Mission Critical Institute for Cybersecurity Staff Member: Welcome everyone. We are so pleased to have you here. Thank you for joining tonight’s webinar, The Best Cyber Breach Protection, which of course is certified NIST RMF professionals. Our panel tonight will include Dr. Ron Ross, Mr. Richard Spires, and Dr. Victor Berlin, who will also be co-moderating with me. I’m Christine Olyer, the director of Academic Programs for Mission Critical Institute. Before we get started, I would like to address just a few housekeeping items. To prevent background noise you’ll notice that all participants are muted throughout the session. You may, however, type some questions into the questions link that you see there where it says questions from the audience, and we will try to get to all of those if time permits. We will have a Q&A session at the end.
Mission Critical Institute for Cybersecurity Staff Member: With that let’s get started. Our agenda for tonight, surrounding NIST RMF professionals and breach prevention, covers these six topics. We really want to hit not only breach prevention, but how the expanding utilization of the NIST RMF is happening throughout all the different industries that we have here. We’ll also talk about how folks need to use NIST RMF in their cybersecurity investment decisions, so that’s all C-Suite, and then we’ll be talking about NIST RMF specialists and effective utilization of the NIST RMF. We’ll also be talking about the skills that NIST RMF specialists need to be effective, truly effective, and how to become an effective NIST RMF specialist. With that, I’d like to turn it over to Dr. Ron Ross as he talks about the role of NIST RMF in preventing breaches.
Dr. Ron Ross: Thanks very much, and thanks everybody for joining tonight, and thanks to our host, the Mission Critical Institute and Learning Tree International. I think before we get into the details, I always like to set the context for what we’re going to be talking about tonight, and it’s very easy in the world of cybersecurity to get lost in the details. It’s a very challenging career field to be in. I think today there’s no skill or there is no profession that is of greater importance than the cyber security profession.
Dr. Ron Ross: Today we have computers literally going into everything that we care about from our power plants to our financial institutions to all the Internet of things devices, the things that you have around your house, everywhere those computers move. I call it moving to the edge. Those computers are driven by software and firmware and they’re built into systems that all of us [inaudible 00:03:00] every day. They give us great capability. They allow us to do things we never anticipated before, but with all this great new technology and all the great new capability that we use within the federal government and also in the private sector, within the critical infrastructure, all of that gives us tremendous capability, but there’s also a very important side of this that we have to talk about tonight is that how do we protect all of the things that we deploy in our systems and all those technologies that allow us to be successful in whatever mission or business area we’re trying to pursue?
Dr. Ron Ross: The NIST RMF, the Risk Management Framework, actually started in the early 2000s, and it made its first appearance … it used to be part of what we call certification and accreditation. Those of you who go back several years will remember that term, and we designed the RMF really to give organizations a way to build security programs and to have a disciplined and structured approach in how they can protect their systems and their critical assets and also prevent this unending set of cyber attacks that are constantly bearing down on organizations.
Dr. Ron Ross: The RMF originally was the six steps that you see today. It’s all about a disciplined instruction process to understand what kind of assets I have to protect, what kind of data I am using day to day to help me carry out my critical missions and business operations. What kind of security controls do I need to actually protect that information? And we go through the implementation, the assessment to make sure those controls are effective, and then it ends up in an authorization decision. That’s the decision that the senior leadership actually gets involved in, to make a risk-based decision on whether that system is worthy of putting into operation or continuing in its operation. And then of course all of you have heard about the continuous monitoring program that DHS now is running. We’ll talk about that a little bit later, but the RMF plays a very central role in helping to prevent breaches and responding when you have a breach and making sure that you get the systems back to an operational state.
Dr. Ron Ross: Now, as many of you know the RMF is just one of those elements in the federal government, and the private sector uses the RMF a lot on a voluntary basis. We now also have a new thing called the cybersecurity framework, which came out of an executive order and that cybersecurity framework now has become very well accepted across the public and the private sector. In fact, the federal government now has to manage our risk using the NIST cybersecurity framework, and a lot of people really are asking questions: how do these two frameworks relate?
Dr. Ron Ross: And we’ll be talking about that a little bit more tonight as well, but in general the cybersecurity framework is the way you communicate with the C-Suite, the senior leadership in an organization. These are very busy people, they have a lot on their mind, and sometimes coming at them with the very detailed things that you deal with on a system level of security controls and all the different things that you have to do on a day to day basis, it doesn’t resonate with the senior leadership. So the NIST cybersecurity framework is a way to have that discussion with the senior leadership and then push out some of the direction that you get from the senior leadership into the systems level work that the RMF is actually covering.
Dr. Ron Ross: That’s pretty much the RMF and the continuous monitoring, and it also leads to this notion of how much should I be paying to protect my critical assets? The investment decisions that you make at an organizational level will be informed both by the cybersecurity framework and also the NIST risk management framework. So there I think I’ll stop and hand it over to my colleague Richard Spires to see if he has anything to add to my comments on this slide.
Richard Spires: Yeah, yeah. Thank you Ron. Yeah, this is Richard Spires and in some of my previous work, I happened to be the CIO at a couple of different federal agencies, first at the IRS and also at the US Department of Homeland Security, and got to work closely with Ron and NIST typically in that role. Just a couple of additional comments, a little bit more color having been in this CIO role: the robustness of the risk management framework has always been there since the early 2000s and it is very, very helpful in helping define what are the security controls that you should be implementing at a system level. In complex IT environments such as I was managing in government agencies, you can’t do it all, and it becomes very, very difficult. You only have so much budget. Of course there’s a lot of call for that budget to be put into new functionality for the mission and business owners, or in the private sector for the business owners.
Richard Spires: And so there’s always this balance that you’re trying to strike, and that’s where I think the addition of the cybersecurity framework that NIST did, not just by itself, but really working across the world looking at best practices on how to do these risk-based decisions and then get the senior leadership engaged. I think that’s one of the reasons why the cybersecurity framework together with the risk management framework is now really becoming in many ways the de facto standard for how you look at risk management and control within cybersecurity across many industries, not just government but mainly private sector industries.
Richard Spires: I think that maturation of that being able to go from the very lowest level of control at a system level all the way up to a CEO or a head of an agency and being able to talk about what are the risks that you need to mitigate and put priorities on those risks so that you’re focused on the most important things. You’re focused on those crown jewels of data that you need to protect because those of us who have done this, it’s very, very difficult to protect everything that you have survey over when you’re dealing with a large government organization or a large commercial sector company. So let me pause there.
Mission Critical Institute for Cybersecurity Staff Member: Thank you, Richard. I have a couple of questions myself. Ron, you were one of the original architects back in 2004 of the NIST RMF. What have been some of the surprising changes or the growth that you’ve seen just over the past few years?
Dr. Ron Ross: Well, there’s been a lot of interesting things happen with the RMF world. I really want to echo what Richard just said about the … these are very complex environments. And one of the original design criteria for the RMF was to give agencies like Richard was involved in, the DHS and the IRS, the flexibility to design their security plans to match the environment where they’re actually working.
Dr. Ron Ross: Every organization has different missions and different operational environments, and the RMF was designed with that flexibility in mind. Now that characteristic that we designed into the RMF back in the early 2000s really set the stage for the adoption of the RMF by the Defense Department and the United States intelligence community back in 2009. That was our first entrée into what we called the Joint Task Force, where NIST became a partner with the DOD and the intelligence community, all 16 agencies and the Office of the Director of National Intelligence. That flexibility allowed the DOD and the intelligence community to use the same framework because we had developed a very broad spectrum of security controls, and that was one of the things that was put into the original design, because everybody who works in these federal environments knows that one size literally does not fit all. Every agency is unique and they’re all using the information technology that comes out of the commercial marketplace, and so that flexibility was really key to expanding the RMF and allowing new customers to come in and use the RMF.
Dr. Ron Ross: I will say that one of the disappointments, everything doesn’t always go as planned, and I think Richard can probably attest to this, is that we wanted agencies to really be more aggressive at tailoring the control sets that we publicize and making sure that they are really fine tuned to their organizations. And a lot of times what happens, though, when you have IGs and auditors involved in the process, organizations are very reticent to eliminate certain controls. So the tailoring didn’t occur as much as we would’ve liked, so we’re trying to fix that in some of the updates to our publications that are occurring in 2018. So it’s a very interesting process to reflect back on. And now that we have the cybersecurity framework and we’re linking that to the risk management framework, the cybersecurity framework is going worldwide. I think this is leading us to common solutions, which is good for business, it’s good for government, and it’s good for security.
Victor Berlin: Let me ask you another question. In terms of the expansion of utilization, as you’ve both mentioned, the NIST RMF and the [inaudible 00:12:43] frameworks are being adopted voluntarily in the private sector. What do you see as the primary motivations for why the private sector is doing that?
Richard Spires: Well, I’ll jump in first. Victor, it really is about having a scarcity of resources and a really important problem to solve. I mean, there isn’t a CEO who doesn’t worry about, if not on a daily basis, certainly on a frequent basis, the cybersecurity posture of his or her company. And yet I go back to what I was saying: any large organization or even the medium-size organizations today, the complexity factors you’re dealing with when you’re looking at your IT environment are significant. And so this notion, and it used to be that we took the view of let’s protect all of this, okay, with perimeter controls and firewalls and the like, but the world’s changed so much and so quickly.
Richard Spires: You look at things today as an example, I could be using Software as a Service, SaaS-based applications, where I’ve got sensitive customer data out in the cloud and I’ve got users using that sensitive data through a SaaS-based application and none of that data ever actually resides or actually crosses into my own enterprise virtually. It never crosses my firewalls. It never really touches my own infrastructure. Think about that environment. How do you protect in that environment? The world has changed so quickly. You need some type of a framework, the right term by which to be able to assess all of this and truly make prioritized business decisions.
Richard Spires: And that’s what I’m so pleased to see, the maturation of these frameworks helping us make those prioritized business decisions at the C-Suite level about, “Hey, these are the four or five systems that are so critical to our business, that have such sensitive data, that these are the ones that we must protect, that we must take those extra steps. These are the other systems that, okay, are important to the business, we certainly want to protect them, but they’re not going to be as high a priority and therefore we’re going to not make as much investment in them.” You’ve got to make those kinds of decisions. And I think for the first time, in the last few years we’ve seen the maturation of these frameworks to enable us to make those decisions. And then with the robustness of the RMF be able to actually know what those controls are that we should put in place for those various types of prioritized decisions. Let me turn it back over to Ron to add to that [crosstalk 00:15:39]-
Dr. Ron Ross: Yeah. I think I would echo everything that Richard said and I would add I think there has been a realization. The federal government and the private sector, although they appear very different when you’re looking from the outside in, we’re all using the same basic commercial technology, and what puts the federal government at risk and all of our critical services and applications is the same types of things that can put a company, a corporation, even a small mom-and-pop company at risk.
Dr. Ron Ross: The reality today is we’re living in a very dangerous world of very sophisticated cyber attacks, and I think every company now who depends on this technology for their mission and business success realizes that the same capability which drives them to greater heights in their business can also bring them down in literally a nanosecond, because these attacks move at the speed of light. And you don’t have a lot of time to prepare, or even recover sometimes, or defend against these very, very high-end attacks that are occurring more frequently than we’d like to imagine today. I think that reality started to sink in in the last couple of years, and it’s not a very hard sell in today’s world to talk to any company out there who deals with high technology and make the argument that they understand that this is really a top priority to make sure they survive, and they can take advantage of the technology, but also not be brought down by that same technology.
Mission Critical Institute for Cybersecurity Staff Member: So I have a question for you, Richard. Ron, thank you so much. As we’re talking about the expansion of this, some of your experience was as the vice chair of the Federal CIO Council. How did that impact your awareness of how useful this would be to some of the other sorts of businesses and agencies that are out there?
Richard Spires: Yeah. Well, it’s interesting, and picking back up on a theme that Ron brought up, [inaudible 00:17:45] every agency, and by extension, every business is unique. They have unique missions or clearly unique circumstances. They have unique IT environments, although to Ron’s point as well, there’s a lot of commonality of use of products and solutions, but the way they’re configured, the way they’re used … And you saw that at the Federal CIO Council. We actually had a working group in cybersecurity, and we’d get together on a fairly regular basis and share, if you will, lessons learned and practices and the like. On the one hand you like to try to do things as standard as you possibly could, but very quickly you realize that you needed to tailor. In order to really do this effectively you need the experts on your staff that understand how to implement these frameworks and then the control suite that you need to implement for that particular enterprise. And I think that extends well beyond the federal government.
Richard Spires: Another point I’d make is it’s amazing to me when you read about these breaches just recently, whether it be Equifax or in government the SEC recently, or of course you can go back to the OPM data breach, and you look at what happened in these things and a lot of it comes down to not doing things well on the management side, like not patching systems, [inaudible 00:19:17] like some of the basic things, but it also in my mind raises this point about prioritization. When you’ve got incredibly sensitive data like data on people, PII, and you’re not taking the most basic steps to protect that data, it says you’re not going through the right kind of thinking process, even up at the C-Suite, as to the steps you need to take to prioritize and to make the investments where it is very important to you from a cybersecurity perspective. I [inaudible 00:19:52] with the point about that’s where the cybersecurity framework together with the RMF, marrying those two together and using them, can make a world of difference for an organization.
Mission Critical Institute for Cybersecurity Staff Member: Well, then thank you. That leads us right into … Ron, will you give us that high-level kind of vision of what the RMF is in relationship to the CSF. How do they kind of work together? Why are there two separate pieces?
Dr. Ron Ross: Well, in a perfect world there wouldn’t be two, but the reality is that we started the RMF over a decade, almost a decade and a half ago, and the cybersecurity framework came out of an executive order that was maybe 10 years after that. The frameworks are both frameworks. They both have that word in common, but they do different things. And the way I like to characterize it is I think exactly what Richard was alluding to earlier. The cybersecurity framework is a better tool to communicate with senior leaders. And I think one of the big impediments to our security profession is that a lot of times we get wrapped around the axle as security professionals thinking it’s all about us.
Dr. Ron Ross: It’s easy to get a pretty big head today with all the talk about cybersecurity, and in reality the best cybersecurity professional has really two very critical characteristics. One, they’re very skilled, and we’re going to talk about what kinds of skills those are in a little bit. They’re very skilled at their profession, and that goes for any profession. But understanding the fundamentals of how to protect systems, what are the basic things that can lead you to a better protection regimen within your organization.
Dr. Ron Ross: The second characteristic is understanding that you as a security professional are part of an organization, which has a mission. In other words, we don’t do security just to do security. We do security to make sure the mission is well protected, and a lot of times a lot of people in our business forget that. And that’s important because the cybersecurity framework is the framework that we use to communicate both ways from the C-Suite. They use that framework to understand more about the general notion of security. It gives us a common language. We talk about the high level function of identify, protect, detect, respond, recover. Those are terms that the C-Suite understands. And from there we develop very understandable categories and subcategories of security things that are very much understandable by the people who are making those important business decisions within an enterprise.
Dr. Ron Ross: Now, from there, at some point you have to go down and talk about things at the control level. So in some sense, the cybersecurity framework allows you to customize and have a discussion at the 30,000 foot level, and it allows the senior leaders to convey their intent down to the people who are going to be implementing those security programs down at ground level. And so the RMF was always designed to work more at the system level, because we talk about selecting controls, we talk about implementing controls at the system level. We talk about assessing controls and all the things that are really done on a tactical level, but the ability to marry the risk management framework at the tactical level, marry that up with the cybersecurity framework at the strategic level. That is the secret sauce that makes this stuff all work, because for many years there’s been a divide between the C-Suite and the people on the ground.
Dr. Ron Ross: I know in Richard’s organization he had the pleasure of working in a very large Department of Homeland Security, which I think, if I’m not mistaken, there were 23 agencies that came under one umbrella. That is complexity. And having the ability to have that common language, and to convey those … kind of like the commander’s intent in the military downstream to all the people in the trenches who have to actually carry those things out. Well, that’s something that you can’t put a price tag on. It’s just invaluable. And so that’s how those two frameworks are going to work together. They were invented at different times, but we found a way to use both of them to make our security and our privacy programs more effective.
Victor Berlin: Yeah. Let me interject a question at this point, which seems appropriate. We’re talking about the two frameworks and how they relate. And I guess the next issue is the effective implementation of NIST RMF, both in the public and private sectors. What does it take for an organization, an enterprise, to think about implementing it from the top management level, to the staffing level, to the budget level? Do you want to take a cut at that, Richard?
Richard Spires: Well, sure. I mean, I’ll start off with the management support, and the good news is I think this has changed a lot even over the last few years, and I applaud President Trump in this case for the cybersecurity executive order that he signed out, I guess it was earlier this spring. A mandate … the RMF was already mandated for our use at the Federal Government, but now it was like, “Hey, you need to use the cybersecurity framework as well to do just what Ron was describing, to be able to effectively work with the C-Suite, and in this case the agency leadership, so that you can have the right kinds of discussions, and you can make the right kinds of mission and business decisions from your protection posture and your privacy posture.”
Richard Spires: And so I think that top level support in government is now there, and frankly in the private sector. I recently read that Gartner estimated that the cybersecurity framework is going to be used by, I think, more than 50% of commercial organizations in the United States here within the next couple of years. So, what it does is it enables the C-Suite in private sector organizations to start to get their arms around what it effectively means, that they start to view it as a true risk management decision. We’ve always had risk management decisions on physical things, natural disasters, and things like that, and it’s been difficult up to this point to have that same kind of rigor around your cybersecurity posture and your risk. And that’s where I believe that these two frameworks coming together really, really help solve that.
Richard Spires: So I think top level management support is now there in most organizations. But then to your point, we’ve had this divide that Ron was talking about, and I lived it at DHS, where it was very difficult to have the right kind of discussions because you’d have some very, very capable expert people doing cybersecurity, but at a system, at a control level, and then you’d have this voice, so to speak, and then you’re trying to talk to agency leadership, or in the private sector, for example, trying to talk to the C-Suite. And so the idea is that now you’re going to have those experts, and some of them are going to be able to, if you will, help translate, using a common language provided by these frameworks, to be able to better communicate in a way that those senior leaders can understand, and that we don’t have to dive into the tremendous level of complexity right away.
Richard Spires: IRS is a great example. We had more than 350 operational systems. Every single one of them, okay … we had to use the risk management framework against, which is good, but the head of the agency is going to talk to us about 350 systems. They’re going to talk to us about, okay, where are major cybersecurity risks and what are we doing about those? And that’s where having the analysts that are able to translate from the system level up, through using the risk management framework and then the cybersecurity framework, in order to be able to have that discussion so that we could place those bets, or if you will, those protection dollars, where they would best be utilized is a skillset that I think needs to be developed in order to more effectively use these frameworks. Let me [crosstalk 00:28:46]-
Dr. Ron Ross: So those are great points, and I think to give you just two quick examples of how the cybersecurity framework is being used in concert with the risk management framework. Your listeners can go to the NIST website and they can download the … There’s a brand new discussion draft of NIST special publication 837. That is the RMF special pub, and you can see that discussion draft. You’ll see that we’ve made some significant improvements that address the cybersecurity framework in the, I call this, RMF 2.0, and the two big changes I think you’ll notice is that the cybersecurity framework is going to be used to inform the detailed level execution of the RMF.
Dr. Ron Ross: And this is one of the things that has been a major failing, because as Richard described the IRS, 300 and some systems down there, everyone’s doing their job trying to understand the RMF, is working on a system by system basis, but where is that top level guidance coming from? We need things like a risk management strategy, developing a risk tolerance, doing things that would identify security controls that are common controls that should be the responsibility of the enterprise and not the individual system owners.
Dr. Ron Ross: All of that guidance coming from the top level of the organization is absolutely essential. It buys in to the problem space. It gets the C-Suite involved in the risk based decisions that are essential in their role. If you don’t have that guidance coming from the top, then your individual system owners are going to continue to struggle on tailoring those controls that they’re trying to work with, but they really don’t understand what kind of guidance they’re getting from above to make those effective decisions. In essence, you’re giving those system owners top cover for making important decisions on a system by system basis.
Dr. Ron Ross: The other thing that we did is out the other end of that, once you execute the RMF and you produce the authorization package, that’s the risk based decision making package that every senior leader gets. That’s the basis of their risk based decision. All of that information to include all of your vulnerabilities and all of the plans of action and milestone elements that you’re going to be executing to fix things that are not right. All of that information gets conveyed back up to the senior leaders through the categories and subcategories and the functions of the cybersecurity framework.
Dr. Ron Ross: So in some sense it gives the senior leaders … they can see where certain vulnerabilities are clustering. Maybe it’s around the protect function or maybe they see a lot of problems in the detect function of the cybersecurity framework. This allows you to see trends across a large and complex organization, and so you can see the value in informing the people who are in the trenches and then allowing the people in the trenches to communicate. This is two-way communication up and down to the C-Suite, communicating what they’ve done and the potential impact on the organization going forward to include continuous monitoring. Now you’ve got an effective way to manage a cybersecurity program that is really, if it’s not real time, it’s near real time and that’s something we absolutely have to have in today’s modern world of these very quick and high end cyber attacks.
Victor Berlin: So it sounds like-
Richard Spires: [crosstalk 00:32:13]
Victor Berlin: … there’s a-
Richard Spires: Just picking up on that, if I could just this notion that these trending … You’re right on the continuous monitoring, getting the real time, but also on the trending, seeing where you have issues over time that gives you insight up to the C-Suite so that you can continue to improve. So the framework, this idea of maturing your ability over time, you’re not going to be perfect the first time you implement these frameworks, but it’s important to get started even if you can’t do it all the first time, but then to continue to iterate on these, and continue to improve your cybersecurity posture over time.
Dr. Ron Ross: Yep. That’s a critical point. When you study the cybersecurity framework, there’s more than just the core that we talked about, the functions and categories and subcategories. As Richard mentioned, there’s this notion of the tiers, and I kind of equate them to maturity levels. They’re not actually maturity levels, but they indicate organizations are not all the same. They have different skill sets. They have different levels of maturity in how good their programs are. And so the cybersecurity framework allows you to start out at a very immature level and work your way up through continuous improvement to a very high level of adaptiveness and repeatability, which are things that every good cybersecurity program strives to be.
Dr. Ron Ross: The other thing the cybersecurity framework gives you is this notion of profiles. It means that you can customize that framework to whatever sector you’re in to whatever type of federal agency you might find yourself, and whatever your mission space might be, and I think that’s another very important characteristic of a good framework. It allows you to customize to make sure that you are fine tuning your program to be effective in wherever you have to operate. Today we don’t have a lot of extra budget and dollars to be wasting money on additional controls or things we don’t need. And so the frameworks working together, when we talk about budget and investment decisions, senior leaders want to know where am I weak, where do I need to get healthy, what’s it going to cost to get me there, and how effective do we think that’s going to be in protecting the things that we value the most? That’s really why we do what we do.
Victor Berlin: I wanted to just-
Mission Critical Institute for Cybersecurity Staff Member: Now we’ve gotten. Oh Victor, we’ve gotten a question that’s relevant to this discussion from the audience and I just was going to ask just really quickly, is there a document that describes the alignment between the two? I know that the three tier model is in 837. Is there something else that talks about the alignment between these two frameworks?
Dr. Ron Ross: Yes. There’s a NISTIR. We have several types of publications at NIST as many of you know. We have our Federal Information Processing Standards, the FIPS. We have special publications in the 800 series, and then we have something called NISTIRs, they’re inter-agency reports. Some people call them NIST Internal Reports, and we produced a report about, I think, it’s almost been six or seven months now, and it’s a NISTIR that described the cybersecurity framework, and how it relates to the other NIST risk management publications that we produced. You mentioned the three-tiered model, the three-tier pyramid risk management. That’s actually in 800-39. The risk management framework-
Mission Critical Institute for Cybersecurity Staff Member: [crosstalk 00:35:44]-
Dr. Ron Ross: … the six step RMF is in 837. We have our security control catalog in 853 and actually we have privacy controls in there now too. And then we have the assessment guideline. All of these are addressed in NISTIR. I think it’s 8170. There’s so many numbers now in our NIST documents. I believe it’s NISTIR 8170, but you can Google the NIST cybersecurity framework and the supporting publication. And if anybody has any trouble, you can send me an email at email@example.com and I’ll make sure you get a copy of it.
Mission Critical Institute for Cybersecurity Staff Member: Thank you so much. Victor, I’m sorry for interrupting you. Let me turn it over to you.
Victor Berlin: Yeah. Well, I guess the critical variable here seems as if you have individuals who are capable of applying the NIST RMF at the system level, but then you need individuals who can revive the aggregative analysis for the C-Suite so they know how to understand what the risk posture is, where the organization wants to go, and relate what’s happening at the system level. So there’s that communication role or analysts role that it sounds like needs to be filled to effectively lengthen NIST RMF to the CSF at the C-Suite. Is that accurate?
Dr. Ron Ross: Yes, that’s very accurate, and it’s probably a good time to talk about the cyber workforce framework. I know that a lot of your listeners now either are in positions where they have to understand and execute the RMF or they might be considering careers as security professionals and thinking this might be a good field to go into. I think the cyber workforce framework … we have a program at NIST, it’s called the national initiative for cybersecurity education. The acronym is NICE N I C E, and we worked with Department of Homeland Security. This goes back to Richard’s days when he was there at the DHS to produce what we call a cyber workforce framework, and it’s a beautiful website that lays out every potential position, role, responsibility that you could possibly have in a security program within an organization. And these apply both to federal agencies as well as private sector organizations.
Dr. Ron Ross: That’s why if you’re considering a career that’s the first place I would go because you might already find yourself in one of those positions that’s described within the workforce framework, and it’ll tell you a lot about the kind of skills you need to have for that position. And that may lead you to a curriculum of study or maybe different types of degrees you want to pursue to make sure you continue to build on those skills. The other thing it can do, it can be a great catalog, and you browse through there and see what things catch your eye. There’s nothing better than having a passion for what you do in whatever field you choose to go into, and I know it’s been a passion of mine for the last 30 years in cybersecurity. I wasn’t always in this business, but when I found that passion, it makes getting up every day a pleasure to go to work because you just love what you’re doing.
Dr. Ron Ross: But in order to find that niche, you’ve got to go through and explore and see all the different things that you possibly could do under this umbrella called cybersecurity and there’s a lot as Victor just mentioned. Maybe you’re more on the technical side. Maybe you’d like to understand more about encryption or access controls or two factor authentication. Maybe you’re more into the policy area where you’re working at a higher level. We need people in every area and as you all know, we have a very, very severe shortage of cybersecurity professionals. So yes, you can learn about all those things. Whether you’re looking at the top of the C-Suite and trying to understand more about the cybersecurity framework or if you’re down under the hood taking the engine apart with the RMF, the cyber workforce framework is a great place to go to start your education or to continue your education.
Richard Spires: And Ron, this is Richard. Let me pick up on that. I agree with everything you just said and could flip the model, which is if you’re an employer or if you’re a SysOp, right?-
Dr. Ron Ross: Yep.
Richard Spires: … And you’re trying to assess your organization. I would turn to the NCWF right away and use that as kind of your guide. These are the skills and competencies and the roles that you need to have in a fully functioning robust cybersecurity practice for your organization, whether it be a government agency or whether it be a private sector firm. And this gives you a way to begin to assess where you probably have gaps. I think it’s very hard given the shortage to point to organizations that can say they have it all; very few, if any, do, but it’s really important to understand where you have gaps, and then you can go to work in trying to fill those gaps through hiring, which is quite difficult many times to find those skilled people, or develop staff through the right kind of training, right kind of education programs that we’ll be talking about a little bit here with Victor.
Victor Berlin: Now let me just say that Mission Critical Institute also uses them as tools to help us both develop the programs focusing on the NIST RMF that we develop and to make sure that they are developing the skill sets that are required by the different roles. It’s also a useful tool for assessing the education program to make sure that they are producing the kinds of individuals who can effectively implement the NIST risk management framework. So there are tools not only for the employers and the students, but also for educational institutions who want to make sure that they are producing the graduates who can be effective.
Dr. Ron Ross: Yeah, I agree with everything that’s just been said. I think the one thing, no matter what field you end up going into, what particular role in cyber security, no matter what you choose, I would always recommend that you absolutely invest in the fundamentals of whatever profession you choose, and within that profession, if you’re going to specialize, be the best specialist that you can possibly be. You want to separate yourself from everybody else and that takes time. It takes commitment. There are no easy paths in cybersecurity because in general it’s a fairly difficult and challenging field if you’re getting down to some of the technical things that we have to do, but anybody can get there with the right level of commitment and once you’re there you will reap the benefits forever and ever.
Christine Olyer: Well, that is a perfect dovetail into getting really down into the nitty gritty, really drilling down into what do you really need to have to become a certified NIST RMF professional, and Victor, I’ll let you cover that.
Victor Berlin: Thank you, Christine. I hope you’ll interject because you have a lot of knowledge about this also, but-
Christine Olyer: Thank you, [crosstalk 00:42:43]-
Victor Berlin: … as Mission Critical Institute looked at the requirements that both the private sector and the public sector have, and speaking with employers to understand what they’re looking for and building a pipeline of job ready NIST RMF talent, clearly one of the things that is important starting out in this field is you have to understand the policy and the law. You have to understand the foundation for the NIST Risk Management Framework, as Ron goes back almost 14 years and there’s been a lot that has evolved. So you have to understand that foundation, and then you have to learn how to use the NIST RMF. You have to learn how to produce the deliverables for the six steps because on the job if you’re assessing the risk exposure of a system, all the steps lead you to that [inaudible 00:43:40], which points out what remediation must take place.
Victor Berlin: But as you’ve heard, communication is critical not only in terms of communicating with stakeholders, system owners, system users, but also communicating to mid level management and senior management on what are the risks and what are the resource requirements. Making investment decisions using NIST RMF is an excellent tool. And there is not unlimited funding and so you have to make trade-offs in terms of, okay, what should we invest in, what should we not invest in, how much should we invest in a particular cybersecurity technology, a particular cyber security program? But in addition, then the C-Suite needs you to be able to assess what has been the on investment for that cybersecurity allocation, that cyber security budget. So these are the kinds of competencies that employers are looking for in order to be able to effectively implement the NIST RMF. And certainly project management competencies are critical for carrying out any NIST RMF project, whether it’s in the private sector or the public sector. I’d like you to, Richard and Ron, chime in and tell me your perspective on this.
Richard Spires: Yeah, well stated Victor. I [inaudible 00:45:06], and as Ron was explaining and talking about the workforce framework, there are many different skills that are needed across cybersecurity today, and I do think that in many ways where we tend to fall down is in some of these skills that are some of the softer skills like the communications and ability to really translate very technical information into a way that mid and senior level managers can digest that and understand it and deal with it and make good decisions. I think you need individuals that have those kinds of skills, and to your other point, you also need individuals that … a lot of these things turn out to be projects when you get into it, and you’re going to be implementing, let’s say, a new identity management solution for your company or you’re going to be implementing a modernized [inaudible 00:46:09] firewalls, whatever it is.
Richard Spires: These are true projects in and of themselves, and you need that project management discipline as well to carry those things out when you get down to the actual implementation of the action plans that come out of the [inaudible 00:46:24] framework that then lead to the Risk Management Framework.
Dr. Ron Ross: Yeah. I would echo everything that Richard just said. I think many of you know I’m a huge NASCAR fan. I like to think of things in terms of a NASCAR team or any kind of an auto racing team where you’ve got a team owner, who’s the … might be the equivalent of a C-Suite, and then you’ve got a whole series of individuals that are really responsible for designing that high performance race car, building it, engineering all the components. And then once that car is built and it goes out to race on the weekends, you have a driver, and then you’ve got a whole pit crew, and there’s a crew chief that actually runs the operation. So it’s very similar in some sense to how an organization runs their cybersecurity program. All those skills down to the guy who changes the tire in the pit stop. They’re all critical. They all have different skills. They all hone those skills to the best of their ability, but it takes all of those folks working together to make the program work.
Dr. Ron Ross: And sometimes, it’s all about process, procedure, technologies, people, process tech, all of those things have to come together, and sometimes we rely a little bit too heavily on technology and we forget that people are still a critical part of any good cybersecurity program as, I think, Richard was just alluding to.
Richard Spires: Well, in thinking [inaudible 00:47:52] great analogy with the race car. I think it’s kind of stunning when you think about some of these cyber breaches that we read about like Equifax and the fact that they had process breakdown. That was an operational [inaudible 00:48:10]. There were supposed to be these patches that were supposed to be done and even to the point where eventually the CEO blames an individual down in the security shop, “Oh, that individual didn’t do their job well.” Well, you can’t have a cybersecurity practice for a major company like that where it’s relying on one individual. Where’s the process discipline, the checks and balances to make sure that those things were carried out effectively, and that the checks were there, and the testing was there? All of the operational detail and that practice and procedure to do it right is critical as part of … well, it’s kind of like your race car. I’m taking the thing out and running it on the weekends in the race. And so all those disciplines, the planning discipline, the policy, the very technical discipline, the project management disciplines, they all need to work together effectively.
Richard Spires: And by the way, that’s no different than the IT operations. And one of the things I say is the best cyber you can start with is have a very effective IT operation that does it well and at least that gets … that does not solve everything for cybersecurity, no way, but it does help you better improve your cyber security posture and then you can build from there.
Victor Berlin: Yeah. I think you bring up a very good point, Richard, and I think this is one of the major areas where these frameworks have a big impact, and you have to establish that culture of security. I think the example you gave with Equifax is you need an organizational culture that understands the importance and is sensitive to everyone’s responsibility to protecting the information assets that an entity, an enterprise has, and building that cultural … and using the framework and promulgating that across multiple levels helps establish that culture.
Dr. Ron Ross: Victor, I really agree with that. The culture of security is one of the things that I’m not sure we’re all there yet. I know we talk a lot about security, but that culture, it has to be built into the organization, literally built in, and the best example I can use, again, I’m a NASCAR fan.
Dr. Ron Ross: I’m also a big NASA fan. I used to follow the space program and one of the things that stuck with me for many, many years was President Kennedy made a trip down to the Johnson Space Center when we were getting ready to put a man on the moon, and he was walking down the hall and he came across this janitor sweeping the floor, and he stopped and said, “Sir, what do you do here at NASA?” and the janitor looked up and said, “Mr. President, I’m helping put a man on the moon,” and I thought that was really reflective of the culture that NASA built. Everybody down to the janitor was invested in that mission of putting a man on the moon. I think that’s what we have to get to in the security business where everybody understands that security is not just a bunch of people running around putting in security controls. This is about the life and death of a mission or a business in a world where we are totally dependent on information technology.
Dr. Ron Ross: So we have a long way to go, but all the things that we’re talking about tonight are pieces of how we build and maintain that culture over time.
Victor Berlin: Well, that’s great. That’s a great note to end this discussion and turn it over to Christine so we can have some Q&A and hear some of the questions that have been raised and it gets me specific answers out.
Mission Critical Institute for Cybersecurity Staff Member: Yeah. So I will start asking some of the questions that we have here, but what I want to highlight on the screen right now is if any of you are interested, of course, please email us at firstname.lastname@example.org to request your free cybersecurity career planning tool. We will leave this email up for the duration of this webinar, but I wanted to call your attention to that first.
Mission Critical Institute for Cybersecurity Staff Member: So let’s just start getting some answers to some of the questions that are out there. So, first question: “I want to qualify to become a NIST RMF specialist or an ISSO. How can I acquire those skills and project experience that’s needed to get employed in this position?” So [crosstalk 00:53:02]-
Victor Berlin: Applying-
Mission Critical Institute for Cybersecurity Staff Member: [crosstalk 00:53:02]
Victor Berlin: Go ahead.
Mission Critical Institute for Cybersecurity Staff Member: No, Victor. Yeah, I think you’d be a great person to answer that.
Victor Berlin: Well, I think number one, you need to look at what it is that employers are looking for, and make sure you really understand it. I think again, as Ron and [inaudible 00:53:19] looking at the careers framework, workforce framework is one way to do it, but you need to join a program or get into a program where you can learn how to apply the NIST RMF, and then you also have to get to use it. You must not only learn how to use it, but you must perform some projects, produce some deliverables that enable you to demonstrate your capability to use it. At the same time, employers are always asking for certifications, especially ones that demonstrate you know how to detect and assess vulnerabilities. So you want a program where, again, you get that opportunity to get prepared for certifications as well as get the practical experience of applying the NIST RMF framework.
Mission Critical Institute for Cybersecurity Staff Member: Well, okay, so let me ask some follow-on questions, because those both beg the question … First of all, which certifications? And second of all, do you have a program, can you give us an example of a program that really works well to meet these particular needs?
Victor Berlin: Well, I have obviously a personal bias about that, but the certifications, and again, I always start out by what is your target career and what is your target job, where do you want to be, and what do those employers want you to have? But in the risk management arena, certainly the certified authorization professional, the CAP, is one certification that relates to that. But if you’re … as both Richard and Ron indicated, if you’re going to move up in management, the CISSP is another certification that also helps you.
Victor Berlin: And then finally, if you’re going to be looking at vulnerabilities, the CDA certification is a relevant certification. Mission Critical Institute has launched the Certified Cloud Security Risk Management Professional Certification, which is actually one of the few hands on certifications that are based on the candidate actually producing the deliverables of a NIST risk management framework. And so there’s no exam, but you must actually perform those projects and demonstrate you can perform those projects.
Victor Berlin: So I would say that that’s an example of a program. Baker College, whom Mission Critical Institute supports, offers a program like this. And what’s interesting about what Baker College does is it’s embedded the NIST risk management framework in an MBA program so that you not only are learning how to apply the NIST RMF, but you’re developing the competencies that both Richard and Ron mentioned about communicating with the C-Suite. What are the business and management competencies you need to be able to effectively communicate the risk management findings that you’re developing as you move up in the organization? So there’s a specific example you can take a look at.
Christine Olyer: Well, so a listener is going to look at the program through Baker College. What should they be comparing against other programs that are out there, because we know there are other programs?
Victor Berlin: Well, they should be looking at the program. They should be comparing programs in terms of what kind of practical experience they get to demonstrate their competencies. They should be looking at what kind of preparation they get for certifications. They need to see if they’re covering all the steps of the NIST RMF if that’s what they want to focus on. Those are the key elements they should be taking a look at.
Mission Critical Institute for Cybersecurity Staff Member: Great. I think that’s really helpful. We’ve got some other questions here. Here’s one from someone who has been in cybersecurity for over two years and wants to move up into cloud security. So cyber to cloud security. He is being told that he needs NIST RMF or FEDRAMP experience. What are some of the ways he can get that experience?
Victor Berlin: Well, I guess, again, you must obviously get an opportunity to work on projects, both with on-premise systems and cloud systems, where you get to apply the NIST RMF and the FEDRAMP framework, which obviously integrates the NIST risk management framework with it, but again, that practical experience is what employers are looking for. They want to know that when you come in to the position, you can do step two, step three, step four, whatever is required on a particular project.
Mission Critical Institute for Cybersecurity Staff Member: So let me ask Richard or Ron. Some of these cyber security programs, they’re kind of expensive. Do either of you think it’s worth it for folks to participate in those so that they can enter into the cybersecurity arena?
Dr. Ron Ross: Well, I think everybody has to make their own decisions in that regard. I know education in general today, whether you’re talking about cybersecurity or any kind of education, can be fairly expensive, very expensive in many cases, but there’s always the self study. I’m a big proponent of going to the source documents to start out. It doesn’t cost anything to go to the NIST website to get a copy of 837 or 853, or any of the other documents that we have that can just get you familiar with the topic of the RMF. A lot of times people may have an impression of what it’s like to be an RMF expert, but when they get into it, it’s just not exactly for them. On the other hand, they can dive into that and that can reinforce some of the things that they’ve been thinking they would like to do. And again, source material is critical. Getting to the fundamentals of the RMF and reading about them.
Dr. Ron Ross: By the way, anybody can call anytime. If you’re looking at the RMF or any of the NIST documents, you can send me an email or call me up anytime, and I do this quite frequently with people, or just have a discussion. If you have a question about one of the steps in the RMF or whether you think this is a good career move, you can use NIST as a resource to answer technical questions or even get advice on careers, and I’m sure the folks at Mission Critical Institute would be willing to do the same thing. But there’s got to be an investment of your own time first before you shell out the big bucks for a degree or a program or a certificate. Just make sure that you’re in the right place because that means it’s going to be a good investment for your future. And it will be money well spent.
Richard Spires: Yeah, and I’ll just pick up. Well-stated, Ron. You do need to understand and do your own self study and of course there are some of these certification programs like the [inaudible 01:00:43] or CISSP or the Certified Ethical Hacker, as an example. Now they do typically require that you would take a class. They may be four- or five-day classes together with an exam. Now some of them also require some years of practical experience before you can get fully certified in those, but I think those could be good augmentation strategies together with the education kinds of things that Baker College is offering in a real program tied to something like an MBA program as well. So there’s different things you can do in order to get into the cybersecurity field that don’t necessarily require a full degree, especially if you already have a technical background. If you already have an undergrad technical degree, for instance, these are augmentation strategies with certifications that can help you.
Victor Berlin: Yeah, I can add one other piece to that. I think in taking a lesson from what you have to do as a cybersecurity practitioner, you need to do your own personal return on investment analysis. You need to look at what is it you hope to gain both in terms of career impact, but also in terms of compensation and what do you have to invest, and that’s your investment decision. It’s a personal investment decision, but you can do that analysis and Mission Critical Institute often helps candidates make that decision and figure out does it make sense for them or do they have the capability, as Ron indicated, of self study.
Mission Critical Institute for Cybersecurity Staff Member: Well, we are out of time. We’ve run over in our webinar by a couple of minutes, and this webinar will automatically end in about a minute. So I wanted to thank Dr. Ron Ross, Richard Spires, CEO of Learning Tree, and Dr. Victor Berlin for your time and your expertise. We genuinely appreciate it and look forward to the next webinar.
Dr. Ron Ross: Thank you all too. Appreciate it.
Richard Spires: Thank you.