The Cybersecurity Executive Order is a welcome, positive move—a long-needed call to action that will help many organizations to do the basics brilliantly. More on those basics in a moment. But first, there are many unanswered questions. This is a good thing because it means there is time for companies to study the executive order and engage with partners and government authorities to work out the devilish details. Participating in the rulemaking processes will put companies in a position to not only meet the requirements but thrive in the new environment—where companies’ security practices will become part of their competitive edge.
A big swing of the bat that we applaud
This is the most promising, farthest-reaching move we’ve seen the federal government take to secure the U.S. If we can operationalize these changes, it’s a major strike against cybercriminals, one that will increase their cost of doing business while reducing our costs.
Think of all the money companies are spending now to deal with the attacks that make it into and through their systems. The ransomware attacks. The data exfiltration. The denial-of-service attacks. The damage to reputations, degradation of shareholder value, the regulatory fines, and the angry people whose information has been stolen. If this executive order does what it is intended to do, shifting the emphasis from reaction to prevention, the net should be reduced costs for companies.
We expect and hope that the executive order will drive significant changes in companies’ secure software design and operations, EDR plans and real-time information sharing. If industry and government follow through on this promise, it will raise the security bar for everyone—improving resilience for U.S. companies and as a result, the resilience of America to cyber-attacks.
About those ‘basics’
When we talk about helping companies become brilliant at the basics, we’re describing things like security hygiene; rigorous industry-specific controls; effective access management controls; continuous patching; ensuring visibility into and protection of ‘crown jewel’ data; comprehensive backup and recovery strategies; and crisis management/incident response planning. When we do these things better, everybody will be better off.
The ‘trickle down’ benefits
As the various elements of the order are implemented over time, we believe there will be multiple, significant benefits for companies that follow the order’s lead, including:
- More secure software design.
- More secure supply chains.
- More emphasis on easier-to-secure (and business-driving) digital technologies such as cloud, zero trust, MFA everywhere, incident tracking and reporting, and other technologies such as SaaS and PaaS.
- The opportunity to wield improved cybersecurity as a true differentiator in the marketplace, generating not only more work with the federal government but also more work with leading businesses that are likely to adopt these same requirements for their vendors.
- More transparent, trustworthy relationships between government and business and between businesses.
Ready to put some skin in the game?
Companies, and CISOs in particular, need to quickly assess their ability to meet these standards and, beyond that, consider how to apply them. And this is important: companies need to work together, and with their industry and cybersecurity partners, to help shape what the final standards should look like. The direction has been set by the government; now it is up to us to define how to implement these standards.
Finally, this is a key moment to bring cybersecurity to the board room. The secure software requirements in particular create an opportunity for both CISOs and CIOs to engage boards and CEOs about reshaping their strategies and investments to meet and lead with more secure products, not minimum viable products. This is what we expect to become a new, more secure normal.
This is a key moment
In short, it’s an opportunity for all organizations to raise the security bar—improving resilience for U.S. companies and as a result, the resilience of America to cyber-attacks. Let’s get after it.
By Kelly Bissell
About the author: Kelly Bissell is Lead at Accenture Security.