The cybersecurity executive order, signed by President Donald Trump, could enable a shift in culture that will help entire agencies gain the cybersecurity knowledge that they need to be successful in their missions, according to agency CIOs.
The executive order talks about cybersecurity being a “team sport,” according to Rod Turk, acting CIO and chief information security officer of the Department of Commerce. Turk encouraged involving the agency heads, human resources officials, financial experts, and other teams in all of the cyber decisions that the office of the CIO chooses to make.
“I think that’s probably, in my opinion, the most important part of the executive order,” Turk said at Tenable’s GovProtect17 Conference on June 21. “You’re not going to get anything done unless everyone is on the same page.”
Turk said that agencies need to incorporate cybersecurity into every project from the beginning, rather than trying to add it in the night before it’s launched.
“We’re not there yet,” said George Jakabcin, CIO of the Treasury Inspector General for Tax Administration. “It’s still this thing that we add to the end.”
Karen Evans, national director of the U.S. Cyber Challenge, said that in the private sector, company heads have to know about cybersecurity in order to be successful.
“CEOs don’t have the luxury of saying ‘you know that security stuff over there? I don’t know it and I don’t like it, so I’m not going to do anything about it,’ ” Evans said.
Evans’ team at the U.S. Cyber Challenge briefed the Trump transition team on cybersecurity issues and they saw many of their priorities reflected in the executive order. Evans said that the executive order emphasizes the purpose of the Office of American Innovation, led by presidential adviser Jared Kushner, which identifies what agencies are doing and how technology can make the process more efficient.
The cybersecurity executive order makes agency heads responsible for the cybersecurity posture of their agencies, which is a major culture shift for some Federal agencies.
Essye Miller, deputy CIO for cybersecurity at the Department of Defense, said her department was able to make the most improvements when it began following the Cybersecurity Scorecard and began updating the deputy secretary every Friday about its progress.
“We are probably the largest target organization in the country,” Miller said.
Miller said that she hopes the executive order will allow the DoD to identify what bad actors are doing before its systems are threatened. That way, the DoD won’t spend all of its energy defending its networks.
“If the leadership doesn’t care about that security aspect of it, the people who do security are like ‘why am I showing up to work every day?’ ” said Wayne Lloyd, chief technology officer of RedSeal Federal.
Lloyd said that organizations need to create an understandable metric that measures improvement and that technology departments can report to their agency heads.
Jakabcin said that agencies could solve many of their cybersecurity problems by using the software that they own to its full capability. The typical user uses only 10 percent of the software’s tools. Jakabcin encouraged more training for employees from vendors rather than immediately buying a new product when a problem arises.
“When you get to a traffic signal, even though it turns green, most of us look left and right before we cross the intersection,” Jakabcin said. “That’s where we need to get from an IT perspective.”