Time is not kind to the security of an organization. The longer you wait, the weaker you are. The more things drag out, the higher the risk of breach. Delays in responding to threats, incidents, and compromises mean exponential cost increases.
Your organization doesn’t have to be completely secure (which is not even possible), but it has to be more secure than the other targets of the adversary. You must make it unattractive or at least very costly for anyone to try to compromise your digital systems.
On May 12th, 2021, the United States President issued an executive order on improving the nation’s cybersecurity. The order instructs the federal government, among other things, to increase information sharing and collaboration, modernize cybersecurity, enhance the security of their software supply chains, and standardize the playbook for responding to cybersecurity vulnerabilities and incidents. Uniformly, leading experts on cybersecurity have lauded this executive order.
We can all learn from the U.S. government on this issue. Audit or cybersecurity committees of corporate boards should ask their CEOs how they will react to the changing landscape of cyber threats.
CEOs should work with their CIO and CISO on an organizational Executive Order on improving the company’s cybersecurity. An Executive Order is not a detailed cybersecurity plan or budget (already established by the company’s security leader) but a call to action for the entire company, stating the priority and urgency of improving cybersecurity controls and securing the funding for such initiatives.
Supply chain security serves as a poignant example. It is a well-known area for any cybersecurity leader. But on a corporate level, supply chain security is often a forgotten and underbudgeted topic about which the CEO and the Board know little.
The 2013 data breach of a large retail chain, carried out through the systems of its HVAC supplier, was an early warning of supply chain risk. The recent SolarWinds breach is a devastating example: not an isolated case of one IT system vendor being compromised, but a national affair in which over 18,000 of its customers were breached. These are frightening examples of supply chain security vulnerabilities, and there are more. No company is secure until its supply chain is secure. We must find the vulnerabilities in the supply chain and fix them.
When a risk grows higher or more imminent, decision-making must be quicker and more resolute.
Today, every company faces increased cyber risk — from nation-states, organized cybercrime, and rogue actors. All that’s valuable in society and business is stored in or operated by software. So that’s where the criminals go. They exist worldwide, and even when tracked and identified, criminals are difficult to apprehend. As owners and operators of digital systems, we must stop them before they strike, by making system attacks unattractive and expensive.
Read the entire Executive Order on Improving the Nation’s Cybersecurity. It is clearly written, and many sections are applicable to commercial corporations. Think about how security considerations change when application workloads increasingly run on public clouds. Learn about the Zero Trust model. Prepare to launch a Vulnerability Disclosure Program. Order an internal review of supply chain security. Adopt the NIST Cybersecurity Framework.
To repeat what has been said before, the need to make our digital society secure is urgent. Time is not on our side.
An Executive Order gives the entire organization unambiguous instruction on important initiatives. It is a way to get ahead of the curve and to play for the future. When we take cybersecurity seriously, we prepare for tomorrow, and we build digital trust with our constituents.
As we adapt to the pandemic and see global healing, all signs point to massive business growth across the economic landscape. It’s time to play cybersecurity offense and get our security posture in shape. Otherwise, tomorrow’s business opportunity will be captured by somebody else. The time is now.
Marten Mickos
CEO, HackerOne