Complexity: Key Task for Security Pros
Part 1: Roundtable Discussion on Info Risks for the New Year
"We see this as being fairly debilitating in regards to implementing good cybersecurity programs," Ron Ross, senior computer scientist at the National Institute of Standards and Technology, says in a roundtable discussion on new trends in information risk management. "We're trying to get a handle through enterprise architecture and some of our good developmental techniques to reduce the level of complexity so our cybersecurity professionals can have a better opportunity to defend what we do have."
In the first of a two-part presentation of the roundtable, the panelists discussed:
- Implementing continuous monitoring programs.
- Managing risk of widespread use of mobile technology.
- Handling the human element of information risk management.
The four panelists are:
- Ron Ross is chief author of Special Publication 800-53, NIST's security controls guidance, and leads the institute's Federal Information Security Management Act compliance team. A graduate of the United States Military Academy at West Point, Ross served in a variety of leadership and technical positions during his 20-year career in the Army. During his military career, Ross served as a White House aide and as a senior technical advisor to the Department of the Army. He is a graduate of the Program Management School at the Defense Systems Management College and holds a master's and a Ph.D. in computer science from the United States Naval Postgraduate School.
- Rebecca Herold, principal at Rebecca Herold and Associates, advises organizations in many fields, including healthcare, on information privacy, security and compliance. She has authored about a dozen books and numerous articles and is an adjunct professor in Norwich University's information assurance graduate program. Herold co-founded a service aimed at helping healthcare organizations and their business associates meet their HIPAA, HITECH and other information security and privacy compliance and risk mitigation requirements.
- George Moore joined the State Department in November 2006 as chief computer scientist, working directly for Chief Information Security Officer John Streufert. Moore was a key member of the State Department team that raised the department's IT security grade from an F to a B, as assessed by the Office of Management and Budget and Congress, while cutting costs by 62 percent. His focus was on being an agent of change and finding simple, smart and direct ways to comply with the Federal Information Security Management Act and OMB requirements and improve security. Moore has worked for several federal agencies since 1973, including the Peace Corps and the United States Agency for International Development, where he helped boost its OMB grade from an F to an A+. Moore holds a doctor of science degree from Johns Hopkins University and a master's degree from Cornell University.
- John Carlson is executive vice president of BITS, with oversight of the organization's cybersecurity and fraud prevention initiatives. Carlson also leads public-private collaborative efforts for BITS on the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security, where he serves on the executive committee and is co-chair of the council's policy committee. He is a former managing director of Morgan Stanley, focusing on supplier risk management, new product approval, environmental risk and standardization of board-approved policies. Earlier in his career, Carlson worked at the Office of the Comptroller of the Currency, the White House Office of Management and Budget, the Federal Reserve Bank of Boston and the United Nations Center for Human Settlements. He holds a master's in public policy from the Kennedy School of Government at Harvard University and a BA from the University of Maryland.
Among the topics discussed in the second part of the roundtable discussion is automating the information risk management process.