The single best thing about the cybersecurity order signed this week by President Donald Trump is that it clearly makes the head of each government agency responsible for cybersecurity. Instead of appointing a cybersecurity czar that would have little to no authority, the order makes it clear that the heads of each agency at the very least should know where and how their agency is vulnerable to cybersecurity attacks.
The single worst thing about the order is that all it asks those agency heads to do is file a report about the status of their cybersecurity efforts in accordance with the cybersecurity framework created by the National Institute of Standards and Technology (NIST). The NIST framework doesn’t provide any recommendations for how to solve cybersecurity issues. Rather, it basically informs organizations what they should be keeping track of to better discover those issues.
In fact, the closest the presidential order comes to being prescriptive about solving cybersecurity issues is asking the heads of agencies to identify vulnerable legacy systems that need to be replaced and, wherever possible, to make use of shared cloud resources, including security services, based on modern IT infrastructure that in theory will be easier to defend.
The reason the order limits the scope of its directive to what amounts to agency heads creating reports is that the president doesn’t have the authority to direct budget dollars to solving cybersecurity issues. Congress would have to pass a bill to allocate the money to modernize IT systems and implement, for example, a shared cybersecurity threat intelligence system. Obviously, some government agencies, such as the Defense Department, are a lot more secure than others. In fact, the real issue is that most of the government agencies that oversee critical infrastructure such as the electric grid don’t have nearly as firm a handle on the cybersecurity vulnerabilities and threats they face as the Defense Department or the National Security Agency.
Because of that general lack of cybersecurity awareness at the agency head level, the cybersecurity order in and of itself does represent a significant step in the right direction. In fact, CEOs would be well advised to copy it. Anywhere in the document where it says government agency head, they could simply insert business or department head. CEOs, like the president, may not have the funding available to address every cybersecurity issue those reports would generate. But there’s no doubt that greater awareness of cybersecurity issues generally serves to improve the overall cybersecurity posture of the organization.
Of course, there’s no such thing as perfect IT security. But business and government leaders do need to make better-informed decisions about what level of risk they are willing to accept. Many of them are, for example, implementing digital business transformation strategies involving Internet of Things (IoT) projects with no real understanding of the cybersecurity implications. Most of them, unfortunately, don’t even have a good understanding of the size of the IT attack surface their IT and cybersecurity staffs are trying to protect.
Given the number of vulnerabilities in applications and systems, the fact that the IT every organization counts on to operate works at all is an unheralded testament to IT and cybersecurity professionals everywhere. The time has now come for business and government leaders to understand the true scope of the challenges those IT and cybersecurity professionals face every day.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.