Ron Ross on Revised Security Controls

Video Interview: NIST's Risk Mgt. Guru Explains SP 800-53
Ron Ross on Revised Security Controls

NIST's latest guidance on security controls adds new areas that reflect the rapidly changing computing environment - advanced persistent threat, cloud computing, insider threat, mobility and privacy, to name a few - but the rudiments of implementing those controls haven't changed.

See Also: Roadmap for Identity Management in the Modern Organization

"The fundamentals of cybersecurity - I call it the physics of security - don't change over time," National Institute of Standards and Technology Senior Fellow Ron Ross says in a video interview with Information Security Media Group. "How we apply those controls ... is a little bit different, but the same fundamentals."

NIST last month published a draft of Special Publication 800-53 Revision 4: Security and Privacy Controls for the Federal Information Systems and Other Organizations, which was written by a team of institute computer scientists led by Ross [see NIST Updating Catalog of Controls].

In the interview on the new guidance, Ross explains why some organizations find it tough to implement controls, pointing out that it can be costly and getting buy-in from non-technology agency and business leaders presents a challenge to IT security managers. But, he says, organizations that get their information risk management infrastructure in place find it easier over time to identify and decide which security controls to implement.

"It's like building a house," Ross says. "Laying the concrete is the toughest part. Once you got the foundation, the house goes up and everything hopefully comes out well."

Ross leads NIST's Federal Information Security Management Act compliance team. A graduate of the United States Military Academy at West Point, Ross served in a variety of leadership and technical positions during his 20-year career in the Army. During his military career, Ross served as a White House aide and as a senior technical advisor to the Department of the Army. He is a graduate of the Program Management School at the Defense Systems Management College and holds a master and Ph.D. in computer science from the United States Naval Postgraduate School.

About the Author

Eric Chabrow

Eric Chabrow

Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow, who oversees ISMG's GovInfoSecurity and InfoRiskToday, is a veteran multimedia journalist who has covered information technology, government and business. He's the former top editor at the award-winning business journal CIO Insight and a long-time editor and writer at InformationWeek.

Around the Network