Last Updated on January 15, 2024
President Biden’s recent “Executive Order on Improving the Nation’s Cybersecurity” has the potential to bring new security guidelines to both the public and private sectors. What changes is the Executive Order most likely to drive? And how could it impact your organization?
To “read between the lines” and share expert insights into the Executive Order, a recent episode of The Virtual CISO Podcast features Scott Sarris, EVP of Digital Transformation and Cybersecurity Advisory Services at Aprio. The show’s host is John Verry, Pivot Point Security’s CISO and Managing Partner.
Scott notes that changes for the public sector may be coming faster than they have traditionally: “We’ve had NIST standards for many years, going all the way back to the old Orange Book days. It has slowly and progressively improved over many years. I think some of the directives in this piece around the speed of expected change and its impact to risk acceptance from the federal agencies for services that are rendered to them, really caught my eye because you typically don’t see those types of programs rapidly improve. Some of those directives around automation and the collection of federal information for purposes of approving their services and getting your authority to operate seems very tight to me. I’m wondering how quickly they can actually roll that out.”
The policy section of the order also notes that the scope of new security protections must encompass not only IT systems, but also the operational technology (OT) that “… runs the vital machinery that ensures our safety.”
“I believe the fact that they are looking at information technologies with operational technology is kind of a nod to the problems that we’ve seen in recent events, right?” Scott observes. “Critical infrastructure, such as the pipeline attack and a reduction of food supply and others, really show us that the two are very much related. We don’t today run a pipeline or even produce meat products without the information security apparatus that’s behind everything. In a lot of cases, it’s operational technologies. Even if the operational kind of technologies can and do operate independently, it doesn’t mean that the information technology side doesn’t represent a significant [piece] of the operation side, simply due to the linkages and the systems communications between them.”
In short, this Executive Order is in many ways a direct response to recent mega-hacks, implying that cyber regulations could be coming at last for food and agricultural businesses and other “critical infrastructure” entities.
What’s Next?
Want to get up to speed on the Cybersecurity Executive Order? You’ll find the guidance you need in this podcast episode with Scott Sarris.
Looking for some related content about the Cybersecurity Executive Order? Check out this post: The Cyber Executive Order: What is the “Tone from the Top”? – Pivot Point Security
Listen to the podcast episode all the way through: EP#58 – Scott Sarris – The Cybersecurity Executive Order: What You Need to Know – Pivot Point Security