GUEST ESSAY: President Biden’s cybersecurity executive order is an issue of national security

By Jonathan Gill

President Biden’s detailed executive order relating to cybersecurity is great to see.

Biden’s order reflects the importance of cybersecurity at the highest levels – it is an issue of national security and should be treated as such.

One of the big themes coming out of the order is the need to implement the right controls and to be able to provide evidence. Section two really underscores the need for secure software development.

If it is followed through, software publishers will need to open their kimonos to show they have the right controls in place and that these are working effectively.

It is also interesting to see in section seven that NIST will be issuing guidance on “minimum cybersecurity practices”, considering common cybersecurity practices and security controls.

Moving forward, we can expect to see even greater emphasis not just on encouraging companies to implement controls, but on providing evidence of such. However, many companies will struggle here.

IT infrastructures and ecosystems have become incredibly complex. Most large organizations do not even have visibility of what assets they have, let alone the status of their security controls across those assets.

This isn’t due to a lack of effort or care from cybersecurity professionals. The challenge lies in the fact that most large organizations rely on 50+ cybersecurity tools to protect their fast-moving IT environments.

These tools operate in silos, disconnected from one another and informed by incomplete configuration management databases (CMDB). As we move into an era of ‘trust, but verify’, organizations will be under increasing pressure not only to outline what controls they have, but to demonstrate their effectiveness.

Most large organizations already possess the data they need to understand their assets, controls coverage, and controls effectiveness, but it’s scattered and inaccessible. This data must be transformed into actionable, trusted intel, enabling security leaders to identify gaps, enforce accountability, and ensure stakeholders meet agreed-upon standards of controls.

About the essayist: Jonathan Gill is CEO at Panaseer, which supplies a continuous controls monitoring solution.

 
