Heads Up, Boards: The Executive Order on Cybersecurity Needs Your Attention
President Joseph R. Biden Jr.’s recent executive order (EO) on improving the nation’s cybersecurity changes everything. Risk, resilience, reporting, how organizations prepare, how they respond (and to whom), what information they provide, who’s going to get sued, and what organizations will profit—they are all being reshuffled.
The EO means to improve the government’s ability to detect, coordinate, respond to, and investigate cybersecurity incidents. It will likely raise costs for attackers and promote security and resilience across software and industry supply chains. But this isn’t just about the federal government. The administration has been clear that they intend for the EO to have a substantial trickle-down effect. The EO’s regulations will become de facto standards for all companies in the United States.
Thus, the EO is a move that will ultimately help all organizations reduce risk, not just those that do business with the federal government. Further, while many of the impacts of the EO—and the details of the guidelines and best practices to be set by the National Institute of Standards and Technology (NIST)—are still unknown, in the long run, the EO will help companies save money: preventing a cyberattack is a lot less expensive than handling a major breach.
If you produce software or use software, this will matter to you. If you are not sure how, ask your chief information security officer (CISO). The best-case scenario is that you have a regularly scheduled board security session coming up, during which you can touch base with your CISO. If so, make sure the EO is on the agenda. If you don’t have regular meetings with your leadership team about cybersecurity, get together with your CISO soon, and then work on scheduling regular board-level cybersecurity briefings to reduce risk.
What to Discuss With Your CISO
1. Ask your CISO to work with industry and cybersecurity partners to collaborate with federal bodies on the NIST standards’ development. It’s like democracy: if you don’t vote or participate in civil discourse, then don’t complain about the system or those in office. It’s vital to get a seat at the table with NIST while the new standards are being formulated.
2. Determine how the EO will work, or not, with existing regulations in your industry and, if your company operates globally, with standards around the world. It is important to understand how the changes driven by the EO align with regulatory requirements from other agencies and countries.
3. Find out how the EO could affect your organization’s risk profile. As hinted at above, some companies fear that the breach information they would be compelled to provide under the EO could get them in trouble with other regulators. There are also concerns that the EO could trigger a greater number of lawsuits. How will these risks be addressed?
4. Get your CISO’s take on the changes that will need to be made at the company in the near and long term to reduce cyber risk. What are the highest-priority changes that would add the most value for the organization? Businesses that get on board with EO mandates quickly will be able to use compliance with the EO as a competitive differentiator.
Bob Kress is a managing director at Accenture Security where he is the co-chief operating officer and the global lead for quality and risk. He is responsible for identifying, assessing and managing risk for all Accenture Security business, and managing the quality of security services delivered to clients. Kress is also responsible for Accenture Security offerings to boards of directors, and is the Midwest region security lead.