Dark Reading is part of the Informa Tech Division of Informa PLC

7/23/2019
07:00 AM
Terry Sweeney
DHS's Bob Kolasky Goes All in on Risk Management

As director of the DHS's National Risk Management Center, measuring and managing risk for critical infrastructure across 16 industrial sectors, Kolasky stands at a busy crossroads.

As head of the federal National Risk Management Center (NRMC), Bob Kolasky stands at a busy crossroads: It's where government and industry intersect, as do policy goals and real-world constraints. But it also allows Kolasky to flex considerable muscle in an important security discipline: measuring and managing risk.

"I'm good at being able to cross different disciplines," says Kolasky, who adds he frequently bridges technical and intellectual issues into policy. "Obviously, I'm closer to the policy process now. But one of the challenging things I work with are experts in 16 different critical infrastructure – security, electrical grids, voting machines, banks – and they all know how that stuff works better than I do."

Still, he enjoys being part of the mechanisms that allow government and industry to work together, all in the name of reducing risk and improving security. "I like to speak risk language rather than security language so as not to overplay a threat or incident or stifle the ability of security professionals to do their work," Kolasky says. "I'm also not a technical person, so understanding business and policy and connecting that to risk helps me evaluate and make decisions."

As director of the NRMC (part of the Cybersecurity and Infrastructure Security Agency, which is itself part of the Department of Homeland Security), Kolasky oversees cross-sector risk management for cyber and physical threats to the 16 sectors the government considers critical infrastructure (energy, communications, and manufacturing, among others). The center's main mission is to offer a central venue for government and industry to talk, share, and plan where operational and strategic risk management are concerned.

'Lasting Public Value'
After college, Kolasky worked in journalism, then got a master's degree in public policy focusing on macroeconomics. He worked on homeland security issues during three years at Booz Allen as an analyst and has spent the past 10 years in various risk management positions within the federal government.

"I've wanted to spend my career doing something meaningful and to contribute to lasting public value," Kolasky says. "But I'm not somebody who equates working for the government as the only way to be a public servant or create public value. You can do that in the private sector, too."

He believes risk management and critical infrastructure can be viewed from a couple of different perspectives. One is to examine the extent to which entities within a sector are interconnected. "The more interconnected they are, the more cyber-risk is created," he explains, adding he factors in how concentrated the sector is – a few players or thousands of entities, for example. 

Kolasky also views risk through the prism of how regulated a sector is. "Regulated entities work differently with government and have a different understanding of security and risk," he says. The legal frameworks under which these organizations are licensed or operate typically translate to higher security standards, not to mention greater reporting and transparency.

One of Kolasky's notable efforts to bring more risk mindedness to a sector occurred in the aftermath of the 2016 presidential election, when there was a lot of debate about whether the election infrastructure was critical infrastructure. The head of DHS at the time, John Kelly, tried to reach out to state and local officials, but it didn't go well, according to Kolasky. 

"I started in 2017 trying to rebuild that relationship from mistrust and distrust and use lessons from other critical infrastructure. I talked to secretaries of state, and it wasn't a pleasant conversation," Kolasky says. He acknowledged the distrust in some of those conversations, but also emphasized his risk management experience in other sectors and belief in the ability to work together.  

"The information the US had [about Russian meddling in the election] wasn't perfect, so we had to work on educating ourselves about what we had and didn't, and work through the protocols of information sharing and communication," he explains.

He says it was important to address the fear of federal overreach and also deliver something valuable. "We saw the best results when our partners saw there was something of value here and that they could communicate to their constituents to secure elections and fulfill their responsibilities," he says. 

Bigger picture? "If you can do all that in the moment of stress, you can do it all in moments of less stress to reduce risk and improve security," Kolasky adds. 

PERSONALITY BYTES

• What his co-workers don't know about him: I actually know how to relax.

• Electronic must-haves: Podcasts, big-screen TV.

• Favorite hangout: Buck's Fishing and Camping or somewhere else for dinner, drinks, and good conversation.

• Comfort food: Something I cook myself (pasta bolognese being my first choice).

• On his music playlist right now: New Josh Ritter album (Fever Breaks), always Bruce Springsteen.

• Ride: 2013 Toyota Prius

• After hours: Kids' sports fields – soccer, basketball, and baseball to watch my three children, 15, 13, 10.

• Favorite team: Washington Nationals.

• Signature style: Whatever is in my closet/drawers.

• Actor who would play Kolasky in film: Jason Segel.

• Next career after security: Entrepreneurship.


Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ...

 
