Building a house requires a blueprint. When it comes to building systems, National Institute of Standards and Technology’s (NIST) documents about security by design are some of the most reliable blueprints. As systems become more complex, they’re also more likely to be fragile. Meanwhile, we continue to add new devices, apps and tools into our daily lives faster and faster. These two conditions create the perfect landscape for constant change. They also drive invention in cybersecurity and, generally speaking, the future of digital defense.

So, if cybersecurity experts should expect this rapid pace of change to continue into the future, what is the best way to create an effective blueprint for it? One answer lies in the security by design (sometimes referred to as SBD or SbD) approach, clearly spelled out in NIST SP 800-160 Volume 1, Systems Security Engineering, Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. It’s a great document, but people in the industry don’t value it enough; it deserves to be read and applied more often.

So, let’s take a look at an 80,000-foot view of NIST SP 800-160.

This article is the first of a four-part series. We’ll draw out some high-level key thinking behind NIST SP 800-160, briefly touching on the introduction and the core concepts covered in the first two chapters. The following three pieces will cover parts of chapter three, which focuses on the system life cycle process.

The Stages of Constant Change

Before diving into NIST SP 800-160 and the security by design principles, it helps to understand the information technology world we live in. Living in constant disruption is like going through the stages of grief:

  • You are prone to compromise because systems are at risk by design (denial).
  • Attacks on your system will frustrate you (anger).
  • You will try to short circuit the frustration by using a quick fix (bargaining).
  • You will realize this is a hard battle to win (depression).
  • You understand there are no quick fixes and you just have to manage this thing called information security (acceptance).

If you haven’t reached the acceptance stage, you may not be ready for your NIST SP 800-160 journey. The systems security engineering thought process helps you manage existing and future cybersecurity challenges from a paradigm that is only recently gaining traction: looking at your network as a complex, connected system of systems, acting and operating as one.

History and Purpose of NIST SP 800-160

NIST created SP 800-160 because the powerful and complex digital systems developed by the U.S. are linked to economic and national security interests. The Department of Defense acknowledged that cyber threats are serious and identified several main risks: threat actors were breaking into networks, red teams could cause disruption with relative ease, and our networks and systems had a weak defensive posture. The Defense Science Board noted that the two top tiers of vulnerabilities — unknown vulnerabilities and those created by threat actors — were almost always hidden from the groups they affected. Therefore, the key is to minimize cyber risk by looking at information security challenges through a security design-first perspective.

To shore up these weaknesses, NIST addressed the issue from an engineering perspective. This perspective would not only help defend the system, but also help it survive. By approaching the issue through the lens of security design, information security systems and cybersecurity innovations could be not only resilient but antifragile. In other words, they strengthen when tested.

NIST SP 800-160 achieves this by building upon established international standards. It brings them together to create a ‘system of systems’ view that focuses on security engineering techniques, methods and practices. The system-of-systems approach is critical to understanding the principles outlined in NIST SP 800-160, as it forces you to think through the entire life cycle of your operations.

Think of Security by Design Like a Human Body

Your body may have a lot of different parts, but put together, they are a system of systems that work together and help you get through your daily life. As part of that daily grind, our bodies have methods of protection, namely by using systems in tandem.

For example, if you cut your finger and develop an infection, the body doesn’t give up on your finger and grow a new one. Rather, your immune system heals the area around the finger to protect the rest of the body. This is why hygiene — and cyber hygiene — is vital. When you’re using security by design principles, the end state is very much like a human body. All systems work together as one.

Key Principles of Security by Design

So, where do you start with NIST SP 800-160 to apply these principles to your own systems? Chapters 1 and 2 lay out the definitions and concepts of the security by design method. Pay special attention to where these two chapters explain the thinking behind those definitions and concepts. One of the hidden gems of this document is that it outlines the principles and core concepts in a manner that forces you to apply them to your own needs, which also helps you customize them. Because the principles are clearly stated, you can understand why the document defines things the way it does. If the document doesn’t define your specific needs, you’ll still learn which factors to consider so you can define them in a manner that applies to your systems.

One of those core concepts is trustworthiness and the requirements behind it. These can include attributes of safety, security, reliability, dependability, performance, resilience and survivability under a wide range of potential threats. This forces you to think about digital defense from your own perspective and in terms of what your group can do. By nature, measures of trustworthiness are meaningful only to the extent that the standards are sufficiently complete and well-defined, and that readers can correctly assess them.

Scratching the Surface of NIST SP 800-160

NIST SP 800-160 applies to any enterprise serious about its information security design. It also applies at any stage of the life cycle. As the special publication says, you can use it if you are looking to:

  • Add new systems
  • Modify existing systems
  • Use dedicated or special-purpose systems
  • Use systems-of-systems
  • Evolve systems
  • Retire systems

In chapter 2, the document focuses more deeply on some of the basics. Here, it draws out the importance of being holistic in your approach. These core concepts guide you on how to be critical about your thinking and your problem solving. They look well beyond just technical safeguards and measures to include cost, scheduling, effectiveness, operational performance and technical performance, all of which are driven by your risk tolerances.

Chapter 2 also outlines the multidisciplinary aspects that go into a systems engineering effort. It demonstrates links between systems, adequacy, standards (and limits) of stakeholder input, asset considerations, tolerances, event consequences and loss considerations, active and passive protections, and many other issues.

Apply Security by Design and System Engineering

Chapters 1 and 2 alone are over 20 pages. They lay the bedrock of what sort of thinking needs to go into securing a system.

Keep in mind these words from Carl Landwehr: “This whole economic boom in cybersecurity seems largely to be a consequence of poor engineering.”

Those looking to improve their cybersecurity posture would be well served to look at the engineering of their system as a sound first step. NIST SP 800-160 helps you focus on what matters as you do.
