US Government Department Builds Cyber Risk Office

Guidehouse supported the US federal government with cybersecurity risk management
A major federal government department with a worldwide presence operated with decentralized technology and risk management governance. Internal and third-party reviews had found that it lacked strategic risk awareness and mitigation policies and that it had cyber hygiene problems. The organization was concerned that:

  • Neither senior leaders nor mission stakeholders were receiving cyber risk and impact data.
  • Cyber-related policies needed updating.
  • Cybersecurity defenses could be improved.
The department partnered with Guidehouse to identify and address its cybersecurity risk management issues. Guidehouse formed a multidisciplinary team spanning enterprise risk management, data analytics, change management, communications, and cybersecurity. Guidehouse developed a new communications schema based on National Institute of Standards and Technology (NIST) organizational risk guidance, enabling technical teams to share cyber and technology risk information with key stakeholders in language and framing that made the potential mission impacts clear. The team also developed a custom awareness campaign explaining why managing cyber risk matters to the enterprise. This resonated with mission and business leaders, helping address the department’s cyber hygiene issues and create buy-in across the organization.

In addition to lacking information on impacts, the department’s senior leadership was often not current on the cybersecurity risks the organization faced. To improve cybersecurity defenses and keep stakeholders informed, Guidehouse drew on metrics reporting and guidance from the Federal Information Processing Standards (FIPS) and NIST to promote a dynamic monitoring ecosystem. In collaboration with Guidehouse, the department also embedded cybersecurity risk management within its organizational structure: it created an enterprise cybersecurity risk management office charged with leading the identification, management, and monitoring of cybersecurity risk to its mission and business processes, an office Guidehouse describes as the first of its kind in the federal government.
The department was ready to move cybersecurity beyond a compliance exercise and approach it from a risk perspective. Stakeholders recognized the limits of the accepted compliance paradigm and the risk those limits posed to the mission, and they were prepared to break new ground, including creating what Guidehouse describes as the first cybersecurity risk management office within the federal government. Leaders, managers, and initiative owners at every level and in every geography, many from outside the information technology arena, participated in the cybersecurity project. This organization-wide willingness to engage with an organization-wide challenge helped build awareness, traction, and, ultimately, resilience.
