TACIT isn't a new approach to risk assessment, but in Ross' eyes it's a better way to employ existing tools to safeguard an organization's critical assets, the "things that really make a difference to the economic and national security interest of the country."
Today, Ross says in an interview with Information Security Media Group, organizations must do more to protect against the growing sophisticated cyber-attacks assailants launched routinely. "It's a heavier lift," he says, "to make sure we are carrying out things that are necessary and sufficient to do the job."
Organizations need to be proactive, not reactive, to cyberthreats. "We would like security to become so tightly integrated into our organizational process that we don't have to think about it every day," says Ross, a fellow at the National Institute of Standards and Technology, who leads NIST's Federal Information Security Management Act Implementation Project.
In the interview, Ross discusses the:
- Role continuous monitoring performs in helping organizations to become more proactive in safeguarding their digital assets;
- Importance of getting senior leaders involved in the risk-management process;
- How TACIT could help organizations reduce complexity, which in turn, can save it money.
Besides leading NIST's FISMA Implementation Project, which includes the development of key security standards and guidelines for the federal government and critical information infrastructure, Ross heads the Joint Task Force Transformation Initiative Interagency Working Group with representatives from NIST, the federal intelligence community, departments of Defense and Commerce, the Office of the Director of National Intelligence and the Committee on National Security Systems.
Ross also serves as the architect of the risk-management framework that integrates the suite of NIST security standards and guidelines into a comprehensive enterprise security program.