Ron Ross is someone you might consider a superstar in the arena of cybersecurity. His lengthy resume includes leading the task force that developed the Unified Information Security Framework for the federal government.
Ross was recently interviewed by Forbes and dubbed the “Most Influential Cybersecurity Guru to the U.S. Government.”
Two important discussion points from that interview were an international standard for security frameworks and the importance of business leaders understanding TACIT security, an acronym for Threat, Assets, Complexity, Integration and Trustworthiness.
International engineering standard for attack surface
Have you heard the term “attack surface” before? This cybersecurity phrase refers to the growing exposure created by ever more complex information technology infrastructure as we add more Internet of Things devices, more software, more operating systems and, with them, more possible zero-day vulnerabilities. A zero-day vulnerability is a vulnerability that is not yet publicly known and that becomes a threat once cybercriminals discover and exploit it. As the attack surface expanded and zero-day vulnerabilities increased, a standard was drafted to help software engineers prevent these threats. The standard is called “System Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems.” Some of its goals include:
Put risk management frameworks in place from the start of development (some operating systems consist of fifty million lines of code!);
Avoid shipping to consumers without frameworks in place;
Use the systems and software engineering standard ISO/IEC/IEEE 15288;
Follow the 30 process steps from the standard to build out tasks and activities that integrate security tightly into existing processes, both technical and non-technical;
Improve risk management, configuration management and quality assurance;
Comply with HIPAA, GLBA, FISMA and other regulations.
The five legs of TACIT security
Threat: The world we live in has transformed from paper-based to digital. High technology enables an incredible increase in productivity and business success but brings with it serious threats and cyberattacks. Business leaders need to understand which threats affect their organization by doing risk assessments: what happens if it happens to you?
Assets: Information technology infrastructure brings complexity with all of its layers of components, applications, frameworks and so on. Can you define your business’s critical assets? Did you know that all government agencies are required to categorize their information systems as low, moderate or high impact? Once you’ve identified your critical assets, take additional steps to safeguard them.
Complexity: Our systems and networks have become so complex that they have outgrown our ability to fully understand how to protect them. Your business should actively work to reduce complexity through well-designed enterprise architecture: consolidate, optimize and standardize your IT. Cloud computing can also help reduce complexity.
Integration: Embed security personnel into the organization, instead of keeping them siloed within the IT department. Get them involved in processes where they haven’t been before, such as acquisitions.
Trustworthiness: Build systems with penetration resistance as the top priority. Use technology built for this purpose, such as two-factor authentication and data encryption.
Ultimately, your business’s success in cybersecurity comes down to you. What is your plan for protection, prevention and recovery? Make sure that you understand both the threats and the technology needed to secure the critical assets in your business. Think of it like red-zone defense in football: you put specific tactics in place for the most important areas of your business so that if a threat gets close to your end zone, you can hold it off.