The Cybersecurity Executive Order that President Trump signed on May 11 shouldn’t tell you much that don’t already know about the importance of security to the Federal Government. However, there’s a sentence in it that should give every agency leader a fresh sense of urgency:
“The President will hold heads of executive departments and agencies (agency heads) accountable for managing cybersecurity risk to their enterprises.”
The president clearly means business on this. And if you think he won’t fire people, look no further than former FBI Director, James Comey. This one sentence is really the most substantial statement in the entire Executive Order. There is more there, though, and over the next several months I will try to peel apart the layers of the order in more detail.
But you already know, that you should be modernizing antiquated IT infrastructure for starters. And as products age out of support, it becomes impossible to patch known vulnerabilities, not to mention losing the efficiencies of more current solutions. If your modernization efforts currently includes threat intelligence products that can detect anomalous behavior at the network’s edge, you’re moving in the right direction to detect ever growing attacks against aging infrastructure (the new low-hanging fruit).
So now, the president has turned a commonly accepted practice in corporate America, namely executive accountability for cybersecurity incidents, into a defined directive for the entire Federal Government. And the president clearly doesn’t have any issues with holding leaders directly accountable for their inaction and has given clear indications of his expectations.
If you haven’t started already, you should immediately begin planning on phasing out all unsupported equipment and suspected grey market products to insure maximum ability to maintain a currently supported infrastructure capable of vulnerability maintenance.
The mandate has been provided in clear terms and nobody should be surprised if excuses are no longer accepted.