
Who we are

Hello, I'm Sonya Lowry. Over the course of six years of research and development with the University of Arizona, I developed a methodology that enables shared responsibility for cybersecurity.


With the results in and the findings exceeding all expectations, I'm now helping organizations in both the public and private sectors to realize the same benefits. 

“If you think technology can solve your security problems, then you don’t understand the problems, and you don’t understand the technology.”

- Bruce Schneier

Federated Cyber-Risk Management: An Origin Story


Even in cybersecurity, necessity can breed invention. As the Director of Information Security Compliance at the University of Arizona Information Security Office (UA ISO), I found myself grappling with a paradoxical situation. Our centralized team was responsible for managing cyber risks across the entire university, yet we lacked the resources and context to effectively address the diverse needs of each department. It was daunting enough to keep me awake at night, wondering how we could possibly bridge this gap.


Amidst this struggle, a glimmer of hope emerged during a series of discussions with IT Directors from various units. As I traveled across the Tucson and Phoenix campuses, visiting departments ranging from the records archive to the poison control center, I was struck by the untapped potential within these teams. The IT Directors possessed a deep understanding of the risks they faced and a keen awareness of the consequences that could unfold if those risks were left unaddressed, but felt helpless to act.


During these meetings, I felt a profound sense of empathy for their situation. Like many of them, I had experienced the frustration of being unheard and the pressure of navigating complex risks with limited resources. They were threading a delicate needle, striving to convince budget owners to take cybersecurity seriously while simultaneously working to prevent incidents with the tools they had available.


As I delved deeper into the root causes of our challenges, it became clear that the lack of clarity around risk ownership was a central issue. Many resource owners assumed that the CISO held sole responsibility for cybersecurity, while the CISO recognized the impossibility of managing resources she often didn't even know existed with budgets she didn't control. This dynamic led to a breakdown in communication and collaboration, with IT Directors caught in the middle, fearing they would be scapegoated if a breach occurred.


It was in this context that the idea for what would one day evolve into the Federated Cyber-Risk Management (FCR) approach began to take shape. I envisioned a model where risk management would become a shared responsibility, with each unit empowered to assess and address their own unique risks and resource owners understanding their responsibilities.


Over the course of years, I developed methods and tools and iterated with early adopters until it was clear that we were onto something big and that it deserved my full attention. With that in mind, I left the university so I could dedicate all of my time to figuring out how shared responsibility for cyber-risk management could be made manifest. With my departure, the collaboration didn't end, though. The University of Arizona remained my first test subject and a key partner.


Eventually, we hit the major milestone I was waiting for. The University of Arizona achieved 100% participation. That meant the security team had developed well-defined partnerships with all of the qualifying units, meaning those with resources to protect. All 59 units had formed their own cross-functional risk management teams, had surveyed their areas to identify resources, and were actively managing cyber risk for those resources.


A key element of FCR is centralized orchestration: all 400 of the security plans being managed across the university were coordinated with the central teams, and the security team could generate metrics and reports that helped them understand the needs of their newfound community of collaborators.


Unexpectedly, because we designed tools specifically to enable the new methodology and put them to work at the university, the security team didn't need to hire additional people to make this happen. They don't even have anyone assigned full time to cyber risk management and, amazingly, were able to launch four new programs to assist their collaborators with mitigations using the time they saved compared to their prior approach.


The cherry on top, though, is that the approach has changed the culture at the university, making stakeholders more cybersecurity-aware and shifting the mindset from security as a barrier to security as a shared responsibility.


Now, years after this initial realization, I am using the experiences I've gained and the process tools I developed to help other organizations realize the same benefits faster.
