Distinguished Practitioner


Opening up a Second Front on Risk Management: Integrating Cyber Security Requirements into Mainstream Organizational Mission and Business Processes

Ron Ross, Fellow, National Institute of Standards and Technology, USA

For decades, we have been developing comprehensive cyber security standards and guidelines in both the public and private sectors. Yet, despite our best efforts, we have yet to realize the full potential of the standards, guidelines, and associated technologies because of an inability to fully integrate cyber security requirements into mainstream organizational governance structures and mission/business processes: the way business is conducted.

We continue to treat cyber security as if it is distinct from enterprise architecture, the system development life cycle, systems engineering processes, and acquisition/procurement processes. Cyber security programs, initiatives, and investments must be closely linked to the routine cost, schedule, and performance objectives that are the main focus of mission/business owners and program managers. Senior leaders must be able to effectively manage risks within their enterprises in an age of sophisticated cyber adversaries and advanced persistent threats so that investment decisions and tradeoff analyses can address the whole spectrum of information security risks affecting organizational missions and business operations. All levels of management must be held accountable for managing cyber security risks as an integral part of their duties.

The National Institute of Standards and Technology (NIST), in developing its cyber security and risk management publications, is attempting to change the strategic focus of cyber security investments to support risk management decisions at the enterprise level. This strategic focus is exemplified by the Joint Task Force Transformation Initiative, a partnership among NIST, the Department of Defense, and the Intelligence Community, to develop a unified information security framework for the federal government, its contractors, and the critical information infrastructure. A key component of the security framework will address the issues of trustworthy computing, information system resilience, and methods to increase the level of assurance in commercial information technology products and systems.

Ron Ross is a Fellow at the National Institute of Standards and Technology (NIST). His current areas of specialization include information security and risk management. Dr. Ross leads the Federal Information Security Management Act (FISMA) Implementation Project, which includes the development of security standards and guidelines for the federal government, contractors, and the United States critical information infrastructure. His recent publications include Federal Information Processing Standards (FIPS) Publication 199 (security categorization standard), FIPS Publication 200 (security requirements standard), NIST Special Publication (SP) 800-53 (security controls guideline), NIST SP 800-53A (security assessment guideline), NIST SP 800-37 (security authorization guideline), NIST SP 800-39 (risk management guideline), and NIST SP 800-30 (risk assessment guideline). Dr. Ross is the principal architect of the Risk Management Framework and its multi-tiered approach, which provides a disciplined and structured methodology for integrating the suite of FISMA standards and guidelines into a comprehensive enterprise-wide information security program. Dr. Ross also leads the Joint Task Force Transformation Initiative, a partnership among NIST, the Department of Defense, the Intelligence Community, the Office of the Director of National Intelligence, and the Committee on National Security Systems to develop a unified information security framework for the federal government.

In addition to his responsibilities at NIST, Dr. Ross supports the U.S. State Department in the international outreach program for information security and critical infrastructure protection. Dr. Ross previously served as the Director of the National Information Assurance Partnership, a joint activity of NIST and the National Security Agency. A graduate of the United States Military Academy at West Point, Dr. Ross served in a variety of leadership and technical positions during his more than twenty-year career in the United States Army. While assigned to the National Security Agency, he received the Scientific Achievement Award for his work on an inter-agency national security project and was awarded the Defense Superior Service Medal upon his departure from the agency. Dr. Ross is a three-time recipient of the Federal 100 award for his leadership and technical contributions to critical information security projects affecting the federal government and is a recipient of the Department of Commerce Gold and Silver Medal Awards. Dr. Ross has been inducted into the Information Systems Security Association (ISSA) Hall of Fame and given its highest honor, ISSA Distinguished Fellow. Dr. Ross has also received several private sector cyber security awards and recognitions, including the Vanguard Chairman's Award, the Symantec Cyber 7 Award, InformationWeek's Government CIO 50 Award, the Best of GTRA Award, and the ISACA National Capital Area Conyers Award. During his military career, Dr. Ross served as a White House aide and as a senior technical advisor to the Department of the Army. Dr. Ross is a graduate of the Defense Systems Management College and holds Master's and Ph.D. degrees in Computer Science from the U.S. Naval Postgraduate School, specializing in artificial intelligence and robotics.

Industry Keynote


Is Cloud Computing the End of Security and Privacy As We Know It?

Eran Feigenbaum, Director of Security, Google Enterprise

Cloud computing is a technology that is transforming how many of us do business today. However, there is still much speculation around the security and privacy implications of applications in the cloud. With speculation comes fear, and with fear come misinformation and myths. This keynote will address many of these myths and uncertainties about apps in the cloud. It will provide guidance on how businesses can evaluate cloud vendors from a security and privacy perspective and will offer a glimpse into how Google protects the data and the privacy of our users.

As the Director of Security for Google Enterprise, Eran defines and implements security strategy for Google's suite of Enterprise products. Prior to joining Google in 2007, Eran was the US Chief Information Security Officer for PricewaterhouseCoopers (PwC). At PwC, he led a team responsible for all aspects of network, server, application, and desktop computer security, as well as security policies, architectures, standards, and enforcement. Earlier, Eran spent several years designing and implementing high-performance cryptosystems for electronic commerce solutions for Fortune 1000 clients and government agencies. Eran holds a bachelor's degree in electrical and computer engineering from the University of California at Irvine and an MBA from Pepperdine University. In his spare time, he enjoys performing magic and mentalism and was featured on the NBC television show Phenomenon.

Invited Essayist


Trust Engineering — Rejecting the Tyranny of the Weakest Link

Susan Alexander, Director, Safe and Secure Operations, Intelligence Community Advanced Research Projects Activity (IARPA)

About ten years ago, NSA's soon-to-be Director of Information Assurance asked me, the soon-to-be Director of Information Assurance Research what we could do to deal with software, which was making more-frequent surprise (and unwelcome) guest appearances in security-critical systems. Today, the loss of control that made software so hard to trust then applies to the rest of the supply chain as well. The discipline whose name we coined in the 2002 internal paper, Trust-engineering: An Assurance Strategy for Software-based Systems, no longer seems heretical today, even at NSA. Ten years later, we revisit the principles of trust engineering, compare the mechanisms available to us today with the practices of the past, and explore the construction of systems that are stronger than their weakest link.

Susan Alexander is the Director of the Safe and Secure Operations (SSO) Office at IARPA, the Intelligence Community's advanced research arm. In pursuit of its goal of enabling IC missions to maneuver freely and effectively in a networked and often hostile environment, SSO sponsors research in information assurance, quantum information sciences, and advanced computing technologies and architectures.

After graduating from Yale, Susan trained as a cryptanalyst and worked extensively in foreign intelligence before turning to the harder problem of information assurance. In support of the latter mission she has also served as NSA's Associate Deputy Director for Information Assurance Strategy, Director of NSA's National Information Assurance Research Laboratory (NIARL), Chief Technology Officer for Cyber, Information and Identity Assurance in the Office of the Secretary of Defense, and senior advisor to the director of the Joint Interagency Cyber Task Force overseeing the Government's Comprehensive National Cybersecurity Initiative (CNCI).

Classic Book


Security Economics, Ten Years On

Ross Anderson, University of Cambridge, UK

Ross Anderson is Professor of Security Engineering at Cambridge and is known for seminal contributions to a number of areas of security engineering. In 2002 he presented at ACSAC the paper "Why Information Security is Hard - An Economic Perspective", which kicked off the study of security economics, a fast-growing discipline that models what is likely to go wrong with complex systems, measures what is actually going wrong, and comes up with ideas about what to do about it. He is also the author of the bestselling book "Security Engineering - A Guide to Building Dependable Distributed Systems".

Additional ACSA Events:
NSPW – New Security Paradigms Workshop
LASER – Learning from Authoritative Security Experiment Results