President Trump recently issued an Executive Order titled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” (EO 13800, signed May 11, 2017). It is a natural successor to the 2013 order issued by President Obama (EO 13636), the mandate that led NIST to create the Cybersecurity Framework (CSF) as a common way for organizations to assess, monitor and manage cyber risk.
The new order requires the head of each federal agency to deliver, within 90 days of its signing, a report on the agency's cyber risk and the strategy for mitigating it; that deadline falls this month.
The latest mandate treats economic and technological threats as worthy of a more coordinated defense. It encourages greater information sharing between public and private organizations, privacy and liability protections for those who share that information, and widespread adoption of the CSF by private industry.
In the three years since its release, the NIST Cybersecurity Framework has become a de facto standard that experts almost universally recommend.
Government agencies needed the additional push to upgrade their technology and training programs, but the result is that non-governmental organizations now lag behind the public sector in their ability to understand and map their true cyber risk. What does the government's move toward coordinated cyber defense, built on structured cyber hygiene and executive-level risk management, mean for those in the private arena?
Boards and C-suites: The buck stops with you
When President Trump signed the order in May, the NIST Cybersecurity Framework went from something private industry was encouraged to use to something federal agencies are obliged to use to manage cyber risk. Implementation may take several years: the order includes no provisions for underwriting the cost of the measures it decrees, and slow federal procurement processes are a regular obstacle to rapid progress.
Private companies continue to be strongly encouraged to adopt the Framework as well, but without a cybersecurity equivalent of Sarbanes-Oxley, how many actually will?
What is now clear is that federal agency heads will be held explicitly accountable for managing cyber risk. Business leaders, C-suites and boards of directors do not fall under the order, but they should understand that the buck still stops with them: executives and directors can be held financially liable when a successful breach is traced to negligence in establishing security controls or training staff.
During the first half of this year, 30 percent of breaches were caused by third-party risks and employee errors, according to a recent Beazley breach report. The report adds: “This continuing high level of accidental data breaches suggests that organizations are still failing to put in place the robust measures needed to safeguard client data and confidentiality.”
The impact on enterprise operations
We won't know exactly how many agencies meet the deadline with the required materials, but sources indicate it is not going smoothly everywhere. In some cases, agencies will miss the deadline deliberately. The rationale is “this was not anticipated in our budget, and we have no means by which to determine what resources are necessary to be in compliance with the EO. We look forward to obtaining future guidance from NIST on how best to implement a compliance methodology, and will ensure that our budget requests or out-of-cycle budget requests place this as one of our highest priorities.”
The underlying reasons vary, but in some cases the agency or department CIOs simply aren't sure how to accomplish what has been asked of them. It is also unclear whether every Cabinet-level agency even has an appointed CIO, given that more than 3,300 positions remain unfilled across the public sector.
That said, implementing the NIST Cybersecurity Framework is the clearest part of the order, and it will have far-reaching effects. By directing all federal agencies to use the Framework, the order may create the largest single user base in the world that actively assesses and manages cyber risk against a common set of guidelines. That base will keep growing as agencies start asking business partners and vendors to report their risk levels regularly using the Framework.
Given the massive number of companies that contract with the federal government, the NIST Cybersecurity Framework may become the most widely used cyber risk tool in the world. States are already moving to follow the federal example, and recent reports point to growing support for its adoption in Japan and throughout Asia.
As this surge accelerates, the implication for business leaders is strong. Once we pass the tipping point where more than 50 percent of U.S. organizations use the Framework, cyber risk assessments will become an expected part of annual reporting for public entities, private companies and nonprofits, and organizations' relative cyber risk levels will inevitably be compared. Two things will become high priorities: knowing how well your organization stacks up against the Framework, and knowing how an astute deployment of people, processes and policies can make it more cyber resilient.
Enterprise cyber risk myths and next steps
That no broad regulatory action has yet been taken in the commercial arena, despite huge losses, is hard to comprehend. According to the Hiscox Cyber Readiness Report, cyberattacks in 2016 cost an estimated $450 billion in worldwide business losses.
The hard-to-swallow truth is that your organization is a target, and your IT department alone cannot drive proper cyber hygiene and habits across the whole organization. Advances in technology let organizations harden their perimeter defenses, but that is not where the true vulnerabilities lie: human error and improper use of technology are behind 80 percent of breaches.
Rapid growth in the use of the NIST Cybersecurity Framework, spurred by government mandates, offers hope. Imagine how much safer and more resilient the world's economy and critical infrastructure could be if every organization regularly assessed its operations against national standards, driving continual improvement and building cyber-conscious cultures. The vast majority of breaches are caused not by technology but by human error, and widespread support for the Framework's emphasis on people, processes and policies will improve defenses for all.