What organizations need to know about the Cybersecurity Executive Order
President Trump recently issued an Executive Order (EO) called “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” As a natural successor to the 2013 EO issued by President Obama – a mandate that spurred the creation of the now gold standard NIST Cybersecurity Framework to standardize the way organizations assess, monitor, and manage cyber risk – this EO requires federal agencies to have reported on and outlined mitigation strategies for cyber risk by August 9, 2017 – last Wednesday.
Cyber risk and damages incurred by cybercrime are estimated to hit $6 trillion annually by 2021. More and more executives and liability experts are considering cyber risk as equally deserving of leadership’s attention as financial risk within an enterprise. The latest federal mandate acknowledges this economic and technological threat as worthy of more coordinated defense, encouraging greater sharing of information between public and private organizations, established protections of privacy and liability for those sharing the information, and widespread adoption of the CSF by private industry.
During the three years since its release, the NIST CSF has become a de facto standard almost universally recommended by experts.
Government agencies needed the additional push to upgrade technology and training programs for better cyber defense, but now commercial enterprises lag behind the public sector in their ability to understand and map true cyber risk. What does the government’s movement toward greater coordinated cyber defense, with structured cyber hygiene and executive-level risk mitigation, mean for those of us in the private arena?
Boards & C-Suites – The Buck Stops With You
When President Trump released the latest cyber order in May 2017, encouragement of private industry to use NIST CSF was transformed into an obligation for federal agencies to use it to manage cyber risk. The deadline passed August 9, but the process of implementing it may take several years, since the order didn’t include provisions for underwriting the cost of the measures it decrees, and slow federal procurement processes are a regular obstacle to rapid progress.
Private companies continue to be strongly encouraged to adopt it as well, but without the equivalent of Sarbanes-Oxley for cybersecurity, how many will actually do so?
Now, it’s clear federal agency heads will be held explicitly accountable for managing cyber risk. Even though business leaders, C-suites and boards of directors don’t operate under this EO’s umbrella, it’s imperative they understand the buck still stops with them. C-suites and boards will be the ones held financially liable in the event of a successful breach if the breach is due to negligence in establishing security protocols or staff training.
During the first half of this year, 30 percent of breaches were caused by third-party risks and employee errors, according to a recent Beazley Breach report. “This continuing high level of accidental data breaches suggests that organizations are still failing to put in place the robust measures needed to safeguard client data and confidentiality.”
How Does Agency Preparedness Affect Enterprise Operations?
We won’t know exactly how successfully agencies will be able to meet the deadline with required materials, but sources indicate it’s not going swimmingly in every agency. In some cases, agencies will fall beyond the deadline on purpose. The rationale is "this was not anticipated in our budget and we have no means by which to determine what resources are necessary to be in compliance with the EO. We look forward to obtaining future guidance from NIST on how best to implement a compliance methodology, and will ensure that our budget requests or out-of-cycle budget requests place this as one of our highest priorities."
The underlying reasons vary, but in some cases, the agency or department CIOs aren’t sure how to accomplish what's been asked. It’s also not clear whether each Cabinet-level government agency has an appointed CIO, since there are over 3,300 unfilled positions across the public sector.
That said, implementing the NIST CSF is the clearest part of the order, and it will have far-reaching effects. By dictating that all federal agencies employ the NIST CSF, this EO may be creating the largest single user base in the world that actively assesses and manages cyber risk based on standardized guidelines. That base will continue to expand as agencies begin asking business partners and vendors to report their risk levels on a regular basis by using the Framework.
Given the massive number of companies that contract with the federal government, the NIST CSF may become the most extensively used cyber risk tool in the world, with states already moving to follow the example of the feds, and recent reports pointing to growing support for its adoption in Japan and throughout Asia.
As this surge accelerates, the implication for business leaders is strong. When we approach the tipping point where more than 50 percent of U.S. organizations use NIST CSF, company cyber risk assessments will become an expected part of annual reporting for public entities, private companies, and nonprofits, and the relative cyber risk level of organizations will inevitably be compared. Knowing how well your organization stacks up against the NIST CSF standards, and how astute deployment of people, processes, and policies can make your organization more cyber resilient, will be two high priorities.
Enterprise Cyber Risk Myths & Next Steps
The fact that broad regulatory action in the commercial arena has not yet been taken in the face of huge losses is incomprehensible. According to the Hiscox Cyber Readiness Report, cyber attacks in 2016 cost an estimated $450 billion in worldwide business losses. How much cyber risk must we take on before taking concerted action to control it? Although business leaders realize that protective actions are critical, many still take refuge in these common myths heard from C-suites, IT departments and boards of directors every day:
- My organization isn’t a target.
- Our IT department has the issue covered.
- Technology will provide good enough solutions.
- Hardening the perimeter is the best place to invest.
- Legal liability is not a big concern.
The hard-to-swallow truth is that your organization is a target, and your IT department (if you even have one) is not an organization-wide motivator for proper cyber hygiene and habits. Technology advancements allow us to harden perimeter defense investments, but that’s not where the true vulnerabilities lie – errors in the human factors at companies and improper use of that technology are the reason behind 80 percent of breaches. If legal liability isn’t a concern, it should be – Yahoo’s board of directors now faces 43 lawsuits and counting, and will be personally responsible for those damages and the $350 million loss in its sale to Verizon.
Rapid growth in the use of NIST CSF, spurred on by government mandates, offers hope. Imagine how much safer and more resilient the world’s economy and critical infrastructure could be if all organizations regularly assessed their operations against national standards, leading to continual improvement and the creation of cyber-conscious cultures. To end on one critical fact business leaders should take away from this article: the vast majority of breaches are caused not by technology but by human errors, and widespread support for NIST CSF’s emphasis on people, processes, and policies will lead us to a brighter future.