Risk Management Elevated as an Infosec Challenge

NIST's Crucial Role in the Risk Management Discussion
Managing IT security, fundamentally, comes down to weighing risks. And, in the past week, the National Institute of Standards and Technology has focused on risk management with two significant announcements.
First, the issuance of Special Publication 800-39, Managing Information Security Risk: Organization, Mission and Information Systems View. Second, the announcement that by mid-December, NIST will issue a major revision of its premier guidance, SP 800-53: Recommended Security Controls for Federal Information Systems and Organizations, which details how security controls serve as valuable tools in managing risk.
Risk can be synonymous with gamble, but the guidance from NIST basically eliminates the gamble from the risk equation, in part, by expanding those involved in making the risk assessment to include technologists and non-technologists alike. Risk management isn't the responsibility of a single entity within an IT organization but a task that must be shared throughout the enterprise, as SP 800-53 states:
"It is important that the organization realistically assesses the risk to organizational operations and assets, individuals, other organizations and the nation that arises by placing the information system into operation or continuing its operation."
That's a point embraced by Oregon Chief Information Security Officer Theresa Masse, who is working to get non-IT officials in her state government more engaged in IT risk management (see Giving Non-IT Execs Onus for IT Risk):
"Agency directors tend to think of information security only from a technology perspective, so we want to help them become more engaged in understanding that protecting their info assets is an executive leadership responsibility. And it's not appropriate for the IT management to determine risk for that agency."
Ron Ross, a NIST senior computer scientist and risk management framework principal architect, says managing risk must be the responsibility of senior leaders from the get-go (see Managing Risk: Why It's a Hot Topic):
"It really does take the involvement of everyone up the chain of command, especially with today's advanced persistent threats that have the through some well-placed malware to really bring down an entire organization's operations. The realization of this by senior leaders now has energized them and has gotten them involved in the process of managing risk."
A generation ago, information technology became omnipresent in the enterprise; simply, you couldn't separate IT from the business process. Today, the same holds true with IT security; organizations can't function unless everyone is involved in IT security. And, from a leadership function, that also means risk management.