Grabbing my ear as we ate lunch at Hilton Head’s Westin Resort, an information security exec from a mid-sized health care organization said, “I never thought I’d ever get the chance to sit down with the information assurance lead of the NSA.”
Yet there he had been for the last hour at our recent SC Magazine Executive Forum, talking with Tony Sager, the 31-year veteran of the National Security Agency (NSA) and a keynote speaker at the event. The conversation touched on private/public collaboration efforts and the benefits of using NSA and the National Institute for Standards and Technology (NIST) guidance to assist in risk management planning. Indeed, after Sager’s talk the first night of the event, there were plenty of attendees clamoring to speak to him given his position as the chief of the NSA’s Information Assurance Directorate’s Vulnerability Analysis and Operations Group.
It is in this role that Sager and his crew have been working quite hard with other federal government agencies, private sector vendors, end-user companies, and other industry bodies to establish and disseminate standards to help organizations better organize risk management plans and partner more cohesively with vendors. This past year, for example, it was Sager’s group that worked with the U.S. Air Force and Microsoft to examine and provide security-setting recommendations for Microsoft’s Vista operating system. And, as he discussed in his talk, they are looking to shape the development of additional security standards for vulnerability naming and identification, creating the Open Vulnerability and Assessment Language (OVAL), Common Vulnerability and Exposures (CVE), and Common Weakness Enumeration (CWE) standards, for example.
The new model for at least this division of the NSA, then, is to give these useful standards and checklists away, said Sager in his keynote speech, so that a robust public/private partnership can be more firmly established and nurtured. And while such efforts, which often involve a number of stakeholders, sometimes can become “classic cat herding exercises,” the outcomes are well worth the efforts.
Sager’s immense popularity at the SC Magazine event may indicate that there will be even more collaboration to come that will benefit not only the internal and often guarded workings of the government, but also the regularly over-taxed information security leaders hitting events like ours in search of useful and practical advice and best practices.