other organizations and sharing information about cybersecurity threats and best practices.
COSO-guided Cybersecurity: Risk Assessment
This article explains how to use the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework to perform a cybersecurity risk assessment. The framework consists of five interrelated components: control environment, risk assessment, control activities, information and communication, and monitoring activities. The article provides guidance on how to apply each component to cybersecurity risk management and offers examples of how the framework can be used to identify and mitigate cyber risks. The article emphasizes the importance of integrating cybersecurity risk management into the organization's overall risk management strategy and processes.
Using the COSO Framework to Mitigate Cyber Risks
This article discusses how the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework can be used to help organizations mitigate cyber risks. It outlines the five components of COSO: control environment, risk assessment, control activities, information and communication, and monitoring activities. The article also provides specific examples of how each component can be applied to address cyber risks. Additionally, the article emphasizes the importance of having a comprehensive cyber risk management program that is integrated into an organization's overall enterprise risk management program.