Part 2: Roundtable Discussion on Info Risks for the New Year

By Eric Chabrow

As organizations move to continuously monitoring their IT systems to assure they’re secure, they rely much more on automated processes. But don’t forget the role people play.

“Certainly, we can’t do this job of continuous monitoring without automation,” NIST Senior Computer Scientist Ron Ross says in the second of a two-part roundtable discussion on information risk management in the new year. Automation “is a necessary piece, but not sufficient, because there are a lot of things that only humans can do and humans do best.” Processes to continuously monitor insider threats require human intervention. “The combination of these activities really will work well to do what we would call a very robust continuous monitoring program,” Ross says.

In the second of a two-part roundtable discussion, moderated by Information Security Media Group’s Eric Chabrow, the four panelists discuss: 

  • Scoring employees on how effectively they implement IT security.
  • Communicating information risk challenges to senior executives and other non-IT and IT security personnel.
  • Exploiting research as well as solutions offered by other industries to improve the information risk framework process.

The four panelists are: 

    Ron Ross, chief author of Special Publication 800-53, NIST’s security controls guidance, who leads the institute’s Federal Information Security Management Act compliance team. A graduate of the United States Military Academy at West Point, Ross served in a variety of leadership and technical positions during his 20-year career in the Army. During his military career, Ross served as a White House aide and as a senior technical advisor to the Department of the Army. He is a graduate of the Program Management School at the Defense Systems Management College and holds a master’s and Ph.D. in computer science from the United States Naval Postgraduate School. 

    John Carlson, executive vice president of BITS with oversight of the organization’s cybersecurity and fraud prevention initiatives. Carlson also leads public-private collaborative efforts for BITS on the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security, where he serves on the executive committee and is co-chair of the council’s policy committee. He is a former managing director of Morgan Stanley, focusing on supplier risk management, new product approval, environmental risk and standardization of board-approved policies. Earlier in his career, Carlson worked at the Office of the Comptroller of the Currency, the White House Office of Management and Budget, the Federal Reserve Bank of Boston and the United Nations Center for Human Settlements. He holds a master’s in public policy from the Kennedy School of Government at Harvard University and a BA from the University of Maryland. 

    George Moore, who joined the State Department in November 2006 as chief computer scientist, and works directly for Chief Information Security Officer John Streufert. Moore was a key member of the State Department team that raised the department’s IT security grade from an F to a B as assessed by the Office of Management and Budget and Congress, while cutting costs by 62 percent. His focus was on being an agent of change and finding simple, smart and direct ways to comply with the Federal Information Security Management Act and OMB requirements and improve security. Moore has worked for several federal agencies since 1973, including the Peace Corps and the United States Agency for International Development, where he helped boost its OMB grade from an F to an A+. Moore holds a doctor of science degree from Johns Hopkins University and a master’s degree from Cornell University. 

    Rebecca Herald, a principal at Rebecca Herald and Associates who advises organizations in many fields, including healthcare, on information privacy, security and compliance. She has authored about a dozen books and numerous articles and is an adjunct professor at Norwich University’s information assurance graduate program. Herald co-founded a service aimed at helping healthcare organizations and their business associates to meet their HIPAA, HITECH and other information security and privacy compliance and risk mitigation requirements. 

In Part 1 of the roundtable discussion (see Complexity Is Major Info Risk Challenge), the panelists tackle the information risk management challenge of complexity. Mobile and cloud computing, new technologies, outsourcing and growing threats from malware and people make managing risk more complex.

The discussion may be heard here.