Jeff Slotnick has been thinking about, analyzing, and predicting the future of the security industry for more than 30 years. In that time, he has seen the industry shift into a significantly more important role, a change he saw coming while serving as a senior enlisted soldier in the United States Army Engineer Corps.
“I’ve always been an evangelist for this community,” Slotnick observes. “The more people know about how risk assessment can help them, can help us run companies better and do things more safely, the more they become believers themselves.”
Slotnick, a certified protection professional (CPP) and physical security professional (PSP), is the president of Setracon Inc. and chief security officer at OR3M, based in Washington state. He has traveled the world consulting with organizations about their security risk profiles, and the predictions he made decades ago about the evolution of standardization in the risk assessment profession are fast becoming a reality. Compliance with ISO 31000 and ISO/PAS 28000 has become much more sought after in recent years. According to Slotnick, this is a change he saw coming years ago.
“It’s the influence of technology,” he says. “ISO 31000 and similar standards help organizations grasp an understanding of their culture, not just their data. It enables them to use all the data they collect and all the devices they have—which produce an immense amount of data—to protect themselves, their employees, customers, and businesses. It’s a very exciting time.”
The ISO 31000 family of standards includes ISO 31000:2009 (Principles and Guidelines on Implementation), ISO/IEC 31010:2009 (Risk Management: Risk Assessment Techniques), and ISO Guide 73:2009 (Risk Management: Vocabulary). Although the standards were not developed with certification in mind, Slotnick expects their popularity to increase significantly in coming years as more organizations recognize the potential of the standards to make them more secure.
“I find 60 percent of this job is education,” he says. “People don’t know what they don’t know. Simply capturing data in an audit, you’re creating a very clear value statement. I can show a company how identifying and managing risk helps them avoid problems in the future. Knowing what those dangers are and being able to create a plan to prevent or eliminate them is a very valuable skill and one that more people should learn.”
Teaching that skill is something Slotnick is very familiar with. He serves as a faculty advisor at the University of Phoenix, where he also takes classes to continue his own learning. In his roles as consultant, teacher, and student, he sees the risk assessment profession moving toward full enterprise security risk management (ESRM) and ultimately enterprise risk management (ERM). This is a shift that could have dramatic consequences for the way organizations staff their executive boards.
“This is an industry in transition,” he observes. “Traditionally, we’ve seen risk as a physical thing, something to address with physical means. Now, we’re seeing organizations meld their risk profile with their OHSAS, environmental, financial, customer and employee health, cyber, and physical risk efforts. All risk is shared. When there is risk to one part of an organization, there is going to be risk exposure to many other parts. That’s an exciting thing, and it’s been a long time coming.”
The post Security Expert Expects Rise in Security Certifications appeared first on The Auditor.
The National Institute of Standards and Technology (NIST) has released a draft of the Baldrige Cybersecurity Excellence Builder, a self-assessment tool to help organizations understand the effectiveness of their cybersecurity risk management efforts.
NIST is requesting public comments on the draft, which combines two globally recognized NIST resources: the organizational performance evaluation strategies of the Baldrige Performance Excellence Program and the risk management mechanisms of the Cybersecurity Framework.
Deputy Secretary of Commerce Bruce Andrews announced the release of the draft during his remarks at the Internet Security Alliance’s 15th Anniversary Conference in Washington, D.C., in September.
“The Baldrige Cybersecurity Excellence Builder answers a call from many organizations to provide a way for them to measure how effectively they are using the Cybersecurity Framework,” Andrews said. “The builder will strengthen the already powerful Cybersecurity Framework so that organizations can better manage their cybersecurity risks.”
Using the builder, organizations of all types and sizes can:
- Determine which cybersecurity-related activities are important to business strategy and the delivery of critical services
- Prioritize investments in managing cybersecurity risk
- Assess the effectiveness and efficiency of using cybersecurity standards, guidelines, and practices
- Assess their cybersecurity results
- Identify priorities for improvement
The Cybersecurity Framework provides a risk-based approach to cybersecurity through five core functions: identify, protect, detect, respond, and recover. The framework gives order and structure to today’s many approaches to cybersecurity management by assembling standards, guidelines, and practices that are working effectively in many organizations. Applying Baldrige principles enables organizations to maximize the framework’s value and to manage all areas affected by cybersecurity as a unified whole.
Like the Cybersecurity Framework, the Baldrige Cybersecurity Excellence Builder is not a “one-size-fits-all” tool for dealing with cybersecurity risks; it is adaptable to an organization’s specific needs, goals, capabilities, and environment.
The builder guides users through a process that details their organization’s distinctive characteristics and strategic situations related to cybersecurity. A series of questions helps to define current approaches to cybersecurity in areas of leadership, strategy, customers, workforce, and operations, as well as the results achieved with them.
An assessment rubric also allows users to determine their organization’s cybersecurity maturity level, classified as “reactive,” “early,” “mature,” or “role model.” The completed evaluation can lead to an action plan to upgrade cybersecurity practices and management, implement those improvements, and measure the progress and effectiveness of the process. Designed to be a key part of an organization’s continuous improvement efforts, the builder should be used periodically to maintain a high level of cybersecurity readiness.
The draft Baldrige Cybersecurity Excellence Builder was developed through a collaboration between NIST and the Office of Management and Budget’s Office of Electronic Government and Information Technology, with input from private sector representatives.
Public comments on the draft will be accepted until December 15, and can be submitted via email at firstname.lastname@example.org.
The post Comments Sought on Baldrige-Based Tool for Cybersecurity Excellence appeared first on The Auditor.
The U.S. Department of Veterans Affairs (VA) and the global safety science organization Underwriters Laboratories (UL) have signed a Cooperative Research and Development Agreement (CRADA) covering medical device cybersecurity standards and certification approaches.
The CRADA mechanism was established as part of the Federal Technology Transfer Act of 1986 to encourage the creation of teams to solve technological and industrial problems for the greater benefit of the country.
This CRADA project will support improvements in veterans’ patient safety and security through the use and verification of UL’s Cybersecurity Assurance Program (CAP).
Working with UL, the VA’s Office of Information & Technology will refine existing and emerging standards and practices related to network connectable medical devices, medical device data systems, and related health information technology.
Both parties expect the project to accelerate the sharing of medical device cybersecurity information, standards, and life cycle requirements toward creating a safety certification framework for veterans.
The VA and UL seek to address the existing gap in the marketplace for cybersecurity standards and practical certification approaches for connected medical devices.
Historically, the inability to patch and reconfigure devices, combined with long service lifetimes, has left devices running old, vulnerable software and has made defending medical devices against cyberattacks difficult.
Anura Fernando, UL Principal Engineer for Medical Software & Systems Interoperability, said that by working with the VA, UL will contribute to industry-wide situational awareness of medical device vulnerabilities and threats.
“We believe that this project will positively impact the direction that manufacturers take in improving the overall security posture of medical cyber assets,” Fernando said.
This CRADA project is expected to be completed in December of this year.
The post U.S. Department of Veterans Affairs and UL Cooperate on Medical Device Cybersecurity appeared first on The Auditor.
The global safety science organization UL (Underwriters Laboratories) has launched its new cybersecurity assurance program, UL CAP.
Using the new UL 2900 series of standards, UL CAP offers testable cybersecurity criteria for network-connectable products and systems: assessing software vulnerabilities and weaknesses, minimizing exploitation, addressing known malware, reviewing security controls, and increasing security awareness.