Cybersecurity has emerged as a key priority for information technology leaders. From the top levels of government, pressures are increasing to protect U.S. critical infrastructure and collaborate across sectors. But being secure isn’t just about thwarting attacks – it’s also about being prepared to react once you fall victim to a cyberattack.
Dealing with cybersecurity best practices was the main focus of a recent GovLoop live event held in Washington, D.C. Dr. Ron Ross, a fellow at the National Institute of Standards and Technology (NIST), keynoted the event — and gave his plan for how agencies can improve ways to manage cybersecurity risk.
“Cybersecurity as a discipline should go away and just be integrated within everything we do,” said Ross. “We shouldn’t walk down the hall and say, where’s the cybersecurity office? It should be everywhere in every process.”
For Ross, being prepared in cybersecurity terms is all about the understanding that security must be a byproduct of good design AND good development practices.
“In my first car, seat belts were optional. And a long time ago if I wanted to buy an airbag I had to pass on it, it was $500,” said Ross. “Today, all that is mandatory and part of the design of the automobile. Consumers don’t have to worry about it. Why can’t you deliver consumers the same level of protection for our security systems?”
Ross argues that in order to create this standard of integrated cybersecurity protection for consumers and agencies, you must address five main themes: threat, assets, complexity, integration and trustworthiness — which form the acronym TACIT.
Threat: “We must develop a better understanding of the modern threat including capability of our adversaries to launch sophisticated targeted cyberattacks that exploit specific vulnerabilities,” said Ross. This also includes external and insider threat assessments.
Assets: Ross said that organizations must conduct a comprehensive criticality analysis of organizational assets including information and information systems, and subdivide high, moderate and low impact levels to provide greater fidelity on risk assessments.
Complexity: “We have to reduce the complexity of the information technical infrastructure including IT component products and information systems,” said Ross. “Employ cloud computing architectures to reduce the number of IT assets that need to be managed. If we don’t get a handle on this we will continue to see all of these vulnerabilities that you see every day.”
Integration: Ross advised integrating information security requirements, and the security expertise of individuals, into your organization’s development AND management processes.
Trustworthiness: “Invest in more trustworthy and resilient information systems supporting organization missions and business functions,” said Ross. “Isolate critical assets into separate enclaves, implement solutions with greater strength of mechanisms, and increase developmental and evaluation assurance.”
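To make the Assets theme concrete, here is a small criticality analysis written as an added example; it is not code from the article or from Dr. Ross. It rates each asset for confidentiality, integrity and availability, assigns an overall high, moderate or low impact level, and ranks assets so the most critical ones are examined first. The asset names and ratings are constructed, and the rule that the overall level is the highest of the three ratings (the FIPS 199 “high-water mark”, which the article itself does not mention) is an assumption of the example.

```python
# Added example (not from the GovLoop article or Dr. Ross): a small criticality
# analysis that assigns each asset a low/moderate/high impact level and ranks
# assets so the highest-impact ones get attention first.
# Assumption: the overall level is the FIPS 199 "high-water mark", i.e. the
# highest of the confidentiality, integrity and availability ratings.
# All asset data below is constructed for illustration.

from dataclasses import dataclass

LEVELS = {"low": 1, "moderate": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def ratings(self):
        return (self.confidentiality, self.integrity, self.availability)


def impact_level(asset):
    """Return the overall impact level using the high-water-mark rule.

    Rejects unknown ratings rather than silently treating them as low,
    since a typo in a rating sheet should not quietly demote an asset.
    """
    for r in asset.ratings():
        if r not in LEVELS:
            raise ValueError(f"{asset.name}: unknown rating {r!r}")
    return NAMES[max(LEVELS[r] for r in asset.ratings())]


def criticality_ranking(assets):
    """Sort assets by overall impact (high first), then by how many of the
    three ratings are 'high', then by name so the output is stable."""
    def key(a):
        highs = sum(1 for r in a.ratings() if r == "high")
        return (-LEVELS[impact_level(a)], -highs, a.name)
    return sorted(assets, key=key)


def group_by_level(assets):
    """Bucket asset names into the three impact tiers, ranked within each tier."""
    groups = {"high": [], "moderate": [], "low": []}
    for a in criticality_ranking(assets):
        groups[impact_level(a)].append(a.name)
    return groups


# Constructed sample inventory, not real systems.
SAMPLE_ASSETS = [
    Asset("hr-records-db", "high", "moderate", "moderate"),
    Asset("public-website", "low", "moderate", "moderate"),
    Asset("payroll-system", "moderate", "high", "high"),
    Asset("cafeteria-menu", "low", "low", "low"),
]

if __name__ == "__main__":
    for a in criticality_ranking(SAMPLE_ASSETS):
        print(f"{a.name:16} {impact_level(a)}")
```

Splitting the inventory into tiers this way is what lets a risk assessment treat the payroll system differently from the cafeteria menu; the ranking within the high tier (payroll before HR records, because two of its three ratings are high) is the extra fidelity Ross describes.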
“Cybersecurity is the great challenge of the 21st century without a doubt in my mind,” said Ross. “The question today is: are we prepared to do the heavy lifting, or just continue down the easy road without worrying? Keep in mind: two thirds of attacks are off your radar. We’re going to have to do something different if we want a different outcome.”