Budgets are a big issue today for those managing their risk management frameworks, says NIST's Ron Ross, who offers his advice on using cloud as a means to save money and improve IT infrastructure.
Ross, a senior fellow at the National Institute of Standards and Technology, encourages the use of automation to increase consistency, effectiveness and timeliness of security control implementation within organizations. However, he points out that some automation tools are very expensive.
To overcome certain challenges, he encourages enterprises to consider a cloud approach, which allows for standardization, optimization and consolidation in the IT infrastructure.
"When you translate that it means you build a leaner and meaner infrastructure which hopefully can save significant amounts of money with regard to the IT that an organization deploys," he says in an interview [transcript below], excerpted from a webinar he conducted for Information Security Media Group entitled Risk Management Framework: Learn from NIST.
Reducing an enterprise's digital footprint reduces complexity and makes what remains easier to manage. The money saved through the cloud, Ross says, can be reinvested into stronger cybersecurity measures, including automated tools.
"Make a list of the things that are most important," he says. "Buy those automated tools first and they're going to give you the greatest return on your investment."
In the webinar, Ross shares his insights on how to:
- Understand the current cyberthreats to public and private sector organizations;
- Develop a multi-tiered risk management approach built upon governance, processes and information systems;
- Implement NIST's risk management framework, from defining risks to selecting, implementing and monitoring information security controls.
Ross - lead author of NIST Special Publications 800-30 and 800-37, the authoritative guidance on risk assessment and management - specializes in security requirements definition, security testing and evaluation and information assurance. He leads NIST's Federal Information Security Management Act Implementation Project, which includes the development of key security standards and guidelines for the federal government and critical information infrastructure.
He also heads the Joint Task Force Transformation Initiative Working Group, a joint partnership with NIST, Defense Department, intelligence community and Committee on National Security Systems, to develop a unified information security framework for the federal government.
Ross serves as the architect of the risk-management framework that integrates the suite of NIST security standards and guidelines into a comprehensive enterprise security program.
ERIC CHABROW: In your webinar, you spoke of encouraging the use of automation to increase consistency, effectiveness and timeliness of security control implementation. But many organizations today are under severe budget restraints. How expensive are these automated tools and how can those managing their risk management framework justify the additional costs to their bosses?
RON ROSS: [It's a] big issue today - budgets - and making sure we're lean and mean and cost-effective is going to be the order for everybody. Automated tools, some are very expensive. Some are not expensive. They have a range of different prices across the board. There are different types of tools to do different things. Some can check your inventory by doing a scan of the network looking at all the different pieces on the network. You can have a scanning tool that would look at the different configuration settings.
My advice where you're concerned about resources is that instead of going out and bringing a laundry list of things to the boss that you want to buy that may or may not pass muster, I think you have to go back to the three tiers on the risk management process in 800-39 and look at them. At tier two, we talk about the enterprise level, enterprise architecture today, and this also relates to cloud computing. Enterprise architecture allows us to standardize, optimize and consolidate the IT infrastructure. When you translate that it means you build a leaner and meaner infrastructure which hopefully can save significant amounts of money with regard to the IT that an organization deploys. If you can demonstrate those good savings with enterprise architecture and possibly go into cloud computing where we have ranges of different cloud deployment models from public to private to hybrid to community, cloud computing can save a considerable amount of resources as well.
That's where I would start, because if you can reduce the digital footprint it reduces and allows us to manage complexity. We can save money on the IT infrastructure and then possibly reinvest some of that money into stronger cybersecurity measures to include some of the automated tools. Now that doesn't mean you have to wait until you re-engineer the entire enterprise architecture. I would just be very judicious in which tools you select. Make a list of the things that are most important. Buy those automated tools first and they're going to give you the greatest return on your investment and then rack and stack like everybody always has to do when we have to make tough decisions. That's the way I would recommend starting the process.
Cloud Approach to Risk Management
CHABROW: You mentioned cloud computing. How does cloud computing change the way organizations approach the risk management framework?
ROSS: This applies whether it's a public or a private cloud on each of those ends of the spectrum. It's about not having all of the information resources owned by the individual's organization. Whether it's applications, computing power, secondary storage space or the facility that houses all of the IT, all of that in cloud computing can be done in an on-demand type of a process. If you look at all the IT we own and operate today, there are a lot of dead times. The IT is not being used 24/7 in most cases. That's one of the greatest, I think, drives toward the cloud computing model.
It's kind of like "just-in-time" in the supply business where you only keep enough supplies on hand to manage your business activities day-to-day. You don't have a lot of excess inventory. That's the same principle and if you can do this in a very good enterprise architecture focus, which means you're streamlining the operation, consolidating, standardizing and optimizing all the IT assets, you then get a tighter group if you will. You get a much more effective way of deploying the information technology and that reduction in complexity can lead to better cybersecurity solutions. We in essence know a lot more about how the IT is connected, how it's working and we can deploy our safeguards and countermeasures more effectively. There's great promise in the cloud.
CHABROW: If you do your risk management assessment you could see where you're balancing the savings that the cloud offers with potential other risks, and then you can make an intelligent decision.
ROSS: This is all about building a trust relationship. Defining good sets of requirements for the providers, putting the expectations exactly where you want them and then having a process by which the providers can come back and tell you what they've done - that's the trust relationship that has to be there so any customer can feel good about sending their critical data out to that cloud system.