Cyber EO compliance is a full-time job
- By Rob Lalumondier
- Sep 30, 2021
The Biden administration's efforts to secure our government institutions and critical infrastructure while simultaneously requiring federal agencies to implement the Executive Order on Improving the Nation's Cybersecurity are laudable. From what we've observed in conversations with customers, the EO has become a principal driver of activity at federal agencies, and EO compliance has become a full-time undertaking for federal civilian personnel. In the race to get to the finish line and comply with the order's terms, it's more important than ever that security leaders exercise great due diligence and conduct rigorous testing of the security products and service offerings flooding their inboxes.
The battle against our cyber adversaries is waged around the clock, and our nation has a vibrant ecosystem of pure-play cybersecurity companies working tirelessly to defend us. These companies have security – both their own and that of their customers – as their number one objective, and their success at both has been proven. The federal government needs the trust and innovation these cybersecurity companies bring. It doesn't need security that is simply a "feature" of a company's broad offering.
Cybersecurity is a unique profession within the IT world, and we need our best and brightest experts fighting the panoply of emerging threats and threat actors.
Procurement officials, executive leaders in agencies and policymakers all have to align on funding with the Office of Management and Budget and, ultimately, Congress. But the day-to-day implementation will be done by the CIOs and chief information security officers and their staffs, along with agency mission owners and personnel.
As agencies look to fulfill the requirements of the EO, here is some advice that may be helpful for building security platforms for the future:
- Ensure your security infrastructure is proactive, not just reactive. The potential loss and impact of a cyberattack is no longer constrained to a single silo within an agency's network or a small subset of devices. It can escalate and impact the mission of an agency in seconds. It is crucial that agencies go on the offense against malicious actors and proactively develop comprehensive security strategies to prevent attacks before they happen. By incorporating Extended Detection and Response strategies, as called for in the EO, agencies improve their capabilities for controlling incidents from detection through response. By unifying security controls, agencies can improve protection, detection and response capabilities, as well as the productivity of operational security personnel, leading to a stronger security posture overall.
- Enhance software supply chain security by removing barriers to bi-directional, real-time threat information sharing. Cybersecurity is a shared problem, and it's well known that information sharing is critical to solving it. The EO focuses on information sharing, but the emphasis seems to be on post-breach sharing. Government agencies need more than that. Robust, real-time sharing of threat data improves the speed and effectiveness of countermeasures and early detection. Bi-directional data sharing opens possibilities for things like cross-sector environmental context, timely and prescriptive defensive actions, and enhanced remediation and automation capabilities. Cybersecurity companies are offering these capabilities now -- predictive security that uses historical threat intelligence to guide proactive security policy decision-making. Agencies and others in the federal government should prioritize developing threat sharing standards that create a high-functioning ecosystem that allows for more interoperability between different types of sharing organizations.
- Incorporate zero-trust strategies that focus on protecting data. Real-time information sharing can make the EO's goals of moving to a zero-trust architecture more achievable. The aim of collaborative threat sharing is to identify potentially compromised or risky assets; therefore, the faster that information is shared, the faster an agency can assess trust and potentially modify permissions to protect high-value assets. And for most government organizations, data is the high-value asset. While the initial focus of zero trust was on access control, now government organizations are realizing that true zero trust makes data the starting point of trust decisions. To achieve that, agencies need data loss prevention and other comprehensive data protection policies that protect enterprise data, networks and applications while at rest, in transit and in use, thereby promoting greater organizational cyber resiliency.
- Prioritize cybersecurity. Don't be tempted to just bundle cybersecurity onto other IT offerings. Consider the costs of bundling: Is it really cost-effective or just convenient? Convenience should not be a driving factor in security infrastructures, especially as threats continue to escalate. Additionally, hidden costs that lead to future price hikes are likely woven into these bundled service packages. Likewise, offers that are "free" now are not likely to be "free" down the road. Cybersecurity is hard to do right; don't make decisions that seem too easy.
- Partner with proven cybersecurity companies – those whose mission is cybersecurity 24/7 and who have a proven track record of security. Trusting your security vendor is critical to trusting the security of your networks. Any vendor with widely known security flaws is more exploitable by bad actors, leaving an agency's sensitive data more at risk. Don't unintentionally hurt your organizational resiliency by partnering with the wrong vendor. Consider also that diversifying vendors reduces the attack surface. Threat intelligence feeds, in particular, have become a target of cyber adversaries. It's best to have several sources of threat intelligence rather than relying on one.
Meeting – and even exceeding – the requirements of the cybersecurity EO is an important mission for every agency and federal organization. Doing so with careful consideration of what's entailed in selecting the right cybersecurity partner should also be an imperative.
Rob Lalumondier is director of federal civilian for McAfee Enterprise.