Time to Issue your own Cyber Executive Order
By Marten Mickos, CEO, HackerOne
Time is not kind to the security of an organization. The longer you wait, the weaker you are. Delays in responding to threats, incidents, and compromises mean higher risk of breach and exponential cost increases.
Your organization doesn't have to be completely secure (it is not possible), but it must be more secure than the other targets of the adversary. You must make it unattractive or at least very costly for anyone to compromise your digital systems.
This May, the president of the United States issued an executive order on improving the nation's cybersecurity. The order instructs the federal government, among other things, to increase information sharing and collaboration, modernize cybersecurity, enhance security of their software supply chains, and standardize the playbook for responding to vulnerabilities and incidents. Uniformly, cybersecurity experts have lauded this executive order.
We can all learn from this approach by the U.S. government. Audit or cybersecurity committees of corporate boards should ask their CEOs how they will react to the changing landscape of cyber threats.
CEOs should work with their CIO and CISO on an organizational Executive Order on improving the company's cybersecurity. An Executive Order acts as a broad mandate for the entire company, stating the priority and urgency of improving cybersecurity controls and securing the funding for such initiatives. It gives the entire organization unambiguous instruction on important initiatives.
Supply chain security serves as an example where an Executive Order can help. It is a well-known area for any cybersecurity leader. But on a corporate level, supply chain security is often a forgotten and under-budgeted topic about which the CEO and the Board know little.
The recent Kaseya and SolarWinds breaches are devastating examples of supply chain risk. SolarWinds became not an isolated case of one IT system vendor being compromised, but a national affair, with over 18,000 customers being breached. No company is secure until the supply chain is secure. We must find the vulnerabilities in the supply chain and fix them.
When a risk grows higher or more imminent, decision-making must be quicker and more resolute.
Today, every company faces increased cyber risk — from nation-states, organized cybercrime, and rogue actors. All that's valuable in society and business is stored in or operated by software. So that's where the criminals go. As owners and operators of digital systems, we must stop them before they strike, by making system attacks unattractive and expensive.
Read the entire Executive Order on Improving the Nation's Cybersecurity. It is clearly written, and many sections are applicable to commercial corporations. Think about how security considerations change when application workloads increasingly run on public clouds. Learn about the Zero Trust model. Prepare to launch a Vulnerability Disclosure Program. Order an internal review of supply chain security. Adopt the NIST Cybersecurity Framework.
To repeat what has been said before, the need to make our digital society secure is urgent. Time is not on our side.