http://www.gcn.com/print/27_9/46166-1.html By William Jackson GCN Interview 04/28/08 issue Natalie Givans, a vice president at Booz Allen Hamilton.s information and mission assurance and resilience group, has gained experience during her career in analyzing and designing security for a variety of government and commercial information and communication systems. From 2000 to 2005, she was on the board of the International Systems Security Engineering Association, which developed the System Security Capability Maturity Model. Givans has said information security is a matter not only of technology but also of leadership, economics, policy and culture. GCN: You have worked in the information security field for more than 20 years. What changes have you seen? GIVANS: I started at Booz Allen 24 years ago. Back then, we were working on crypto devices, things like the STU-3, the Secure Telephone Unit, at all levels of government - primarily point solutions. That was the extent of the security industry. I found it difficult to talk with commercial organizations - energy utilities, financial services companies - about their responsibilities to protect resources in what was becoming an electronic world. They didn't understand anything beyond scrambling the bits. We were ahead of our time in terms of our concerns. With the fact that everything is connected to everything now, the threats are coming from within the network as well as from outside. It's on everybody's mind now. GCN: You have said that information security involves more than technology. But is the technology available today adequate for the job? GIVANS: Information security involves protection of information in the classic sense, such as encrypting it. It also involves information and network integrity and their availability as well as the accountability of the processes and humans involved. We have a lot of technology, but a lot of it is still point solutions focused on just one of those problems, not at their integration in an enterprise or at a national security level. We have a lot of crypto devices, firewalls, identity and access management, including biometrics, smart cards and audit software to see what is going on in the network. My real concern is the integration of that technology. The [Defense Department] called this defense in depth years ago - it's not a new idea. GCN: How do agencies get the funding they need for proper security? GIVANS: Agencies need to be able to tie information and infrastructure security to the mission they are trying to accomplish. Be able to explain what the risks are to the organization and tie information security requirements to that. Too often this focus is separate: There are a group of people who worry about information security but who are not linked to the rest of the organization. Agencies need to link different elements, to show not only compliance but show how the money spent on security is going to be an enabler of their mission. GCN: How do you measure security? What metrics do you use? GIVANS: I worked years ago on what has become an [International Organization for Standardization] standard, the Systems Security Engineering Capability Maturity Model. We had a large metrics working group on that. In the software world, it was fairly easy to demonstrate that higher maturity levels yielded better software. In the security world, we had a lot of debates about that. It wasn't really clear that the more process you had, the better the security would be. In fact, there were times we could prove that really wasn't the case. The metrics working group had to take this on. We determined that security measurements typically focused on areas that were easy to measure and on what was obvious. Organizations easily can measure the number of people trained or the number of devices installed or the number of intrusions that are detected. The problem is [that] the metrics that people collect do not necessarily point to better security; they point to better process. I think it is important for organizations to identify the goals for their missions, and the threats they are seeing to those goals. Then they tie their improvements to those. For example, we asked organizations to identify the specific configuration management weaknesses that were exploited within their organization and to train their personnel on how and why they needed to close those vulnerabilities. Then give them a deadline, give them resources and then audit and make them accountable. That string of events would lead to real knowledge of security results. GCN: How do you translate a security policy into a culture that supports security? GIVANS: It starts at the top. If you look at the nation, it starts with the president. What we find in any organization is that which is measured is improved, and what leadership talks about are the things people pay attention to. So first, the most senior leaders must publicly embrace and advocate security. They also have to ensure there is adequate funding to implement these policies and that people are adequately trained. And there has to be accountability, a way to tie the stakeholders. incentives to the desired level of security maturity. GCN: Is security training being adequately addressed in most agencies? GIVANS: Probably not, but it varies greatly from organization to organization. There are examples where agencies are putting a lot of effort into it. When we have a lot of budget constraints, training of any kind tends to take a back seat. There is a need to work out what kind of training is needed for each kind of employee. In some cases, you can get by with an awareness campaign; in other cases, security professionals must have certification. Certification can be a driver for education. One example of that is the Defense directive requiring certification of the information assurance workforce in a certain time frame. Recently, this was picked up as a requirement that contractors also must achieve certification. Obviously, organizations still need to provide the funding for that to happen. GCN: Are there any government success stories that stand out for you? GIVANS: I would say [the National Institute of Standards and Technology] is a great example. Under [the Federal Information Security Management Act], they have focused on working across the community to establish the right kinds of guidance, standards and tools that help normalize the requirements. They have everything from performance measurement guides to information security handbooks to recommended security controls. I think that is a great enabler. Another is the Information Assurance Technical Analysis Center sponsored by [the Defense Technical Information Center and the Director of Defense Research and Engineering office]. Their emphasis is on capturing I-A best practices and standards. GCN: What is the greatest security challenge facing the government in the coming years? GIVANS: The big area is the defense of our infrastructure. There should be a lot of concern about the risk to our financial systems, our control systems and our networks from both inside and outside the enterprise. We see more incidents, such as the loss of information, but more scary is the lack of availability of the infrastructure when you really need it. That to me is the big threat. We need to focus on better tools for the prediction, prevention and reconstitution of our infrastructure. We need to focus on resilience, not just protection, because we are going to get attacked, the systems will go down, and what will be important is how fast you can respond and recover. _______________________________________________ Attend Black Hat USA, August 2-7 in Las Vegas, the world's premier technical event for ICT security experts. Featuring 40 hands-on training courses and 80 Briefings presentations with lots of new content and new tools. Network with 4,000 delegates from 50 nations. Visit product displays by 30 top sponsors in a relaxed setting. http://www.blackhat.com
This archive was generated by hypermail 2.1.3 : Fri May 02 2008 - 01:27:54 PDT