SecurityWeek

Trump’s Cybersecurity Executive Order a Positive Step, but Just a Start

Trump’s Cybersecurity Executive Order Should Serve as a Starting Point, Not the Be-all-end-all for Ensuring a Comprehensive Program

President Trump recently signed the much-awaited executive order focused on strengthening the cybersecurity of federal networks and critical infrastructure. It is a wide-ranging order that touches on everything from the need for an agency-by-agency risk assessment to dealing with outdated infrastructure, botnets, and building a cyber-educated workforce.

The executive order is a solid step toward improving the security posture of government, with a focus on a risk-based approach.

At the core of the assessment process is the NIST Cybersecurity Framework, which has been broadly adopted across private industry and government as a benchmark against which organizations assess their security programs.

While the framework certainly does not address every nook and cranny of cybersecurity, it serves as an overarching structure and a common language. Users should think of it as a starting point, not the be-all-end-all for ensuring a comprehensive program.

Few sizable agencies or enterprises realistically have everything they need at their fingertips to comprehensively evaluate every aspect of their program against the framework. The initial assessment will require a lot of manual data gathering to properly characterize the operation against the many different requirements. Along the way, identifying the authoritative source of each piece of that information is what allows the gathering to be automated, leading eventually to a continuous monitoring mode of operation rather than a periodic scramble.

Like any other regulation or compliance requirement, one of the dangers of an order like this latest one is that it can take on a life of its own, leading stakeholders to lose sight of the forest for the trees.

The executive order is intended to provide motivation and guidance for agencies to get their house in order, and cannot possibly prescribe every step in the process (nor would anybody want it to). 

It is important for practitioners and stakeholders in government to keep the goal of a more secure government in mind, and not treat the end goal as being a report delivered after 90 days and every year thereafter.

The order is an opportunity for government CISOs to rally the troops across their agencies and initiate a cyber risk management process with a mindset of continuous compliance, shifting every function toward asking daily: "Is what I am doing putting my agency's data and systems at risk?"

One aspect of the order that supports the concept of making security everybody's business is the requirement to establish integrated teams of senior executives across IT, security, budgeting, acquisition, law, privacy, and human resources. It emphasizes that this is not a problem that will be resolved by the CISO or CIO alone, but one that requires a comprehensive team effort across the agency's functions.

The order promotes a risk-based approach. Note the repeated references to "Cybersecurity Risk," the notions of risk and asset value in statements like "commensurate with the risk and magnitude of the harm," and the sections on "Support to Critical Infrastructure at Greatest Risk" and "Assessment of Electricity Disruption Incident Response Capabilities." This risk-based approach encourages agencies to prioritize risks to their most important missions rather than focusing only on technical prescriptions like vulnerability scanning and the like. It speaks a common language of risk, familiar to those outside of security, and certainly near and dear to the defense side of government.

In addition to the traditional aspects of cybersecurity, the order also touches on other activities that indirectly but significantly affect government agencies' cyber risk posture.

Many agencies and private enterprises would rather let sleeping dogs lie, leaving functional though outdated systems untouched, and do not pay enough attention to the residual risk that accumulates when an outdated OS or application can no longer be patched. The sections of the order that address the risks associated with "antiquated and difficult-to-defend IT" promote weighing the cost of exposed IT infrastructure against the cost of replacing it, a mantra often heard from former federal CISO, Ret. Gen. Greg Touhill (aka "Touhill's law").

Finally, the last section, which addresses developing cyber skills and competency in the workforce, is critical. We in the industry are all familiar with the challenge of finding and keeping quality people with cyber experience. Shining more light on the problem and promoting training can only benefit the industry as a whole, but there also needs to be a more immediate plan for response until that ramp-up occurs. Automation of mundane, repeatable tasks is critical to an effective cybersecurity program, and it frees staff to focus on the higher-level activities that are not suitable for automation.

Overall, I applaud President Trump's executive order and hope that it provides the incentive to raise the bar of our government's cybersecurity posture. In combination with the many active government programs already in motion, such as Continuous Diagnostics and Mitigation (CDM), it can only help move the ball forward.
