CISA Official: Cyber EO Aims at Priorities, Not a Fix-All

While President Biden’s 2021 cybersecurity executive order (EO) doesn’t address all of the Federal government’s cybersecurity needs, a security expert from the Cybersecurity and Infrastructure Security Agency (CISA) said the EO’s goal drives toward prioritization of the government’s most pressing needs — rather than a fix-all approach.

CISA cybersecurity expert Branko Bokan explained the aims of the EO in light of findings from a recent MeriTalk study, conducted with Leidos, which shows that 72 percent of Federal IT decision-makers surveyed thought the EO only addressed a fraction of the problems.

At MeriTalk’s “The Cyber Mousetrap: Blueprints for Better Resiliency” webinar on March 2, Bokan said that finding ties to the disparate nature of the missions of Federal agencies.

“We’re dealing with a very complex problem when it comes to Federal government,” Bokan said. “We’re dealing with the biggest enterprise in the world, an enterprise that cannot be compared to any other organization in the world. … An enterprise that on one side prints money, and on the other side, maintains an International Space Station – all kinds of missions roll together, all kinds of challenges, all kinds of different infrastructures that we need to protect.”

“The goal of the executive order was not to solve all of those problems. The goal was really to help agencies prioritize their efforts,” Bokan said.

“Based on the visibility and insight that CISA, our partners, and Federal agencies have – based on our experience and knowledge of what’s been happening in the Federal enterprise for the past several years – the executive order allowed us to prioritize and come up with those top efforts that every agency needs to work on that are common cybersecurity efforts,” he said.

Thomas Michelli – currently a strategic account executive for cyber at Leidos and formerly deputy CIO for the Department of Defense and Coast Guard – agreed with Bokan’s assessment that the EO is primarily focused on prioritization.

The MeriTalk study also found that 70 percent of the 150 respondents believe one of the EO’s greatest benefits has been elevating cybersecurity to the top level of Federal agencies. However, Michelli said he wished that the EO did more in terms of accountability.

“Another piece I wish I’d seen was a greater emphasis on accountability outside of the CISOs (Chief Information Security Officers) and CIO shops,” Michelli said. “Although it’s there in other laws and guidance, it’s always good to hear more than once how important it is to the department and agency heads for them to take responsibility for cybersecurity, as well as for program executive officers – the folks who buy and build the systems for the Federal and military intel communities.”

“So I think those were gaps but, again, I want to emphasize how great it was for this to come out early in the administration and help prioritize,” he added.

Bokan agreed with the importance of elevating cybersecurity to the highest levels of Federal agency leadership and said that ultimately remains another one of the main goals of the EO.

“[Michelli] makes a great point – not only that the executive order helps agencies prioritize those efforts. It also empowers cyber executives and cyber professionals to do and take the right steps towards protecting Federal enterprise,” Bokan added.

In terms of what that sort of executive-level support for cyber initiatives has looked like, Bokan said it is often about having a proper risk management framework and assessment to empower cyber executives.

“That empowers C-suite executives… [and] Cyber executives, in general, to better prioritize and properly not only understand risk, but make proper risk-based, risk-informed decisions that take into consideration not just the impact part of the cyber risk formula, but also think about other parts such as vulnerabilities, as well as actual threats,” Bokan said.

To hear the rest of Bokan and Michelli’s conversation, register here to listen to MeriTalk’s “The Cyber Mousetrap: Blueprints for Better Resiliency” webinar on-demand. And to read the rest of the study, download it here.
