Details are emerging, but DSS leadership has begun speaking in public about its desire to reform from within. Taken collectively, the new approach is quite radical for an agency that deploys legions of industrial security reps to enforce security-by-checklist.
Let’s peer through the magnifying glass to see where DSS is moving.
Au Revoir NISPOM. While acknowledging that this touchstone of industrial security rests on basic security baselines, DSS is calling NISPOM a static document in need of change.
Risk Risk Baby. In place of NISPOM, DSS wants to back away from an obsession with facilities and take a risk-based approach toward the key assets that companies possess, so that they can:
- Identify what needs protection
- Consider threats and vulnerabilities
- Develop a tailored security plan for each company
Here is the five step program.
- Watch Your Assets. The first step in this process is to identify assets at each facility. It may be hard to fathom, but the government does not yet have a good handle on where the critical assets live out in industry, an obvious precursor to effective risk management. DSS is now conducting a baseline survey based on a list maintained by the U.S. Department of Commerce.
- Prioritize. Next it will be necessary to rack and stack the most important assets and emphasize protecting those first.
- Analysis and Review of Threat, Vulnerability and Impact. DSS hopes to create a scoring system based on threat and risk analysis, much like a “FICO Score” for security.
- It Suits You Down to the Ground. DSS says it will help create a Tailored Security Program for each company.
- Assessment Phase. Performance criteria will be instituted to judge companies’ security programs.
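To make the five steps concrete, here is a small worked example of the workflow they describe: inventory assets, score each on threat, vulnerability and impact, rank them, and then check each against tier-based performance criteria. This is an added illustration, not DSS's scoring model or any published program; the 1-to-5 rating scale, the tier thresholds, the minimum-control criteria and the sample assets are all constructed assumptions.

```python
"""Toy risk-based asset prioritization, modelled on the five-step outline.

Added example: not DSS's scoring model. The scales, weights, tier thresholds
and sample assets below are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field

SCALE = range(1, 6)  # assumed rating scale: 1 (low) .. 5 (high)
MAX_PRODUCT = 5 * 5 * 5  # largest possible threat*vulnerability*impact

# Assumed performance criteria: minimum documented controls per risk tier.
MIN_CONTROLS = {"critical": 3, "elevated": 2, "baseline": 1}


@dataclass
class Asset:
    """One asset identified at a facility (step 1), with its ratings (step 3)."""
    name: str
    facility: str
    threat: int
    vulnerability: int
    impact: int
    controls: list = field(default_factory=list)  # documented safeguards


def validate(asset: Asset) -> None:
    """Reject ratings outside the assumed 1..5 scale instead of silently scoring them."""
    for label, value in (("threat", asset.threat),
                         ("vulnerability", asset.vulnerability),
                         ("impact", asset.impact)):
        if value not in SCALE:
            raise ValueError(f"{asset.name}: {label} rating {value} not in 1..5")


def risk_score(asset: Asset) -> int:
    """Composite 0..100 score, analogous to the 'FICO score' idea in the text.

    The product of the three ratings (1..125) is normalised to a percentage.
    """
    validate(asset)
    return round(asset.threat * asset.vulnerability * asset.impact / MAX_PRODUCT * 100)


def tier(score: int) -> str:
    """Map a score to a tier (thresholds are assumed, not from the article)."""
    if score >= 50:
        return "critical"
    if score >= 20:
        return "elevated"
    return "baseline"


def prioritize(assets: list) -> list:
    """Step 2: rank assets highest risk first; ties broken by name for stability."""
    return sorted(assets, key=lambda a: (-risk_score(a), a.name))


def assess(assets: list, min_controls: dict = None) -> list:
    """Step 5: flag assets whose documented controls fall short of their tier's minimum.

    Returns (asset name, tier, controls present, controls required) per shortfall.
    """
    min_controls = MIN_CONTROLS if min_controls is None else min_controls
    findings = []
    for asset in prioritize(assets):
        t = tier(risk_score(asset))
        if len(asset.controls) < min_controls[t]:
            findings.append((asset.name, t, len(asset.controls), min_controls[t]))
    return findings


# Constructed sample inventory (hypothetical names and ratings).
SAMPLE_ASSETS = [
    Asset("propulsion test data", "Site A", 5, 4, 5, ["access control", "encryption"]),
    Asset("visitor badge system", "Site A", 3, 3, 4, ["access control", "logging"]),
    Asset("cafeteria vendor list", "Site B", 2, 2, 2, []),
    Asset("guidance firmware repo", "Site B", 4, 4, 5,
          ["access control", "code signing", "logging"]),
]


def report(assets: list) -> list:
    """Ranked (name, score, tier) rows; returned rather than printed so it can be checked."""
    return [(a.name, risk_score(a), tier(risk_score(a))) for a in prioritize(assets)]


if __name__ == "__main__":
    for name, score, t in report(SAMPLE_ASSETS):
        print(f"{score:3d}  {t:9s}  {name}")
    for name, t, have, need in assess(SAMPLE_ASSETS):
        print(f"SHORTFALL: {name} ({t}) has {have} controls, needs {need}")
```

Running the block ranks the sample assets and prints a shortfall for any asset whose documented controls do not meet its tier's assumed minimum. The point is the shape of the workflow rather than the numbers: whatever scale DSS settles on, each facility needs an inventory before scoring, a ranking before tailoring, and explicit criteria before the assessment phase can judge anything.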
The positives: This is a move in the right direction and is long overdue. Clearly “check the box” is not adequate when you’re talking about a security program. Threats are dynamic; static defense cannot keep up. Not to mention, security by checklist is annoying, and annoyance slows adoption.
The roadblocks: There is a vision but DSS needs a clear roadmap that includes specific measures of effectiveness for the new program. The biggest stumbling block may in fact be DSS’ workforce that has been trained on conducting inspections based on a fixed set of criteria. We note that NISPOM’s most recent update requiring insider threat programs to be established, Conforming Change 2, doesn’t incorporate measures of risk.
Bottom line: if your company hasn’t thought about doing a threat and risk assessment of your own internal assets, well then, Cato, now is the time!