SecurityWeek

Trump’s Cybersecurity Executive Order a Positive Step, but Just a Start


Trump’s Cybersecurity Executive Order Should Serve as a Starting Point, Not the Be-all-end-all for Ensuring a Comprehensive Program

President Trump recently signed the much-awaited executive order focused on strengthening the cybersecurity of federal networks and critical infrastructure. It is a wide-ranging order that touches on everything from the need for an agency-by-agency risk assessment to dealing with outdated infrastructure and botnets and building a cyber-educated workforce.

The executive order is a solid step towards improving the security posture of government, with a focus on a risk-based approach.

At the core of the assessment process is the NIST Cybersecurity Framework, which has been broadly adopted in both private industry and government as a benchmark against which organizations assess their security programs.

While it certainly does not address every nook and cranny of cybersecurity, it serves as an overarching framework and a common language. Users should think of it as a starting point, not the be-all-end-all for ensuring a comprehensive program.

Few sizable agencies or enterprises realistically have everything they need to know at their fingertips to comprehensively evaluate every aspect of their program against the framework. The initial assessment will require a lot of manual data gathering to properly characterize their operation against the many different requirements. Along the way, identifying the authoritative source of each piece of information is what allows that collection to be automated, leading to a continuous-monitoring mode of operation rather than a once-a-year exercise.

Like any other regulation or compliance requirement, one of the dangers of an order like this one is that it can take on a life of its own, leading stakeholders to lose sight of the forest for the trees.

The executive order is intended to provide motivation and guidance for agencies to get their house in order, and cannot possibly prescribe every step in the process (nor would anybody want it to). 

It is important for practitioners and stakeholders in the government to stay mindful of the goal of a more secure government, and not treat the end goal as a report delivered after 90 days and every year thereafter.

The order is an opportunity for government CISOs to rally the troops across their agencies and initiate a cyber risk management process with a mindset of continuous compliance, shifting every function to ask daily: "Is what I am doing putting my agency's data and systems at risk?"

One aspect of the order that supports the concept of making security everybody's business is the requirement to establish integrated teams of senior executives across IT, security, budgeting, acquisition, law, privacy, and human resources. It emphasizes that this is not a problem the CISO or CIO will resolve alone; it requires a comprehensive team effort across the agency's functions.

The order promotes a risk-based approach. Note the repeated references to "Cybersecurity Risk," the notions of risk and asset value in statements like "commensurate with the risk and magnitude of the harm," and the sections on "Support to Critical Infrastructure at Greatest Risk" and "Assessment of Electricity Disruption Incident Response Capabilities." This risk-based approach encourages agencies to prioritize risks to their most important missions rather than focusing only on technical prescriptions like vulnerability scanning or the like. It is an approach that speaks a common language of risk, familiar to those outside of security, and it is certainly near and dear to the defense side of government.

In addition to the traditional aspects of cybersecurity, the order also touches on other activities that indirectly but significantly impact government agencies’ cyber risk posture. 

Many agencies and private enterprises would rather let sleeping dogs lie, not touching functional though outdated systems, and do not pay enough attention to the residual risk that comes with being unable to patch an outdated OS or application. The sections of the order that address the risks of "antiquated and difficult-to-defend IT" promote weighing the cost of exposed IT infrastructure against the cost of replacement, a mantra often heard from former federal CISO, Ret. Gen. Greg Touhill (aka "Touhill's law").

Finally, the section on developing cyber skills and competency in the workforce is critical. We in the industry are all familiar with the challenge of finding and keeping quality people with cyber experience. Shining more light on the problem and promoting training can only benefit the industry as a whole, but there also needs to be a more immediate plan for response until that ramp-up occurs. Automation of mundane, repeatable tasks is critical to an effective cybersecurity program, and it frees people to focus on the higher-level activities that are not suitable for automation.

Overall, I applaud President Trump's executive order and hope that it provides the incentive to raise the bar of our government's cybersecurity posture. In combination with the many government programs already in motion, such as Continuous Diagnostics and Mitigation (CDM), it can only help move the ball forward.
