[ISN] Security gets into the mix

From: InfoSec News (alerts@private)
Date: Fri May 02 2008 - 01:08:43 PDT


By William Jackson
GCN Interview
04/28/08 issue

Natalie Givans, a vice president at Booz Allen Hamilton.s information 
and mission assurance and resilience group, has gained experience during 
her career in analyzing and designing security for a variety of 
government and commercial information and communication systems.

 From 2000 to 2005, she was on the board of the International Systems 
Security Engineering Association, which developed the System Security 
Capability Maturity Model. Givans has said information security is a 
matter not only of technology but also of leadership, economics, policy 
and culture.

GCN: You have worked in the information security field for more than 20 
years. What changes have you seen?

GIVANS: I started at Booz Allen 24 years ago. Back then, we were working 
on crypto devices, things like the STU-3, the Secure Telephone Unit, at 
all levels of government - primarily point solutions. That was the 
extent of the security industry. I found it difficult to talk with 
commercial organizations - energy utilities, financial services 
companies - about their responsibilities to protect resources in what 
was becoming an electronic world. They didn't understand anything beyond 
scrambling the bits. We were ahead of our time in terms of our concerns. 
With the fact that everything is connected to everything now, the 
threats are coming from within the network as well as from outside. It's 
on everybody's mind now.

GCN: You have said that information security involves more than 
technology. But is the technology available today adequate for the job?

GIVANS: Information security involves protection of information in the 
classic sense, such as encrypting it. It also involves information and 
network integrity and their availability as well as the accountability 
of the processes and humans involved.

We have a lot of technology, but a lot of it is still point solutions 
focused on just one of those problems, not at their integration in an 
enterprise or at a national security level. We have a lot of crypto 
devices, firewalls, identity and access management, including 
biometrics, smart cards and audit software to see what is going on in 
the network. My real concern is the integration of that technology.

The [Defense Department] called this defense in depth years ago - it's 
not a new idea.

GCN: How do agencies get the funding they need for proper security?

GIVANS: Agencies need to be able to tie information and infrastructure 
security to the mission they are trying to accomplish. Be able to 
explain what the risks are to the organization and tie information 
security requirements to that.

Too often this focus is separate: There are a group of people who worry 
about information security but who are not linked to the rest of the 
organization. Agencies need to link different elements, to show not only 
compliance but show how the money spent on security is going to be an 
enabler of their mission.

GCN: How do you measure security? What metrics do you use?

GIVANS: I worked years ago on what has become an [International 
Organization for Standardization] standard, the Systems Security 
Engineering Capability Maturity Model. We had a large metrics working 
group on that. In the software world, it was fairly easy to demonstrate 
that higher maturity levels yielded better software.

In the security world, we had a lot of debates about that.

It wasn't really clear that the more process you had, the better the 
security would be. In fact, there were times we could prove that really 
wasn't the case.

The metrics working group had to take this on. We determined that 
security measurements typically focused on areas that were easy to 
measure and on what was obvious. Organizations easily can measure the 
number of people trained or the number of devices installed or the 
number of intrusions that are detected.

The problem is [that] the metrics that people collect do not necessarily 
point to better security; they point to better process.

I think it is important for organizations to identify the goals for 
their missions, and the threats they are seeing to those goals.

Then they tie their improvements to those. For example, we asked 
organizations to identify the specific configuration management 
weaknesses that were exploited within their organization and to train 
their personnel on how and why they needed to close those 
vulnerabilities. Then give them a deadline, give them resources and then 
audit and make them accountable.

That string of events would lead to real knowledge of security results.

GCN: How do you translate a security policy into a culture that supports 

GIVANS: It starts at the top. If you look at the nation, it starts with 
the president. What we find in any organization is that which is 
measured is improved, and what leadership talks about are the things 
people pay attention to. So first, the most senior leaders must publicly 
embrace and advocate security. They also have to ensure there is 
adequate funding to implement these policies and that people are 
adequately trained. And there has to be accountability, a way to tie the 
stakeholders. incentives to the desired level of security maturity.

GCN: Is security training being adequately addressed in most agencies?

GIVANS: Probably not, but it varies greatly from organization to 
organization. There are examples where agencies are putting a lot of 
effort into it. When we have a lot of budget constraints, training of 
any kind tends to take a back seat. There is a need to work out what 
kind of training is needed for each kind of employee. In some cases, you 
can get by with an awareness campaign; in other cases, security 
professionals must have certification.

Certification can be a driver for education. One example of that is the 
Defense directive requiring certification of the information assurance 
workforce in a certain time frame. Recently, this was picked up as a 
requirement that contractors also must achieve certification. Obviously, 
organizations still need to provide the funding for that to happen.

GCN: Are there any government success stories that stand out for you?

GIVANS: I would say [the National Institute of Standards and Technology] 
is a great example.

Under [the Federal Information Security Management Act], they have 
focused on working across the community to establish the right kinds of 
guidance, standards and tools that help normalize the requirements. They 
have everything from performance measurement guides to information 
security handbooks to recommended security controls. I think that is a 
great enabler. Another is the Information Assurance Technical Analysis 
Center sponsored by [the Defense Technical Information Center and the 
Director of Defense Research and Engineering office]. Their emphasis is 
on capturing I-A best practices and standards.

GCN: What is the greatest security challenge facing the government in 
the coming years?

GIVANS: The big area is the defense of our infrastructure.

There should be a lot of concern about the risk to our financial 
systems, our control systems and our networks from both inside and 
outside the enterprise. We see more incidents, such as the loss of 
information, but more scary is the lack of availability of the 
infrastructure when you really need it. That to me is the big threat. We 
need to focus on better tools for the prediction, prevention and 
reconstitution of our infrastructure. We need to focus on resilience, 
not just protection, because we are going to get attacked, the systems 
will go down, and what will be important is how fast you can respond and 

Attend Black Hat USA, August 2-7 in Las Vegas, 
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings 
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.  
Visit product displays by 30 top sponsors in 
a relaxed setting. http://www.blackhat.com

This archive was generated by hypermail 2.1.3 : Fri May 02 2008 - 01:27:54 PDT