Takeaways on the Cyber EO

21 Nov

The Cyber Executive Order and IT Modernization

We recently sat down with Don Maclean, chief cybersecurity technologist at DLT Solutions, and got his perspective on the Cybersecurity Executive Order.

What’s your initial take on the Cybersecurity Executive Order? Do you think it’s a big step forward, or more of the same?

The order is not much different from past orders. However, it does reiterate key points, such as modernization as an ongoing process, cloud adoption, top-level accountability for cybersecurity, use of the NIST cybersecurity framework (CSF) for risk management, and the old workhorses: patching and configuration management.

What were some of the most promising takeaways?

Given the specificity of the mandates regarding patching & configuration, it’s clear that security experts contributed to this Executive Order. These items are relatively easy to implement, and can improve security substantially. The other mandates are worthy goals, but may be more difficult to realize.

Where will agencies be most challenged to meet the mandates?

Modernization will be difficult. Staying up-to-date will require a faster procurement cycle, a bureaucratic challenge far outside the scope of cybersecurity. Ongoing modernization requires a new mindset, one that is open to early adoption of new technology.

How will broader IT modernization initiatives challenge cybersecurity efforts? And, on the flip side, what are the main opportunities for improved cyber as agencies modernize their infrastructures and move to more shared services?

According to a recent survey of government agencies, security shops see modernization, particularly cloud adoption, as increasing their security challenges. The pool of qualified security personnel is already too small. When an agency modernizes, that pool shrinks further, since potential hires must know both security and the new technology.

Modernizing, as Dr. Ron Ross of NIST emphasizes, is not simply buying and deploying new systems: it is a chance to consolidate and simplify systems. Simpler systems are not just easier to manage; they are also easier to secure. Also, cybersecurity technology is at its best when new, before the bad actors have figured out how to break it.

We look forward to hearing more from Don at the Symposium, where he’s slated to speak on the “It’s a Mod, Mod World: Transforming (and Securing) the Business of Government” panel. Register for the Symposium today.