NIST's Ron Ross on How a Career Evolves
Information Risk Management Leader Sees New Challenge in 2015
After 20 years in the Army and nearly that long as an information risk management leader at the National Institute of Standards and Technology, Ron Ross still has dreams about furthering his career.
Ross, for the past dozen years, has led NIST's Federal Information Security Management Act Implementation Project, which develops security standards for government agencies, contractors and critical infrastructure. Ross also has served as the principal architect of NIST's risk management framework.
But next year, Ross says, he expects to switch his focus at NIST to helping enterprises in and out of government adapt NIST guidance - Special Publication 800-160 - that applies the disciplines systems engineers follow to build bridges and jetliners to implementing information security and risk management initiatives (see Applying Engineering Values to InfoSec).
"One of my dreams and goals now is to take the body of work that we completed at NIST during the FISMA years, the last 12 years, and integrate those security best practices into the mainstream organizational processes that people use every day," Ross says in an interview with Information Security Media Group. "There's a lot of work to be done there, and I'm really excited about the potential for that to go forward in 2015."
In the interview, Ross also discusses:
- The trajectory of his career, which began in 1969 when he left his home in Southern California to travel nearly 3,000 miles east to attend the U.S. Military Academy at West Point.
- How, after a promised job in the Army didn't materialize, he opted to accept an assignment at the National Security Agency, his entrée into the world of information assurance. "One of the things I always tell young people - you have to be flexible and agile in your career because you never know what is going to happen," Ross says.
- The communications skills NIST technical staffers need to perform their jobs. "Being able to communicate important concepts is really critical to everybody who works at NIST [in order] to try to get the message out to as many people as possible," he says. "I use the term: 'winning the hearts and minds.' You have to be able to do that to get people on board so they can use the guidance to the maximum extent possible."
Ross says he was attracted to the computer security and information risk management profession by the challenges it poses. "It's the difficult nature of the problems and the importance of getting it right," he says. "Getting it right is critical because it relates directly back to our national and economic security interests."
Ross, the lead author of most of NIST's guidance on risk management and risk assessment, also heads the Joint Task Force Transformation Initiative Working Group, a partnership of NIST, the Defense Department, the intelligence community and the Committee on National Security Systems, to develop a unified information security framework for the federal government.