Dr. Ron Ross, a senior computer scientist and information security researcher at the National Institute of Standards and Technology (NIST), knows cybersecurity is a complicated task for organizations. But by following three steps -- simplify, specialize and integrate -- the public and private sector alike can implement effective online security controls, he says.
In this four-part SearchCompliance webcast, Ross joins Theresa M. Grafenstine, Inspector General at the U.S. House of Representatives, to discuss cybersecurity strategy. Here in part three, Ross explains the "simplify, specialize and integrate" approach to cybersecurity.
Theresa Grafenstine: We have all these challenges, whether it's threat-based, or based on whether or not we have good enterprise architecture. Our workforce demands flexibility with social media and mobile devices. What do we do to change course? I've heard you use the phrase simplify, specialize and integrate. Let's talk a little bit about that, because I think that those are probably the key ingredients to righting this ship.
Ron Ross: Well, as you said earlier, cybersecurity can be absolutely overwhelming. We have our federal agencies always trying to hire more people because the job is so enormous. It's very complicated. Sometimes it's good to take a step back and say, 'How do we get our arms around this problem?' I use these three terms as kind of a metaphor: simplify, specialize and integrate. I think if we take away nothing more from today's webinar, these are the three things that I would focus on.
We've talked about simplify. When you talk about simplification, think about enterprise architecture and reducing complexity. Having less IT is really a good goal. I call it the big spring housecleaning. Going through the house and throwing out all the clothes that don't fit and all the stuff you don't need and haven't used for the last five years. We have a lot of that equivalent on the IT side. We may not think so, but when you actually analyze your organization -- what boxes you have, what systems you have, how they're being used, what's the percentage of uptime utilization -- you're going to find that this is not as difficult as it seems.
Grafenstine: As IT professionals, it's almost counterintuitive. We love our IT stuff. You want us to get rid of it?
Ross: We may not want to do this, but with the budgets leveling off or getting smaller, we're going to be forced to do more with less. And it's not just the cost of buying the IT. When you reduce that number of components, you get an initial reduction in cost, but you get huge long-term savings. We are increasing the number of privacy and security controls from about 600 to well over 850. Most folks say, 'I can't possibly deploy all those controls in my systems; I just don't have the bandwidth to do that, or the resources.'
Specialization is now necessary. We've got a new construct in our publication called overlays. Overlays allow you to take this vast catalog of controls and specialize -- which means you can select the controls that are important to your specific mission, your environment of operations and the technologies that you might deploy.
A good example is the FedRAMP program -- the Federal Risk and Authorization Management Program. The FedRAMP program defined a set of security controls for low- and moderate-impact systems that are going to be in the cloud. It's a statement of specification that goes to all cloud providers. They can then take that, implement those controls, and have those assessed for effectiveness and provide confidence that those controls are actually working in the cloud environment. That's an example of an overlay for cloud computing.
We're also building overlays for mobile. We've got overlays being built for privacy. There is an unlimited set of overlays that can be built from this large bin of security controls. The challenge for us is to make sure that at the NIST level, we keep that parts bin as current as we can to make sure that every time there's a new threat out there, we develop a defensive measure for that threat. It can then go into our security controls that you can then select and deploy in some kind of a defensive posture when that threat might be trying to exploit your vulnerabilities.
Grafenstine: So at this point now, we're into integrating.
Ross: The integration part points to the NASA example I talked about. I mentioned those four areas which are now on this slide: architecture, engineering, lifecycle and acquisition. Those are active areas within every organization. If you go into any one of those areas, you're probably going to find that enterprise architects, engineers, lifecycle folks and acquisition folks don't speak cybersecurity very well. And as cybersecurity folks, we don't speak their language very well.
Again, this goes against the grain of most organizations. When I talk about what's going to get us healthy long term with regard to cybersecurity, there are two words I use. One is leadership, and one is innovation. Leadership at the top is going to require that the head of the agency or the CEO actually embed those security professionals in these four areas. Force that integrated project team to operate as a unit. If you don't do that, your cybersecurity requirements are never going to get integrated into that lifecycle process and time. So, at the end of the build process when the system is getting ready to go operational, you're going to be asking all the cybersecurity questions at the wrong time. You can't do anything about it at that point in time.
In fact, I would argue that the reason we're in the shape that we're in today is that a lot of our systems that we've built and deployed are indefensible because of the way they've been built, architected and engineered. We're asking our CSOs and CIOs to do an impossible task. We've got to give them the ability to be successful. In order to do that, we've got to have the right systemic components in play, which is why simplify, specialize and integrate are more on the organizational side, the systemic side of the house. It can't just be solved by throwing more security controls at the problem.
Grafenstine: As we get into the next slide, you have a framework. We talked about integrating these different aspects of the business unit. Organizations are not going to exist if they can't work together towards a cohesive goal. Can we walk through this next slide and talk about sort of the strategic risk focus, and how everybody plays a role in this?
Ross: This is one of my favorite slides. It comes out of Special Pub 800-39, which is the enterprisewide risk management process. This construct was developed to make the point to organizations that if you want to build a good risk-management and cybersecurity program -- and this goes across whether it's public sector or private sector -- we're all pretty much the same with regard to these cultural aspects. You've got to start at the top of the organization.
We defined a three-tiered organizational construct. The first tier we call the organizational governance layer. This is where the organization develops what I call the risk management strategy. How are you going to assess risk within the organization? What kind of tools and techniques are you going to use? How do you evaluate the risks that you discover that you have? What's the organization's risk tolerance? In other words, when do you know that you've deployed a sufficient number of controls to protect the mission? How much risk are you willing to accept before you put your core missions and business operations into undue jeopardy?
Now, that strategy of tier one then is pushed down to tier two. This is where we start talking about enterprise architecture and the mission and business processes that are feeding the architecture. At tier one, you were also able to prioritize all of your core missions and business operations. Everything can't be important in an organization, or nothing's important. That prioritization then spawns the risk management strategy that pushes into tier two. That drives the development of the enterprise architecture and those specific mission and business processes.
Out of tier two, we get a roadmap for how we build the information systems in tier three that are going to support those core missions and business operations. The problem we've had is that we started this whole cybersecurity discussion a decade or two ago at tier three. We started to focus on the information-system level. What happened is the enterprise got bigger and more and more systems proliferated. We had officials authorizing and accrediting these individual systems without having the enterprisewide view of the problem.
When you do that, you really frustrate the people in the trenches because, as I said earlier when we talked about the Netflix, Intel and ADP example, those CEOs had a discussion with their cybersecurity professionals and that was a tier one discussion. When Netflix was talking about the necessity to protect its intellectual property, it was a boardroom discussion. We've got this construct to help guide organizations and help them have the right discussions at the right point in time.
Grafenstine: I think those are all excellent points. It's got to be a team approach. Basically, managing risk doesn't mean we're going to fix everything.
Ross: You can't fix everything. There's not enough money. But you do have to conduct a risk assessment, and understand what your various responses to that [are]. You can mitigate. You can fix stuff. You can accept the risk. You can reject the risk. You can share the risk with other organizations.
Grafenstine: NIST has a great risk management framework if we want to kind of walk through that.
Ross: This is really, to me, one of the most useful constructs that we've put. This is out of our Special Pub 800-37. This is the new certification and accreditation process. It's now called the risk management framework. It's much more lifecycle based.
The way this is used by most organizations is that security professionals work with the business owners to figure out how valuable the data is to the business' mission. How critical and sensitive is my data? If I lose that data, what kind of effect is it going to have on my mission and business operations? That categorization decision drives your control selection in step two. You implement the controls in step three.
You go through an assessment to figure out if the controls you selected and deployed are actually effective and doing what they're supposed to do. Then there's that risk-acceptance decision -- we call that the authorization decision. Then we go into our step six, which is the ongoing or continuous monitoring. I accepted this risk today. How do I look tomorrow, one week from now, one month from now? What's my current risk posture look like? And what am I going to do about the changes that normally happen in our environment? How do we stay healthy long term?
Grafenstine: We've covered a lot of things. I think your overall strategy is talking about defense in depth. Can we go over that a little bit?
Ross: Defense in depth really is a powerful concept. The slide is divided in two halves here. On the right-hand side we have what I call the technical control areas. Those are the things that typically appear in hardware, software and firmware; in the black box, so to speak: access control, two-factor authentication and encryption. We all know what those are.
In the other column are things more in the management and operational areas. A lot of people today think that the greatest strength that we can put into our systems is on the technical side. In reality, to have a full defense-in-depth program, it's always about people, processes and technologies working together. On the left-hand side you'll see things like having security awareness and a solid training program. Make sure your people understand what their responsibilities are when it comes to going to websites and clicking on URLs that bring in what I call a boatload of malware into the organization. It's just basic stuff that we should all know and do in our sleep: having a good risk assessment, completing a contingency plan. That's critically important, especially if we know we can't stop all cyberattacks. Having that contingency plan developed and exercised, and making sure everybody knows what their responsibilities are, you can actually put it into place. Those are the things that represent the balanced defense-in-depth approach that is really critical to every organization.