I had the opportunity to listen to Dr Ross’ keynote at the opening of UTC’s Annual Conference in Phoenix last week. His ‘TACIT‘ approach can be used and adopted by any organization looking to protect themselves from cyber and supply chain threats. Here’s a quick excerpt:
T – Threat – Understand the constantly changing/modern threat
A – Assets – Understand the criticality of your assets and prioritize them to know how to apply the appropriate level of rigor and hardening. You cannot protect everything 100%.
C – Complexity – Understand where your problems lie. Technology has never been more affordable or accessible – we’ve built complex fortresses that make it very difficult to find where the networks begin and end. In this, the problems are difficult to track in a linear fashion, making mitigation programs complex to implement. Our #1 job in security is to reduce the complexity!
I – Integration – We need to integrate our cyber professionals into all business processes vs. making them a cost-center all unto themselves. Part of the challenge is that we don’t current view cyber security as part of every business process – we are more apt to view cyber security as ‘one more thing’ we need to be aware of or activity to do. No! This just drives up the cost and opportunity for later impact.
T – Trustworthiness – We need to increase the trustworthiness of the suppliers we work with as well as the products we buy. It is only by following the initial 4 steps listed above that we will be able to make advances on the ever developing and advancing threat.
Knowing that the cleanup is ALWAYS more expensive than any up front investment in security, TACIT may lead many of our readers towards the path of better choices.
________________
Dr. Ron Ross is a Fellow at the National Institute of Standards and Technology (NIST). His current areas of specialization include information security and risk management. Dr. Ross leads the Federal Information Security Management Act (FISMA) Implementation Project, which includes the development of security standards and guidelines for the federal government, contractors, and the United States critical information infrastructure. His recent publications include Federal Information Processing Standards (FIPS) Publication 199 (security categorization standard), FIPS Publication 200 (security requirements standard), NIST Special Publication (SP) 800-53 (security controls guideline), NIST SP 800-53A (security assessment guideline), NIST SP 800-37 (security authorization guideline), NIST SP 800-39 (risk management guideline), and NIST SP 800-30 (risk assessment guideline). Dr. Ross is the principal architect of the Risk Management Framework and multi-tiered approach that provides a disciplined and structured methodology for integrating the suite of FISMA standards and guidelines into a comprehensive enterprise-wide information security program. Dr. Ross also leads the Joint Task Force Transformation Initiative, a partnership with NIST, the Department of Defense, the Intelligence Community, the Office of the Director National Intelligence, and the Committee on National Security Systems to develop a unified information security framework for the federal government.
The Supply Chain Risk World 