The US National Cybersecurity Strategy — Takeaways for Security Pros

Jack Charles Roehrig
3 min read · Mar 9, 2023


Straight from Jack’s Desk

Do you really know what that recent announcement is about? The one from the White House. About the strategic plan for the federal government’s involvement in information security risk.

Well — I’ve been reading about it. And untangling my brain. Then reading more. It was a lot, and if you work in cybersecurity, you probably don’t have the time to read these lengthy, complicated memos, but I’ve got you covered. Here are the top three takeaways:

Takeaway #1 — Investment Will Continue

This announcement provides direction and strategy for lawmakers, government assistance programs, federal budget allocation, and many more programs related to information security. This isn’t law, but it’s not crazy to say that some of it, down the line, will be. It will shape the focus of the federal government’s cyber operations.

What this means for professionals:

👉 CISOs, prepare for your budget increases! These commitments to protecting cyberspace indicate that there’s support for cybersecurity initiatives, even in the face of a recession.

👉 Bootcampers, don’t let the little things discourage you; your future profession should see a spike in demand, making it easier to land a sweet job.

The document is full of statements about improving, increasing, and inflating. It’s a positive direction for information security.

Takeaway #2 — Accountability Is Shifting

Shifting accountability to the private sector was my key takeaway from this announcement. Here’s what’s happening:

Breaches are far too common.

In my career, I’ve green-fielded infosec programs for dozens of companies when beginning my work as their CISO. I rarely see budgets that are generous enough to mitigate reasonable amounts of breach risk. And of course, this is one of the reasons we hear about a new major breach every time we read the news.

I reached out to Sean Grimaldi, the CTO of VectorZero and former CIA intelligence leader, to get his thoughts:

“My takeaway is: ‘hold the stewards of our data accountable.’ Essentially, the strategy is acknowledging a need for legislation incorporating standards developed by the NIST to provide ‘strong protections for sensitive data like geolocation and health information.’ That seems necessary at this point. Vector Zero can directly help organizations with this.”

Well said!

The public release from the White House makes frequent mention of free-market forces driving underinvestment in cybersecurity programs. The strategy hopes to change that through accountability (read: laws, regulations, statutes, etc.). And those new rules should bump your budgets to allow you to steward that data more securely.

Takeaway #3 — Critical Infrastructure Comes First

The statement makes it clear that proposed changes need to be prioritized… and, unsurprisingly, critical infrastructure comes first.

And the scope of federal involvement with critical companies is greater. There was a heavy focus on national security preservation through improvements in our ability to combat cyberterrorism. Cloud providers will likely see legislation that increasingly grants access and rights to federal agencies. These rights could involve costly software and hardware projects, which could translate to increased cloud costs, or worse, decreased cloud functionality and agility.

The SMB market will be immediately impacted as well. Telco, EdTech, FinTech, and all companies that provide services that are critical to the daily operation of the United States, you’re up to bat.

Everyone’s going to get a taste eventually. When? Could be years from now. But if it’s anything like TxRAMP, you’ll need those years to prepare. I recommend being proactive. If future compliance regulations quickly become in scope and, unlike your competitors, you’re ready for action: sell it. Taming the big scary compliance monster isn’t just a badge of honor, it’s an attribute of your product. A feature.

Any opportunity to tie your infosec program directly to a marketable attribute of your product is an opportunity best seized without delay.

Conclusions: Take it from Jack

Some plans outlined in the strategy will make your life easier. I’ve been a CISO for a decade now. And I’ve spent maybe eight hours working on cyber insurance (I’m joking, but it’s a painless routine task). The new strategy includes plans for the implementation of a national cyber security insurance program. We’ll see how this plays out, but it’s not the time savings that interests me, it’s the (hopeful) improvements in the effectiveness of cyber insurance claims.

We’ll have to see what kind of enforcement and implementation this document really manifests as; as things stand, this strategy document is mostly just that: strategy.

Jack Charles Roehrig

Jack is a lifelong information-security nerd with a career that's spanned over 25 years. He is currently spreading the good word: Uptycs.