At a presentation at the University of Minnesota this morning, National Institute of Standards and Technology Fellow Ron Ross announced the publication of a new set of systems security engineering guidelines designed to help improve information security.
NIST Special Publication 800-160 was released in draft form and is now available for public comment. You can download the publication here: “Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems.”
Ross said the announcement was made at the university to highlight where the skills needed to combat tomorrow’s cyber security challenges will come from. He said the University of Minnesota’s Technological Leadership Institute represents a model for preparing the next generation of information security workers, and he noted that public-private partnership — with buy-in from government, academia and industry — will be key to improving information security moving forward.
As an example of where cyber security is headed, Ross reflected back to a time when airbags were optional add-ons for car buyers. Today, that type of safety technology (along with steel frames and other safety improvements) is standard. He sees best practices for systems security engineering processes, some of which we’ve known about for 20 or 30 years, eventually becoming the norm as well.
“Security should be a by-product of good design and development practices,” he said.
Ross admits that given today’s increasingly complex systems, preventing cyber attacks entirely is not possible. However, if we are able to make a cultural shift in the way we think about information security and better integrate it into development and management processes, he thinks businesses can become more resilient.
“It’s going to happen, even if you’re doing everything right,” Ross said. “But you can reduce vulnerabilities.”