Thoughtful Analysis Needed to Build on Cyber Security US Executive Order

In May, US President Trump set into motion a series of requirements to obtain an understanding of where US federal agencies stood in terms of readiness to ward off cyber attacks and assured the American public his administration valued the importance of understanding the risk, mitigating it and building a world-class workforce.

As a CISO for several organizations, including a major healthcare contractor to the US government and a global accounting firm engaged in government contracts, I have watched the evolution of the US federal government’s focus on cyber security with great care. It has always been important, but as the tools and criminals become more sophisticated, our work to benchmark our current status, manage risk and develop a highly skilled workforce of tomorrow becomes even more critical.

My professional association, ISACA, for which I’ve spent over a decade providing information security presentations and certification workshops, and whose work I am highly passionate about, also supports a strong focus on cyber security risk management and workforce development. By mid-July, the federal agencies owe the Office of Management and Budget (OMB) and Department of Homeland Security (DHS) a risk management report or current assessment. It is the next milestone in the US Executive Order Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. They will need to report information based on FY 2017 FISMA CIO metrics so everyone is reporting based on a consistent methodology. It must be based on 2016-2017 Guidance of Federal Information Security and Privacy Requirements.

Then, the OMB and DHS will use the FISMA metrics to produce agency-specific risk assessments in a report to the President. The results will serve as a way to identify new needs and offer ways to think about how to offer services differently to improve cyber security. In the future, agencies will have to conduct reviews bi-annually.

The order also calls for an action plan for implementing a framework that reduces risks and allows the network to:

• Identify
• Protect
• Detect
• Respond
• Recover

Aligning with the NIST Special Publications, as well as other associated standards and guidelines, this structure will provide a common vocabulary and process sharing across the agencies. The framework plan is also due in mid-July.

From a cyber security practitioner’s viewpoint, while the timeframe is aggressive, the order is welcomed because 1) it acknowledges the importance of our interconnected government and that risks in one agency or critical infrastructure may impact others; 2) the approach is from a risk management perspective (vs. compliance), and requires an explanation as to why choices were made (strategic, operational, and budgetary considerations) to accept the current level of risk; and 3) it indicates a desire to move to current technology and updated systems.

After the reports and planning are in, there will need to be a time for reflection—a time to analyze our current situation and how we are best served as we enter a new era. Customized training will be critical. Traditional four-year degrees in computer science may not be our path forward in our new world. We’ll need to engage partners from academia, Veterans Affairs (veterans have a strong skill set that could be leveraged) and private industry.

ISACA offers cyber security training and supports exploring opportunities for non-traditional educational training to build a hardened IT infrastructure.

As a cyber security professional who has had the opportunity to see many changes throughout the landscape of my career, I believe thinking differently allows us to offer solutions that will strengthen our borders and build a more prepared workforce.

Todd Fitzgerald, SVP and Chief Administrative Officer, Information Security and Technology Risk, Northern Trust, Chicago

[ISACA Now Blog]