By William Jackson
Natalie Givans, a vice president at Booz Allen Hamilton.s information
and mission assurance and resilience group, has gained experience during
her career in analyzing and designing security for a variety of
government and commercial information and communication systems.
From 2000 to 2005, she was on the board of the International Systems
Security Engineering Association, which developed the System Security
Capability Maturity Model. Givans has said information security is a
matter not only of technology but also of leadership, economics, policy
GCN: You have worked in the information security field for more than 20
years. What changes have you seen?
GIVANS: I started at Booz Allen 24 years ago. Back then, we were working
on crypto devices, things like the STU-3, the Secure Telephone Unit, at
all levels of government - primarily point solutions. That was the
extent of the security industry. I found it difficult to talk with
commercial organizations - energy utilities, financial services
companies - about their responsibilities to protect resources in what
was becoming an electronic world. They didn't understand anything beyond
scrambling the bits. We were ahead of our time in terms of our concerns.
With the fact that everything is connected to everything now, the
threats are coming from within the network as well as from outside. It's
on everybody's mind now.
GCN: You have said that information security involves more than
technology. But is the technology available today adequate for the job?
GIVANS: Information security involves protection of information in the
classic sense, such as encrypting it. It also involves information and
network integrity and their availability as well as the accountability
of the processes and humans involved.
We have a lot of technology, but a lot of it is still point solutions
focused on just one of those problems, not at their integration in an
enterprise or at a national security level. We have a lot of crypto
devices, firewalls, identity and access management, including
biometrics, smart cards and audit software to see what is going on in
the network. My real concern is the integration of that technology.
The [Defense Department] called this defense in depth years ago - it's
not a new idea.
GCN: How do agencies get the funding they need for proper security?
GIVANS: Agencies need to be able to tie information and infrastructure
security to the mission they are trying to accomplish. Be able to
explain what the risks are to the organization and tie information
security requirements to that.
Too often this focus is separate: There are a group of people who worry
about information security but who are not linked to the rest of the
organization. Agencies need to link different elements, to show not only
compliance but show how the money spent on security is going to be an
enabler of their mission.
GCN: How do you measure security? What metrics do you use?
GIVANS: I worked years ago on what has become an [International
Organization for Standardization] standard, the Systems Security
Engineering Capability Maturity Model. We had a large metrics working
group on that. In the software world, it was fairly easy to demonstrate
that higher maturity levels yielded better software.
In the security world, we had a lot of debates about that.
It wasn't really clear that the more process you had, the better the
security would be. In fact, there were times we could prove that really
wasn't the case.
The metrics working group had to take this on. We determined that
security measurements typically focused on areas that were easy to
measure and on what was obvious. Organizations easily can measure the
number of people trained or the number of devices installed or the
number of intrusions that are detected.
The problem is [that] the metrics that people collect do not necessarily
point to better security; they point to better process.
I think it is important for organizations to identify the goals for
their missions, and the threats they are seeing to those goals.
Then they tie their improvements to those. For example, we asked
organizations to identify the specific configuration management
weaknesses that were exploited within their organization and to train
their personnel on how and why they needed to close those
vulnerabilities. Then give them a deadline, give them resources and then
audit and make them accountable.
That string of events would lead to real knowledge of security results.
GCN: How do you translate a security policy into a culture that supports
GIVANS: It starts at the top. If you look at the nation, it starts with
the president. What we find in any organization is that which is
measured is improved, and what leadership talks about are the things
people pay attention to. So first, the most senior leaders must publicly
embrace and advocate security. They also have to ensure there is
adequate funding to implement these policies and that people are
adequately trained. And there has to be accountability, a way to tie the
stakeholders. incentives to the desired level of security maturity.
GCN: Is security training being adequately addressed in most agencies?
GIVANS: Probably not, but it varies greatly from organization to
organization. There are examples where agencies are putting a lot of
effort into it. When we have a lot of budget constraints, training of
any kind tends to take a back seat. There is a need to work out what
kind of training is needed for each kind of employee. In some cases, you
can get by with an awareness campaign; in other cases, security
professionals must have certification.
Certification can be a driver for education. One example of that is the
Defense directive requiring certification of the information assurance
workforce in a certain time frame. Recently, this was picked up as a
requirement that contractors also must achieve certification. Obviously,
organizations still need to provide the funding for that to happen.
GCN: Are there any government success stories that stand out for you?
GIVANS: I would say [the National Institute of Standards and Technology]
is a great example.
Under [the Federal Information Security Management Act], they have
focused on working across the community to establish the right kinds of
guidance, standards and tools that help normalize the requirements. They
have everything from performance measurement guides to information
security handbooks to recommended security controls. I think that is a
great enabler. Another is the Information Assurance Technical Analysis
Center sponsored by [the Defense Technical Information Center and the
Director of Defense Research and Engineering office]. Their emphasis is
on capturing I-A best practices and standards.
GCN: What is the greatest security challenge facing the government in
the coming years?
GIVANS: The big area is the defense of our infrastructure.
There should be a lot of concern about the risk to our financial
systems, our control systems and our networks from both inside and
outside the enterprise. We see more incidents, such as the loss of
information, but more scary is the lack of availability of the
infrastructure when you really need it. That to me is the big threat. We
need to focus on better tools for the prediction, prevention and
reconstitution of our infrastructure. We need to focus on resilience,
not just protection, because we are going to get attacked, the systems
will go down, and what will be important is how fast you can respond and
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com