Ron Ross on Revised Security Controls
Video Interview: NIST's Risk Mgt. Guru Explains SP 800-53

NIST's latest guidance on security controls adds new areas that reflect the rapidly changing computing environment - advanced persistent threat, cloud computing, insider threat, mobility and privacy, to name a few - but the rudiments of implementing those controls haven't changed.
"The fundamentals of cybersecurity - I call it the physics of security - don't change over time," National Institute of Standards and Technology Senior Fellow Ron Ross says in a video interview with Information Security Media Group. "How we apply those controls ... is a little bit different, but the same fundamentals."
NIST last month published a draft of Special Publication 800-53 Revision 4: Security and Privacy Controls for the Federal Information Systems and Other Organizations, which was written by a team of institute computer scientists led by Ross [see NIST Updating Catalog of Controls].
In the interview on the new guidance, Ross explains why some organizations find it tough to implement controls, pointing out that it can be costly and that getting buy-in from non-technology agency and business leaders is a challenge for IT security managers. But, he says, organizations that get their information risk management infrastructure in place find it easier over time to identify and decide which security controls to implement.
"It's like building a house," Ross says. "Laying the concrete is the toughest part. Once you got the foundation, the house goes up and everything hopefully comes out well."
Ross leads NIST's Federal Information Security Management Act compliance team. A graduate of the United States Military Academy at West Point, Ross served in a variety of leadership and technical positions during his 20-year career in the Army. During his military career, Ross served as a White House aide and as a senior technical advisor to the Department of the Army. He is a graduate of the Program Management School at the Defense Systems Management College and holds a master's degree and a Ph.D. in computer science from the United States Naval Postgraduate School.