Ron Ross on Revised Security Controls

Video Interview: NIST's Risk Mgt. Guru Explains SP 800-53
NIST's latest guidance on security controls adds new areas that reflect the rapidly changing computing environment - advanced persistent threat, cloud computing, insider threat, mobility and privacy, to name a few - but the rudiments of implementing those controls haven't changed.

"The fundamentals of cybersecurity - I call it the physics of security - don't change over time," National Institute of Standards and Technology Senior Fellow Ron Ross says in a video interview with Information Security Media Group. "How we apply those controls ... is a little bit different, but the same fundamentals."

NIST last month published a draft of Special Publication 800-53 Revision 4: Security and Privacy Controls for the Federal Information Systems and Other Organizations, which was written by a team of institute computer scientists led by Ross [see NIST Updating Catalog of Controls].

In the interview on the new guidance, Ross explains why some organizations find it tough to implement controls, pointing out that doing so can be costly and that getting buy-in from non-technology agency and business leaders presents a challenge to IT security managers. But, he says, organizations that get their information risk management infrastructure in place find it easier over time to identify and decide which security controls to implement.

"It's like building a house," Ross says. "Laying the concrete is the toughest part. Once you got the foundation, the house goes up and everything hopefully comes out well."

Ross leads NIST's Federal Information Security Management Act compliance team. A graduate of the United States Military Academy at West Point, Ross served in a variety of leadership and technical positions during his 20-year career in the Army. During his military career, Ross served as a White House aide and as a senior technical advisor to the Department of the Army. He is a graduate of the Program Management School at the Defense Systems Management College and holds a master's and a Ph.D. in computer science from the United States Naval Postgraduate School.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
