Managing Risk: Why It's a Hot Topic

NIST's Ron Ross Tackles the Risk Management Framework

By , December 14, 2010.

Many organizations - whether in government or the private sector - are exploring the establishment of a risk management framework as a critical element of how they safeguard their information technology assets.

This is especially true in these financially challenged times because the basic reason to implement IT security is to protect an organization's core undertakings and business operations. "That's the real reason we do security, is to protect those missions, to make sure we can have mission success, and the business can go on, whether it's e-commerce or whether it's protecting a key federal operation," says Ron Ross, a senior computer scientist at the National Institute of Standards and Technology who heads NIST's Federal Information Security Management Act compliance project and serves as principal architect of NIST's risk management framework.

Ross, in an interview, says the risk management framework helps organizations decide which security controls are the best ones to apply to "get the best bang for our buck."

"That really, to me, is what the risk management framework does best," Ross says, "help decision makers come to credible, risk-based decisions on how they should protect their organizations."

In the interview, conducted by Eric Chabrow, Ross:

  • Outlines the genesis and core principles behind the risk management framework;
  • Explains how the risk management framework can involve organizational business leaders to help develop and support IT security initiatives; and
  • Addresses how organizations can get started in implementing a risk management framework.

The Department of Commerce, which oversees NIST, this fall awarded Ross and five colleagues - Kelley Dempsey, Peggy Himes, Arnold Johnson, Marianne Swanson and Patricia Toth - gold medals for significantly improving U.S. computer security by designing, developing and disseminating the risk management framework in support of the Federal Information Security Management Act.

Ross also supports the State Department in the international outreach program for information security and critical infrastructure protection. He previously served as the director of the National Information Assurance Partnership, a joint activity of NIST and the National Security Agency.

A graduate of the United States Military Academy at West Point, Ross served in a variety of leadership and technical positions during his 20-year career in the Army. While assigned to the National Security Agency, he received the Scientific Achievement Award for his work on an interagency national security project and was awarded the Defense Superior Service Medal upon his departure from the agency. He's a two-time recipient of the Federal 100 award for his leadership and technical contributions to critical information security projects affecting the federal government. During his military career, Ross served as a White House aide and as a senior technical advisor to the Department of the Army.

Last year, the Information Systems Security Association named Ross its distinguished fellow, the group's highest tribute, for his leadership in the development of influential information security documents.

Ross is a graduate of the Program Management School at the Defense Systems Management College and holds a master's degree and a Ph.D. in computer science from the United States Naval Postgraduate School.

Please check out earlier interviews conducted with Ross:

Follow Eric Chabrow on Twitter: @GovInfoSecurity
