President Trump’s Executive Order (EO) on the cybersecurity of federal agencies and critical infrastructure is a message to all organizations. It puts into mandate five best practices that CSOs like myself have been evangelizing and performing for quite some time. This might sound like a small step forward, but it’s a meaningful one. By writing these best practices into “stone” it could free CSOs from having to sell these must-dos up the chain of command. It’s like the chairman of the board telling you to do what’s best, instead of you fighting for the financial and managerial support to act.
So, what are these mandated best practices?
- Take Accountability
Accountability and deadlines are essential for driving risk management at scale. In the EO, accountability and timelines take center stage. It’s in Section 1(a): “The President will hold heads of executive departments and agencies (agency heads) accountable for managing cybersecurity risk to their enterprises.” Cyber risk management is a complex endeavor involving multiple areas of an organization, spanning up and down the chain of command. To make such sweeping changes, those people with the ability to effect the change must be charged with driving the changes that are needed.
And, the tasks they delegate must have clear guidelines and dates for completion. For example, in the EO, an agency-focused risk management report is due within 90 days and a report about critical infrastructure entities is due after 180 days. Anyone in a corporate setting knows how important clear marching orders and deadlines are, but in the case of such a complex issue as mitigating enterprise-level cyber risk, it’s easy for scopes of work and deadlines to be shaky. Deadlines are a must.
- Perform Assessments
The EO essentially sets up processes that assess risk, and the main process here is the production of reports. These reports, however, require in-depth assessments. For example, the agency-focused risk management report, mentioned above, must describe the agency’s action plan to implement the NIST Cybersecurity Framework and must document the risk mitigation and acceptance choices made by each agency. Producing a report like this requires the extensive examination of cyber exposure not only focused on IT but also across the organization. It requires knowing what is protected, what isn’t, why it isn’t, and if it’s worth the costs of protecting it—important questions any cyber-secure organization must be able to answer.
- Practice Continuous Improvement
You need to be in a constant state of assessment. Every day new business processes leverage technologies in new ways. Keeping up with an organization’s risk posture requires continual vigilance. The EO acknowledges this first by encouraging entities to plan for maintenance, improvements, and modernization, and second by asking government parties to annually update a report on how agencies could better support the cyber risk management efforts of critical infrastructure entities. In a corporate setting, any assessment, any security measurement is based on a snapshot in time. New uses of technology, new partnerships, new hires, new products, and new consumer experiences all have the ability to open up new vulnerabilities and exposure areas. To know your security posture, you need to employ an iterative cyber risk mitigation process.
- Benefit from Disruptive Technologies
Take advantage of the benefits of disruptive technologies. To “build and maintain a modern, secure, and more resilient executive branch IT architecture,” the EO requires agency heads to “show preference in their procurement for shared IT services, to the extent permitted by law, including email, cloud, and cybersecurity services.” The administration recognizes that some of the most scalable and resilient technologies exist in the cloud. By mandating this approach, the administration is promoting a paradigm shift that should be heard by private industry. Companies need to start looking at whether their future IT spending on internal proprietary systems is worth it.
- Treat Cyber Risk As An Enterprise Risk
Lastly, the all-hands-on-deck philosophy behind the EO is one private organizations should take on as well. The order says, “Effective risk management requires agency heads to lead integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy, and human resources.” This cyber risk committee is standard in some organizations, new or nonexistent in others. By bringing together all of these individuals, with different backgrounds, viewpoints, and risk metrics, cyber risk is treated as the enterprise risk that it is.
While there’s been a lot of commentary on the EO, looking at it from a politically neutral standpoint, aspects objectively valuable to the cybersecurity community become clear. CSOs need to know their company’s cybersecurity posture at all times, as well as the cyber resilience of their infrastructures. What President Trump has effectively done is laid out a set of mandatory assessments to take place in federal agencies and critical infrastructure—and that’s a good thing for the agencies, critical infrastructure entities, and all other organizations alike. Because what’s good for the highest risk enterprises is sound advice for all those at lower risk.