DigitalGov shared this...thought some of you might mull over it.
Rethinking Cybersecurity from the Inside Out
After four years of research and development, the National Institute of Standards and Technology (NIST) has published a groundbreaking new security guideline that addresses the longstanding problem of how to engineer trustworthy, secure systems — systems that can provide continuity of capabilities, functions, services, and operations during a wide range of disruptions, threats, and other hazards. In fact, I think that Special Publication 800-160, Systems Security Engineering, is the most important publication that I have been associated with in my two decades of service with NIST.
Our fundamental cybersecurity problem can be summed up in three words — too much complexity. There are simply too many bases — all the software, firmware, and hardware components that we rely on to run our critical infrastructure, business, and industrial systems — for us to cover as it is, and we’re adding to the number of bases all the time.
Increased complexity translates to increased attack surface — providing adversaries a limitless opportunity to exploit vulnerabilities resulting from inherent weaknesses and deficiencies in the components of the underlying systems that we have built and deployed. We can characterize this predicament as the N+1 vulnerabilities problem.