Full Program »
Distinguished Practitioner Keynote
Wednesday, 5 December 2012
08:45 - 10:00
Opening up a Second Front on Risk Management: Integrating Cyber Security Requirements into Main Stream Organizational Mission and Business Processes
Ron Ross, Fellow, National Institute of Standards and Technology, USA
For decades, we have been developing comprehensive cyber security standards and guidelines in both the public and private sectors. Yet, despite our best efforts, we have yet to realize the full potential of the standards, guidelines, and associated technologies because of an inability to fully integrate cyber security requirements into main stream organizational governance structures and mission/business processes--the way business is conducted.
We continue to treat cyber security as if it is distinct from enterprise architecture, the system development life cycle, systems engineering processes, and acquisition/procurement processes. Cyber security programs, initiatives, and investments must be closely linked to the routine cost, schedule, and performance objectives that are the main focus of mission/business owners and program managers. Senior leaders must be able to effectively manage risks within their enterprises in an age of sophisticated cyber adversaries and advanced persistent threats so that investment decisions and tradeoff analyses can address the whole spectrum of information security risks affecting organizational missions and business operations. All levels of management must be held accountable for managing cyber security risks as an integral part of their duties.
The National Institute of Standards and Technology (NIST), in developing its cyber security and risk management publications, is attempting to change the strategic focus on cyber security investments to support risk management decisions at the enterprise level. This strategic focus is exemplified by the Joint Task Force Transformation Initiative, a partnership among NIST, the Department of Defense, and Intelligence Community, to develop a unified information security framework for the federal government, its contractors, and the critical information infrastructure. A key component of the security framework will address the issues of trustworthy computing, information system resilience, and methods to increase the level of assurance in commercial information technology products and systems.
Ron Ross is a Fellow at the National Institute of Standards and Technology (NIST). His current areas of specialization include information security and risk management. Dr. Ross leads the Federal Information Security Management Act (FISMA) Implementation Project, which includes the development of security standards and guidelines for the federal government, contractors, and the United States critical information infrastructure. His recent publications include Federal Information Processing Standards (FIPS) Publication 199 (security categorization standard), FIPS Publication 200 (security requirements standard), NIST Special Publication (SP) 800-53 (security controls guideline), NIST SP 800-53A (security assessment guideline), NIST SP 800-37 (security authorization guideline), NIST SP 800-39 (risk management guideline), and NIST SP 800-30 (risk assessment guideline). Dr. Ross is the principal architect of the Risk Management Framework and multi-tiered approach that provides a disciplined and structured methodology for integrating the suite of FISMA standards and guidelines into a comprehensive enterprise-wide information security program. Dr. Ross also leads the Joint Task Force Transformation Initiative, a partnership with NIST, the Department of Defense, the Intelligence Community, the Office of the Director National Intelligence, and the Committee on National Security Systems to develop a unified information security framework for the federal government.
In addition to his responsibilities at NIST, Dr. Ross supports the U.S. State Department in the international outreach program for information security and critical infrastructure protection. Dr. Ross previously served as the Director of the National Information Assurance Partnership, a joint activity of NIST and the National Security Agency. A graduate of the United States Military Academy at West Point, Dr. Ross served in a variety of leadership and technical positions during his over twenty-year career in the United States Army. While assigned to the National Security Agency, he received the Scientific Achievement Award for his work on an inter-agency national security project and was awarded the Defense Superior Service Medal upon his departure from the agency. Dr. Ross is a three-time recipient of the Federal 100 award for his leadership and technical contributions to critical information security projects affecting the federal government and is a recipient of the Department of Commerce Gold and Silver Medal Awards. Dr. Ross has been inducted into the Information Systems Security Association (ISSA) Hall of Fame and given its highest honor of ISSA Distinguished Fellow. Dr. Ross has also received several private sector cyber security awards and recognition including the Vanguard Chairman's Award, the Symantec Cyber 7 Award, InformationWeek's Government CIO 50 Award, Best of GTRA Award, and the ISACA National Capital Area Conyers Award. During his military career, Dr. Ross served as a White House aide and as a senior technical advisor to the Department of the Army. Dr. Ross is a graduate of the Defense Systems Management College and holds Masters and Ph.D. degrees in Computer Science from the U.S. Naval Postgraduate School specializing in artificial intelligence and robotics.