Federal Reserve System CISO on aligning cyber risk management with transparency, trust

In this Help Net Security interview, Tammy Hornsby-Fink, CISO at Federal Reserve System, shares how the Fed approaches cyber risk with a scenario-based, intelligence-driven strategy. She explains how the Fed assesses potential disruptions to financial stability and addresses third-party and cloud service risks.

Hornsby-Fink also discusses how federal collaboration supports managing systemic threats and strengthens operational resilience.

As CISO of the Federal Reserve System, how do you assess and prioritize national-scale cyber threats that could impact financial stability?

At the Federal Reserve we take a scenario-based, intelligence-informed approach to assessing cyber threats, particularly those with the potential to disrupt financial stability. We strive to understand how evolving threats, particularly those targeting financial services and critical infrastructure, could impact our mission. We also collaborate closely with federal agencies and industry stakeholders.

To prioritize, we use an enterprise cyber risk register that maps threats to potential business and operational impacts. This helps us identify systemic risk, such as ransomware, supply chain compromise, or cloud service disruptions, and to evaluate their potential to cascade across interconnected systems. These insights directly inform investment decisions, helping us to allocate resources to the area of highest risk and greatest strategic importance. We also conduct regular exercises and cyber simulations to validate our assumptions and refine our response strategies, ensuring we remain agile and prepared in a rapidly evolving threat landscape.

How do you balance the need for strong cybersecurity controls with the Fed’s mandate for transparency and public accountability?

Transparency and security are both foundational to public trust, and I view them as complementary rather than competing priorities. Key to this balance is to build transparency into our governance by actively engaging with oversight bodies and maintaining open lines of communication with stakeholders.

At the same time, we maintain a sound security program which includes rigorous access controls, data classification, and continuous monitoring to ensure sensitive information remains protected.

How do you define and measure “operational resilience” in the context of the Fed’s technology and cyber risk landscape?

To me, operational resilience means the Federal Reserve can continue to fulfill its mission – even in the face of significant cyber or operational disruptions. It can be defined as the ability to anticipate, withstand, recover from, and adapt to adverse events, whether they stem from cyberattacks, system failures, or external events.

We measure resilience through technical metrics like recovery time objectives (RTOs), detection and response times, and the percentage of essential functions with ransomware-resilient backup and restoration capabilities. Our strategy also includes cultural and structural shifts that align cybersecurity with business agility. Aligning security to move at the speed of business has enabled faster service delivery, improved flexibility, and increased operational resiliency by 70%.

Is there anything you’d like to see improved in the current cyber threat intelligence sharing ecosystem?

There has been meaningful progress in cyber threat intelligence sharing, particularly in fostering collaboration between the public and private sectors. However, there is still room for improvement. One key area is the need for more actionable, contextualized intelligence for smaller organizations that may lack the resources to interpret raw data or invest in premium threat intelligence feeds.

Standardization of formats, real-time sharing mechanisms, and better understanding of the legal protections for contributors would also enhance the ecosystem. As a CISO, I’ve found that building trusted relationships across sectors is essential. These relationships foster the kind of open, timely communication that is critical to staying abreast of emerging threats. I believe that encouraging more bidirectional sharing – where recipients of cyber threat intelligence also contribute insights – would further enrich the ecosystem and improve our collective ability to detect and respond to threats.

With the Fed’s reliance on a complex vendor and partner ecosystem, how do you manage third-party and fourth-party risk, especially with regard to cloud services?

Managing third- and fourth-party risk is an important part of our cybersecurity program. At the foundation is a holistic vendor management program that monitors the overall health and performance of our vendors. We implemented a centralized vendor threat assessment service that provides comprehensive insights into vendor risk, enabling business lines to make informed decisions quickly and confidently. We also emphasize continuous monitoring, relationship management, and performance assurance to ensure that vendors meet our evolving expectations.

While the basics of managing third- and fourth-party risk continue to apply, we made enhancements for cloud service providers. These include integrating resiliency criteria into the acquisition process, developing vendor-specific contingency plans, and identifying exit triggers to guide timely transitions when risk thresholds are exceeded.

What advice would you give to CISOs across critical infrastructure sectors?

Start with resilience. While compliance is important, it is not sufficient. Focus on building systems and teams that can adapt, recover, and grow stronger. Resilience should be embedded into your strategy, operations, and culture.

Invest in your people. Technology is essential, but your team is your most valuable resource. Prioritize training, mentorship, and a culture of continuous learning to keep your workforce engaged and prepared. Empower your teams to innovate and take ownership of security outcomes.

Understand your dependencies. Map out your critical systems and vendors so you are not caught off guard during a disruption. Visibility into and understanding of systems and processes are important to effective risk management and informed decision making.

Practice your response. Run exercises, test your plans, and learn from every experience. The more you prepare, the more confident and capable the organization will be when it matters the most. Resilience is built through preparation, collaboration, and a shared commitment to excellence.

And lastly, remember that leadership through influence, trust, and communication is just as important as technical expertise.