Risk Management: How to Put Theory into Practice. That's the title of a panel discussion I'm moderating Wednesday morning, Feb. 27, at the RSA security conference in San Francisco.
What do I mean by theory? Theory, in this case, represents guidance and standards, such as the National Institute of Standards and Technology Special Publication 800-30: Guide for Conducting Risk Assessments, and SP 800-37: Guide for Applying the Risk Management Framework to Federal Information Systems.
I'm sure my friends at NIST can make a persuasive argument that their guidance goes beyond theory and represents practical advice to minimize risk. But when I talk to IT security practitioners - most of whom praise the work NIST performs, including its guidance - they admit that they struggle at times with the detailed information found in the special publications and other guides produced by the Commerce Department institute.
The purpose of our panel is to bring together the "theorist" with the practitioners to discuss and identify ways to implement the information risk management framework in a straightforward way.
The "theorist" on our panel is NIST's top information risk guru, Ron Ross, the key author of a number of NIST special publications focused on information risk management. Ross leads the institute's FISMA Implementation Project, playing a key role in setting cybersecurity requirements for federal agencies. Ross, a NIST fellow, heads a joint task force to develop a unified security framework for defense, civilian and intelligence agencies in the U.S. federal government.
The practitioners on the panel are John Streufert, director of federal network resilience at the Department of Homeland Security, and Justin Somaini, onetime chief information security officer at security provider Symantec and web portal Yahoo.
Streufert earned the reputation as one of the federal government's top CISOs when he developed a risk scoring program as deputy chief information officer at the State Department.
Somaini, at Symantec, implemented its first information security enterprise risk management process. At Yahoo, he drove the first relationship between corporate business goals and security initiatives, a vital component of risk management.
Preparing for the panel discussion, the three IT security and information risk management experts identified topics that we intend to discuss in detail at RSA:
- Providing leadership for information risk framework implementation.
- Assessing risk in a volatile environment.
- Mitigating conflicting approaches.
- Defining roles of the CISO and other executives and managers in deploying the framework.
- Keeping stakeholders informed about the progress of the initiative.
- Determining how corporate or agency culture affects risk.
- Deciding how to execute an information risk management framework when resources are lacking.
If you're attending the RSA conference, please join us from 9:20 to 10:20 a.m. PST Wednesday in Room 133 in the Moscone Center. I promise you a riveting discussion.
One more thing: my Information Security Media Group colleague Tracy Kitten will moderate an RSA panel discussion on banking fraud. Her panel will address the question: When a business banking account is breached, who is liable - the customer whose credentials were stolen or the bank that failed to catch the transaction?
Panelists will also address the impact of recent court rulings. Panel members include fraud victim Mark Patterson of PATCO Construction; attorney Joseph Burton; Financial Services Information Sharing and Analysis Center President Bill Nelson; and fraud expert George Tubin.
Tracy's panel meets from 9:20 to 10:20 a.m. PST Thursday in the Moscone Center's Room 302.