Bringing Risk Assessment In-House

Vermont Employs SQL Tool to Get Multidimensional View of Risk
Since becoming Vermont's first CISO three years ago, Kris Rowley has been on a quest to create an IT security culture in state government. Rowley's latest initiative, bringing risk assessment in-house, is helping build that culture.

Vermont had always used outsourcers to conduct risk assessments. That is changing, and doing the work in-house has many benefits, including building trust, Rowley says. "It helps to change the image of security," Rowley says in an interview. "People look at security as the bad guy. Security is always the one telling people, 'Oh, you can't do this or you can't do that.' We are historically the enforcers. It helps them understand why you're telling them they can't do things. ... It just builds a better collaborative relationship."

Employing a governance-risk-compliance platform from R-SAM - a SQL database that provides a centralized repository and framework documenting risks, controls and remediation activities - Vermont is beginning to conduct risk assessments of all of its agencies, a process that should be completed in 18 months. R-SAM gives Vermont officials a multidimensional view of the state's risk, versus the one-dimensional view offered by the paper reports issued by third-party contractors.
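To make the contrast between a static paper report and a queryable repository concrete, here is an added SQL example. It is not R-SAM's schema or Vermont's data: the tables, columns, status values and sample rows are all assumed for illustration. The point it shows is that once risks, controls and remediation items live in related tables, the same data can be rolled up per agency, per control status, or per open remediation item, rather than read once in the order a contractor wrote it.

```sql
-- Assumed, illustrative schema (not R-SAM's): one row per agency, risk,
-- control and remediation item, linked by foreign keys.
CREATE TABLE agency (
  agency_id INTEGER PRIMARY KEY,
  name      TEXT NOT NULL
);

CREATE TABLE risk (
  risk_id    INTEGER PRIMARY KEY,
  agency_id  INTEGER NOT NULL REFERENCES agency(agency_id),
  title      TEXT NOT NULL,
  likelihood INTEGER NOT NULL CHECK (likelihood BETWEEN 1 AND 5),
  impact     INTEGER NOT NULL CHECK (impact BETWEEN 1 AND 5)
);

CREATE TABLE control (
  control_id INTEGER PRIMARY KEY,
  risk_id    INTEGER NOT NULL REFERENCES risk(risk_id),
  name       TEXT NOT NULL,
  status     TEXT NOT NULL CHECK (status IN ('effective', 'partial', 'missing'))
);

CREATE TABLE remediation (
  remediation_id INTEGER PRIMARY KEY,
  control_id     INTEGER NOT NULL REFERENCES control(control_id),
  owner          TEXT NOT NULL,
  due_date       DATE NOT NULL,
  status         TEXT NOT NULL CHECK (status IN ('open', 'in_progress', 'closed'))
);

-- Constructed sample data for two hypothetical agencies.
INSERT INTO agency VALUES (1, 'Agency A'), (2, 'Agency B');
INSERT INTO risk VALUES
  (10, 1, 'Unpatched public web server', 4, 4),
  (11, 1, 'Shared administrator account', 3, 5),
  (12, 2, 'No offsite backups',           2, 5);
INSERT INTO control VALUES
  (100, 10, 'Monthly patch cycle',     'partial'),
  (101, 11, 'Named admin accounts',    'missing'),
  (102, 12, 'Nightly offsite backup',  'effective');
INSERT INTO remediation VALUES
  (1000, 100, 'Agency A sysadmin', '2011-12-31', 'in_progress'),
  (1001, 101, 'Agency A IT lead',  '2011-11-15', 'open');

-- Dimension 1: per-agency rollup. Risk score is likelihood * impact;
-- a control that is not 'effective' counts as weak.
SELECT a.name,
       COUNT(r.risk_id)             AS risks,
       MAX(r.likelihood * r.impact) AS worst_score,
       SUM(CASE WHEN c.status <> 'effective' THEN 1 ELSE 0 END) AS weak_controls
FROM agency a
LEFT JOIN risk    r ON r.agency_id = a.agency_id
LEFT JOIN control c ON c.risk_id   = r.risk_id
GROUP BY a.name;

-- Dimension 2: every open remediation item across all agencies,
-- ordered by the score of the risk it addresses, then by due date.
SELECT a.name, r.title, c.name AS control_name, m.owner, m.due_date, m.status
FROM remediation m
JOIN control c ON c.control_id = m.control_id
JOIN risk    r ON r.risk_id    = c.risk_id
JOIN agency  a ON a.agency_id  = r.agency_id
WHERE m.status <> 'closed'
ORDER BY r.likelihood * r.impact DESC, m.due_date;
```

The statements use only standard SQL and run unchanged in SQLite; the CHECK constraints keep status values consistent so later rollups across agencies compare like with like.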

R-SAM and a more collaborative relationship between IT security personnel and the agencies result in "a wonderful transfer of knowledge," Rowley says. "It allows the security person to interact with agencies and departments, and talk about security, talk about different aspects of security that aren't discussed when you have a third party working with them."

In the interview, Rowley discusses:

  • Initial steps to institute an in-house risk assessment program.
  • Roles IT security personnel and agencies perform using R-SAM to assess risk.
  • Lessons she learned from bringing risk assessment in-house.

A former nurse who changed her career after a back injury, Rowley earned a master of science degree in information assurance from Norwich University, and has served as Vermont CISO since September 2008.
