As head of the federal National Risk Management Center (NRMC), Bob Kolasky stands at a busy crossroads: It's where government and industry intersect, as do policy goals and real-world constraints. But it also allows Kolasky to flex considerable muscle in an important security discipline: measuring and managing risk.
"I'm good at being able to cross different disciplines," says Kolasky, who adds he frequently bridges technical and intellectual issues into policy. "Obviously, I'm closer to the policy process now. But one of the challenging things I work with are experts in 16 different critical infrastructure – security, electrical grids, voting machines, banks – and they all know how that stuff works better than I do."
Still, he enjoys being part of the mechanisms that allow government and industry to work together, all in the name of reducing risk and improving security. "I like to speak risk language rather than security language so as not to overplay a threat or incident or stifle the ability of security professionals to do their work," Kolasky says. "I'm also not a technical person, so understanding business and policy and connecting that to risk helps me evaluate and make decisions."
As director of the NRMC (part of the Cybersecurity and Infrastructure Security Agency, which is itself part of the Department of Homeland Security), Kolasky oversees cross-sector management of cyber and physical risks to the 16 sectors the government considers critical infrastructure (energy, communications, and manufacturing, among others). The center's main mission is to offer a central venue for government and industry to talk, share, and plan where operational and strategic risk management are concerned.
'Lasting Public Value'
After college, Kolasky worked in journalism, then earned a master's degree in public policy focusing on macroeconomics. He worked on homeland security issues during three years at Booz Allen as an analyst and has spent the past 10 years in various risk management positions within the federal government.
"I've wanted to spend my career doing something meaningful and to contribute to lasting public value," Kolasky says. "But I'm not somebody who equates working for the government as the only way to be a public servant or create public value. You can do that in the private sector, too."
He believes risk management and critical infrastructure can be viewed from a couple of different perspectives. One is to examine the extent to which entities within a sector are interconnected. "The more interconnected they are, the more cyber-risk is created," he explains, adding he factors in how concentrated the sector is – a few players or thousands of entities, for example.
Kolasky also views risk through the prism of how regulated a sector is. "Regulated entities work differently with government and have a different understanding of security and risk," he says. The legal frameworks under which these organizations are licensed or operate typically translate to higher security standards, not to mention greater reporting and transparency.
One of Kolasky's notable efforts to bring more risk-mindedness to a sector occurred in the aftermath of the 2016 presidential election, when there was a lot of debate about whether election infrastructure counted as critical infrastructure. The head of DHS at the time, John Kelly, tried to reach out to state and local officials, but it didn't go well, according to Kolasky.
"I started in 2017 trying to rebuild that relationship from mistrust and distrust and use lessons from other critical infrastructure. I talked to secretaries of state, and it wasn't a pleasant conversation," Kolasky says. He acknowledged the distrust in some of those conversations, but also emphasized his risk management experience in other sectors and belief in the ability to work together.
"The information the US had [about Russian meddling in the election] wasn't perfect, so we had to work on educating ourselves about what we had and didn't, and work through the protocols of information sharing and communication," he explains.
He says it was important to address the fear of federal overreach and also deliver something valuable. "We saw the best results when our partners saw there was something of value here and that they could communicate to their constituents to secure elections and fulfill their responsibilities," he says.
Bigger picture? "If you can do all that in the moment of stress, you can do it all in moments of less stress to reduce risk and improve security," Kolasky adds.
• What his co-workers don't know about him: I actually know how to relax.
• Electronic must-haves: Podcasts, big-screen TV.
• Favorite hangout: Buck's Fishing and Camping or somewhere else for dinner, drinks, and good conversation.
• Comfort food: Something I cook myself (pasta bolognese being my first choice).
• On his music playlist right now: New Josh Ritter album (Fever Breaks), always Bruce Springsteen.
• Ride: 2013 Toyota Prius
• After hours: Kids' sports fields – soccer, basketball, and baseball to watch my three children, 15, 13, 10.
• Favorite team: Washington Nationals.
• Signature style: Whatever is in my closet/drawers.
• Actor who would play Kolasky in film: Jason Segel.
• Next career after security: Entrepreneurship.