GUEST ESSAY: Why Trump’s cybersecurity executive order is a step in the right direction

By Alberto Yépez

Last May, the White House issued a cybersecurity executive order (EO)—the Trump administration’s first major action on cyber policy. It has attracted naysayers. The fact is, however, that the president has finally plugged a huge hole by putting in place a guiding strategy for our nation’s cyber defense.

And his suggestions are solid.

Related article: Trump’s cybersecurity order calls for work force development

The order charges the government with reviewing its cyber posture and places responsibility for cyber risk on those officials who lead federal agencies, such as the Departments of Homeland Security and Defense. They must provide reports this month based on the National Institute of Standards and Technology framework, the de facto standard. And broader reports on issues impacting our nation’s critical infrastructure, such as our electric grid, must be completed in the next three months.

The EO also catalyzes an effort to drive a much bigger and better-educated cyber work force—one woefully small in comparison to demand.

Ultimately, the administration is setting the stage to secure porous federal networks that have been repeatedly infiltrated by nation-states such as China and Russia, and nobody refutes this must stop.

Widening the security net


One particularly appealing aspect of the president’s EO is that it supports the concept of making security everybody’s business. To this end, it requires government agencies to establish integrated teams of senior executives across IT, security, budgeting, law and privacy, among other areas.

Cybersecurity problems cannot be solved by a CISO or CIO alone; they require a team effort. This is an opportunity for government CISOs to rally agency troops to improve cybersecurity with a mind-set of continuous compliance.

Putting dollar figure on exposure

Trump’s EO also addresses the tendency among federal agencies—not to mention private enterprises—toward inertia. Today, insufficient attention is paid, for example, to the risk associated with the inability to patch an outdated operating system or application. To address this, the EO promotes assessing the cost of exposed IT infrastructure against the cost of replacement.

And then, of course, there is the focus on the cyber work force issue. Given projections of a global shortage of 2 million cybersecurity professionals by 2019, the promotion of cyber training is clearly beneficial. It also would be nice if an immediate plan to accomplish this end were put in place.

Baking security into design

Another needed step—although unaddressed, so far—is embedding cybersecurity into system architecture and design, which would substantially enhance protection. Obviously, this will not happen overnight. The cost of replacing today’s systems with better-protected systems is massive. Nonetheless, the effort needs to start, and in the interim there are ways to enhance security beyond specific cybersecurity products and services.

Underwriters Laboratories has a Cybersecurity Assurance Program (CAP), for example, that uses a new set of standards to test network-connected products for software vulnerabilities. The UL certification is for both vendors of Internet of Things (IoT) products and for buyers of products who want to mitigate risks.

Part of the value of CAP is that it helps software and equipment makers incorporate the many patches and updates from third parties and open-source providers whose code is used in an application or software product that runs on a device. Patches don’t always make it into finished products, and this is a cause of security breaches.

Worthwhile first steps

For now, let’s applaud an administration that is finally doing something proactive and comprehensive about the omnipresent—and increasingly menacing—security threat. It doesn’t address every cybersecurity nook and cranny, but it finally provides an overarching framework. It’s an excellent start. We’re finally moving in the right direction.

About the essayist: Alberto Yépez is the managing director of Trident Capital Cybersecurity


This article also appeared in ThirdCertainty.com
