FCW : September 15, 2013
too common at many departments scrambling to protect their IT assets. "Our problems are bureaucratic, institutional, systemic," said Ron Ross, senior computer scientist and information security researcher at the National Institute of Standards and Technology. "Integrating security into architecture, the system development life cycle, systems engineering processes and acquisition...would go a long way [toward] enhancing cybersecurity. When you get to the point where security is done because people recognize it's central to the mission and success, then we've crossed that Rubicon and we're looking at security not as a cost but more as an investment in our productivity, survivability and everything needed to compete today."

Unfortunately, the word "investment" is a major stumbling block because it means money, a precious resource in a climate of sequestration and budget cuts. But that climate can also be a stepping stone to better cybersecurity, Ross said.

"Program managers and mission and business owners care about schedule, cost and performance," he said. "So how do you get all of this started? You have to look for forcing functions to start down the road to thinning the herd or reducing complexity. The current declining budget and frustrations we're enduring at the federal level [are] a great forcing function for reducing the costs of IT infrastructure."

Society as a whole, including the government, is swimming in IT. It is cheap and powerful, and as a result, everyone has more of it than they really need, Ross said.

"Studies show [that] a lot of what we procure we never deploy or use effectively," he said. "This is where to focus on simplifying architecture: When you use things like enterprise architecture, you...consolidate, standardize and optimize the IT infrastructure. You build a leaner and meaner IT infrastructure. That simpler architecture provides more efficient services, is less expensive to deploy and maintain, and provides security professionals [with] a better opportunity to protect what we own and deploy."

But how can departments and companies get to that improved architecture? As at NASA, security professionals need to have a seat at the table, whether that is a boardroom or the boss' office. All too often, the people in charge of information security are not part of the decision-making process.

"NASA builds their spacecraft with integrated project teams," Ross said. "Every stakeholder sits around the table, and the mission doesn't move forward until every stakeholder has given a thumbs-up. Our security teams and people need to be stakeholders at the table in order to integrate the important cybersecurity concepts, principles and technologies into the systems early in the life cycle and not as an afterthought."

If threats and security are part of the plan from the beginning, administrators have a much better chance of protecting systems when they do come under attack, and NASCAR drivers have a better chance of surviving when they experience a high-speed crash. That survivability is a key metric for determining the strength of an agency's defenses.

"In our business, when you talk about risk management and risk assessment, you deal with four things: threats, vulnerabilities, impact to the organization if threats are exploited and how likely threats are to be exploited," Ross said. "In NASCAR, the threat is the 200 mph race car potentially hitting the wall. NASCAR [officials don't] sit around wringing their hands about the threat. They can't reduce the speed; they wouldn't have any fans in the stands. So they build the threat into the business model."

The latest strategy came after the 2001 death of Dale Earnhardt Sr. in a fiery crash at the Daytona 500. He was the fourth NASCAR driver to die in a nine-month period. Later that year, NASCAR officials mandated the use of head-and-neck restraints and other safety measures, and since then, no driver has died from a neck injury sustained in a race, Ross said.

Those safety measures successfully addressed a critical NASCAR vulnerability, and the story underscores the need for agencies to move beyond patching systems, configuring firewalls and locking down components. Those all-important housekeeping duties do not go far enough, Ross said.

"We can control only what we can control," he said. "We can't control the threat or the adversary or the attacks. What we can control is how we build and architect our systems to be stronger and more penetration-resistant. I'm passionate about integrating that into enterprise architecture, with the security team working right there as a partner ensuring security controls are in place. Until we do that, security will be an afterthought."