From: FierceGovernmentIT
By David Perera
A computer scientist at the National Institute of Standards and Technology says the advent of advanced persistent threats means years of lip service to the idea of integrated system security must be replaced with real action.
The notion of incorporating security risk-mitigating measures early in critical system development and implementation, in order to ensure trustworthiness and resilience in the face of almost inevitable attacks by determined hackers who can push past network defenses, is hardly new.
“We talk about ‘baking it in’ and ‘building it in’; we’ve been running those phrases by for two or three decades now. We always say it, but we never do it,” said Ron Ross, head of the Federal Information Security Management Act Implementation Project at NIST. Ross, who oversees revisions of the NIST special publications guiding agency cybersecurity risk management and security controls, is promoting integrated security in a series of speeches internationally and domestically.
Security should be a by-product of good design and development, Ross believes. “Ideally, the discipline of computer security would go away. If we were really successful, it would be so tightly integrated into mainstream processes, we wouldn’t even be talking about security as a separate discipline,” he said during an interview.
To address the organizational and cultural obstacles to building security in from the outset, Ross is promoting a concept he dubs “TACIT,” which stands for “Threat, Assets, Complexity, Integration, Trustworthiness.”