President Biden’s Executive Order serves as an official and intentional first step to modernize cybersecurity defenses, especially as it relates to federal networks, and creating a more definitive response from the U.S. when incidents occur. Here are a few opportunities and challenges we see ahead!
On May 12, 2021, President Joe Biden signed an Executive Order that introduced efforts to improve the nation’s cybersecurity. The Executive Order serves as an official and intentional first step to modernize cybersecurity defenses, especially as it relates to federal networks, and creating a more definitive response from the U.S. when incidents occur.
I see a lot of good that can come from the Executive Order, as well as a few challenges.
The Opportunities Ahead
Many organizations today struggle to do a fully effective job when it comes to implementing proper cyber defenses. Despite best efforts, organizations invest in security and compliance solutions in an arbitrary way and then fall victim to a variety of cybersecurity threats. In most cases, the tools put in place work, but the organizations using them aren’t always following frameworks or security best practices — including proper and regular security training.
This is one area where I think the cybersecurity Executive Order is doing organizations a great service: increasing awareness. Awareness encourages questions that lead to greater security education. In fact, the Executive Order is starting conversations around the steps organizations need to follow to ensure they have proper cybersecurity defenses in place.
I believe there are three things organizations can do right away to start better protecting themselves.
1. Adopt and Commit to a Cybersecurity Methodology and Framework
Organizations need to realize the importance and value of starting at square one. You need to ensure you have an acceptable cybersecurity framework and methodology in place so you know what to do when you encounter a threat, and how to measure the success of your cybersecurity approach. Consider leveraging an established and accepted framework, from NIST, and commit to following the guidance it provides.
Worth noting: When you commit to “follow the process,” don’t give in to the temptation to take shortcuts. Shortcuts can lead to significant gaps.
2. Increase Cybersecurity Awareness Across the Organization
Raising awareness within your organization about the importance of security best practices is one of the easiest things organizations can do. In fact, similar to how organizations require employees to repeat basic HR training every year, I believe we’ll see something similar around cybersecurity awareness training. Even a gentle reminder of some of the simple things you can do every day, like avoiding simple passwords and using two-factor authentication, can go a long way.
Worth noting: Making cybersecurity awareness training more commonplace can have a big impact on the threat surface of an organization. No amount of tools will stop an attack if someone uses a simple password or repeats it across services. Supply chain attacks, for example, often start with weak configuration points. Even if employees claim to know everything you share with them about basic cybersecurity principles, a refresher is always helpful.
3. Test, Test, and Test Again
As I mentioned earlier, it doesn’t matter if you have the best cybersecurity solutions money can buy; if it’s not implemented correctly and not tested regularly, you can’t be confident that it will provide protection as intended.
Using penetration testing and phishing exercises, for example, can help you understand how effective your defenses are based on the chosen framework, essentially measuring your security posture as it relates to your implementation of the framework. A secondary benefit to testing is that you test people and processes, too. This increases cybersecurity awareness within your organization because you can determine when employees need a refresher on basic security defenses and best practices.
Worth noting: Though some organizations may face strict requirements to conduct testing regularly (like those found in FedRAMP or PCI), I encourage organizations to conduct testing at least once a year. Pen tests are a great option to pursue annually because they can help you identify where gaps exist. This test will provide a report of exploitable vulnerabilities a threat actor may take advantage of to gain access to systems and data.
Overall, the Executive Order’s intent is admirable, but the list of technology requirements is pretty significant. Yes, every step in this Executive Order will serve to harden the systems in question, and each of these additional frameworks will move us in a more secure direction. But it is impossible to tell if the problems we’ve been experiencing result from fundamentally broken systems or a failure to adopt technologies and frameworks that would have otherwise provided adequate security. If we pile on more technology requirements that do not get adopted down the supply chain, we are no better off than where we started.
To that point, a senior Biden administration official said that the Executive Order “reflects a fundamental shift in our mindset from incident response to prevention, from talking about security to doing security.”
I think this is short-sighted. To survive in today’s threat landscape, organizations need a healthy combination of incident response and prevention. The assumption is that it’s not a matter of if a cybersecurity incident will occur, but when. As a result, organizations need to have a plan when there is an incident, and they also need to ensure they’re taking the proper steps for prevention.
Additionally, the creation of the Cybersecurity Safety Review Board is another great idea, in theory. Review boards historically provide significant value, but only when they are hyper-focused. Without being efficient and targeted, it’s too easy to get distracted. There is so much to discuss and explore within cybersecurity that for this to really work, it needs to be highly structured. We may even see it evolve to include different groups or divisions to dedicate the right amount of time and attention to various events within specific industries.
There is also a big question mark around cybersecurity legislation going forward. Will it be updated annually? Will updates be more structured or broader? Quite frankly, new exploits and vulnerabilities are discovered every day. There is so much evolution in the cybersecurity space in the matter of a week that waiting for updates every year will be too slow.
Regardless of what legislation looks like in the coming months and years, I think organizations must realize it’s their responsibility to learn how to evolve in a structured and intentional way.
The Executive Order is absolutely a step in the right direction. It is increasing awareness around the importance of cybersecurity education and the steps organizations can follow to better control their cybersecurity efforts. After all, the hacks we’ve been seeing are not going to stop; it’s unfortunately our new reality.
There is a lot that can — and must — be done, but trying to do it all at once won’t be beneficial to anyone. For enhancements to cybersecurity to be most effective, every effort needs to be focused and structured.