I’m thrilled with many of the provisions in the President’s recent Executive Order on Improving the Nation’s Cybersecurity. The tiered software security ratings system, the IoT consumer labeling, the cybersecurity review board, and the emphasis on sharing information on breaches and other cyber incidents are all bold initiatives and long overdue. While the EO applies to federal agencies and contractors, I hope that many of these policies become standard across industries.
At the same time, I can’t help but worry that the order doesn’t give direction on fixing a critical gap in our nation’s cybersecurity capabilities that could reduce the effect of these initiatives. I’m talking about poor cyber risk measurement practices in the information security profession that leave us unable to prioritize among risks and make security investments effectively.
Let me explain, taking four initiatives from the EO.
Cyber Safety Review Board (Section 5)
I’m cautiously optimistic about formal investigations after a breach to achieve systematic learnings. The problem is, historically our profession has never done real root cause analysis.
We’ll say a breach occurred because our systems were not patched, or access privileges weren’t managed closely, and so on. If we even bother to go any deeper than that, we might say the reason those weren’t accomplished is that security didn’t get the support it needs from management.
But management will give cybersecurity as much support as is warranted based on cybersecurity’s significance relative to everything else demanding management’s attention and resources. Unless and until we express risk in terms that can be compared to their other imperatives (which are typically measured in $$$), management is hamstrung.
That, of course, is simply one potential root cause, but it is illustrative of how superficially we’ve approached causal analysis in the past.
Consequently, although I might not expect to see anything in the EO specific to root cause analysis, I’m a bit nervous about how effectively it would be approached.
Jack Jones is Chairman of the FAIR Institute and creator of Factor Analysis of Information Risk (FAIR™), the international standard for cyber and technology risk quantification.
Information Sharing (Sections 2 and 3)
Let’s say CISA receives a wealth of new data on cyber events because of better information sharing. Turning that into appropriately prioritized, actionable intelligence is strongly predicated on the model those data are applied to, as well as clarity about the loss event scenarios the data are relevant to.
To clarify: we need more than just better data. We also need to be very clear about the loss event scenarios we’re measuring and managing, as well as a solid analytic model to apply the data to. Only then can we reliably inform decisions regarding the risks we’re addressing and the resources needed to mitigate them. This is where FAIR™ would be helpful.
But mostly, I see government agencies and private enterprises managing control deficiencies and using wet fingers in the air or badly broken models – and I don’t see anything in the EO to challenge that.
Zero Trust Architecture for Cloud Security (Section 3)
Zero trust is a great philosophy for security, but it’s non-trivial to achieve. It requires policies, processes, technologies, and people. This is big and complex enough that understanding dependencies and prioritizing actions will be important here too. Too often, organizations start security projects with the easy stuff, and then the energy and the focus get diverted by the latest news article or changing business imperatives, and they never get to the hard stuff that ultimately gets them where they intended to go.
Software Security Ratings (Section 4)
A system for classifying the security of software has tremendous merit, but I’m waiting to see the criteria. It’s important for creators of the requirements to consider that not all controls are created equal – their value must be risk-based, otherwise burdens will be imposed on product vendors that are not warranted, which will increase costs to consumers or eliminate efficiencies in other aspects of the software. Unfortunately, I see this pervasively today in third-party risk management, which is in part why I raise the concern here.
Note: Jack Jones is developing a new analytics framework for controls based on FAIR.
Let me be clear, I’m rooting for the success of the Executive Order. Much of what’s in there is long overdue. If anything, my concern is that it’s a missed opportunity to raise the risk measurement bar so that organizations are able to focus and prioritize more effectively.