{"id":6467,"date":"2022-01-25T17:25:05","date_gmt":"2022-01-25T17:25:05","guid":{"rendered":"https:\/\/mailinvest.blog\/index.php\/2022\/01\/25\/what-the-cybersecurity-executive-order-means-for-the-private-sector\/"},"modified":"2022-01-25T17:25:05","modified_gmt":"2022-01-25T17:25:05","slug":"what-the-cybersecurity-executive-order-means-for-the-private-sector","status":"publish","type":"post","link":"https:\/\/mailinvest.blog\/index.php\/2022\/01\/25\/what-the-cybersecurity-executive-order-means-for-the-private-sector\/","title":{"rendered":"What the Cybersecurity Executive Order Means for the Private Sector"},"content":{"rendered":"

<\/a>\n<\/p>\n

\n

Companies and governments have suffered from delaying the fundamental\u00a0cybersecurity<\/a> overhauls necessary to defend against increasingly sophisticated and common attacks for too long.<\/p>\n

The Executive Order<\/b><\/h2>\n

As a response to this threat landscape, President Joe Biden issued an\u00a0executive order on improving the nation\u2019s cybersecurity<\/a>, specifically with Zero Trust security architecture.<\/p>\n

In a White House memo<\/a>\u00a0that followed the order, the administration addressed the private sector, imploring companies to invest in cybersecurity and to segment their networks, which is the\u00a0first step\u00a0toward Zero Trust security.<\/p>\n

Biden\u2019s order and the subsequent memo spotlight the need for government agencies and businesses alike to move rapidly to a\u00a0Zero Trust architecture.<\/p>\n

Impacts on the Private Sector<\/b><\/p>\n

So what does this mean for private industry professionals today? Business leaders, managers, department heads, and anyone in a position to lead the charge needs to shift the way they think about security and help their teams do the same.<\/p>\n

Zero Trust is more than just a new set of tools and procedures. It\u2019s a whole new strategy for protecting your business.<\/b><\/h3>\n

In brief, a\u00a0Zero Trust security model<\/a>\u00a0stems from the concept of \u201cnever trust, always verify,\u201d and \u201cassume breach.\u201d With a Zero Trust framework, only confirmed-safe traffic, processes, and users are trusted. It acknowledges that the biggest threats to security can come from within the organization and leaves nothing up to chance.<\/p>\n

The Need for Zero Trust<\/b><\/h2>\n

As the United States\u2019 third federal CIO serving from 2015 to 2017, I\u2019ve seen firsthand the mounting number of cyber threats against U.S. organizations. One of my first projects on the job was leading the federal government response to the Office of Personnel Management cyber intrusions<\/a>, which the previous year had exposed security clearance background information on about 21.5 million government employees and laid bare the vulnerabilities in existing cybersecurity models.<\/p>\n

One upshot of these breaches was the\u00a0Cybersecurity National Action Plan<\/a>, which sought to strengthen cybersecurity both in the federal government agencies and within all Americans\u2019 digital lives.<\/p>\n

On the front lines of cybersecurity as CIO of Microsoft and Disney, I saw that cyber threats were only becoming more destructive and more widespread. It became clear to me that traditional, perimeter-based security would continue to fail and that the single most effective long-term strategy would be to adopt a Zero Trust framework.<\/p>\n

So, what\u2019s holding companies back from implementing Zero Trust?<\/b><\/h3>\n

Challenges have ranged from psychological to material.<\/p>\n

The biggest worry that many businesses or team leaders have is that moving swiftly into the unknown will only cause more problems. They might think, \u201cHow will I transition to this entirely new framework without breaking something?\u201d<\/p>\n

Another common block is the misconception that adopting a Zero Trust framework is a massively heavy lift that will certainly overload teams. Other challenges include lack of skills, time, budget, or managerial commitment.<\/p>\n

It\u2019s Well Worth the Effort<\/b><\/h2>\n

As companies come to terms with the inevitable threat to their\u00a0revenues and reputations<\/a>, they\u2019re recognizing that the need for a Zero Trust security posture far outweighs the implementation challenges.<\/p>\n

Modernized cloud-based Zero Trust technology<\/h3>\n

And today\u2019s modernized cloud-based Zero Trust technology\u00a0is simplifying the path to Zero Trust for enterprises, using powerfully streamlined automation and machine learning, and integrating with existing security tools.<\/p>\n

As Biden\u2019s executive order puts cybersecurity in stark focus for the public sector and the White House urges the private sector to follow suit, companies should look to the order as a guiding star for cybersecurity standards across industries moving forward. To make Zero Trust implementation smoother, organizations need to prepare in the following three ways:<\/p>\n

1. Focus on organization-wide education first<\/b><\/h4>\n

Because an entire institution must embrace Zero Trust implementation, organization-wide education is the necessary first step.<\/p>\n

Educating employees is essential for changing mindsets and gaining buy-in, and everyone must understand that Zero Trust isn\u2019t just an exercise for the IT department. Instead, it requires full participation across the organization to establish and maintain business processes for verified identities, protected devices, and secure data, networks, and infrastructures.<\/p>\n

Education begins with leaders, both at the top and managerial levels. Company leaders should set the implementation in motion by making it a company goal to ensure every person understands what the Zero Trust model is, why it\u2019s important, and how it can help secure the organization and its assets.<\/p>\n

Managers and department heads can help translate this into more specific and targeted communication and education for employees. For example, features such as single sign-on and multifactor authentication are basic examples of implementation that employees might already be familiar with.<\/p>\n

Employees need to know that the organization\u2019s strengthened cybersecurity workflows won\u2019t render their jobs impossible. Managers can show employees how Zero Trust architecture will affect their work and reiterate the benefits along the way.<\/p>\n

2. Build the Zero Trust muscle<\/b><\/h3>\n

Anything worth doing requires learning, practice, and refining, the same goes for Zero Trust. Implementing Zero Trust doesn\u2019t start on Friday morning and end just in time for happy hour. Zero Trust is a new security framework, so it is a marathon that you will build on at a reasonable pace, it\u2019s not a sprint.<\/p>\n

Practice with a small patch and learn how to manage it, then expand from there.<\/b><\/h4>\n

SaaS platforms can kickstart the path to Zero Trust and simplify legwork with AI and machine learning that make policy recommendations for you. And they allow you to test in simulation mode, reducing uncertainty to help you scale faster.<\/p>\n

At the early stages, it\u2019s also important to identify what compliance standards you need to adhere to (e.g., HIPAA, PCI, GDPR) so that you can build your security posture with those regulations in mind.<\/p>\n

As the Zero Trust muscle grows, I\u2019ve found that many businesses can move quickly in scaling Zero Trust implementation, especially with today\u2019s cloud-delivered platforms.<\/p>\n

When I was at Microsoft, we were one of the most attacked organizations globally. Through our experience warding off attacks, we got pretty good at it. But we knew we weren\u2019t completely invulnerable, so we started to think harder about what more we could do to cover the necessary surface area to be safe, scaling bit by bit.<\/p>\n

I can\u2019t say that you\u2019ll get this down right away, but it\u2019s a truly effective long-term strategy, and so it\u2019s also a long game compared to \u201cset and forget,\u201d tools.<\/p>\n

3. Overcome the organization\u2019s internal silos<\/b><\/h3>\n

It is common that teams are experts in their function, such as\u00a0cloud administration, but have little visibility into others, such as end-user device administration.<\/p>\n

The greatest implementations\u00a0break down some of those barriers\u00a0during the Zero Trust journey, to educate across domains and strengthen posture not only on a technological level, but also on an organizational level.<\/p>\n

Each implementation of Zero Trust that I have witnessed \u201ca-ha\u201d moments of discovery within the company\u2019s environments, including undetected traffic from the outside, outdated internal interfaces they didn\u2019t think were still running, and misrouted traffic putting an unknown burden on the network.<\/p>\n

Let\u2019s face it: Intruders don\u2019t have the governance and budget constraints of a regular institution. They\u2019re always looking for new ways to break through your perimeter. But when you have embraced Zero Trust implementation, you can isolate the threat before it does any more damage and therefore recover much faster.<\/p>\n

A Zero Trust framework can make your organization resilient to cyber threats, even when attackers remain undiscovered. It\u2019s time to admit that the bad guys will probably find a way in and adopt a Zero Trust approach that \u201cassumes breach,\u201d stopping ransomware in its tracks before\u00a0<\/i>it can wreak havoc.<\/p>\n

Image Credit:<\/p>\n

\n
\n
\n\"\"<\/div>\n
\n

Tony Scott<\/a><\/h3>\n
\nBoard Member at Color Tokens
\n<\/h5>\n

\nTony Scott is a board member at ColorTokens and CEO of TonyScottGroup. He was the third federal CIO (2015-2017) of the United States government in the nation\u2019s history. Scott is one of the world\u2019s foremost security and IT experts. <\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n