October 4, 2022
The United States is the #1 target for cybersecurity attacks in the world. 38% of targeted cybersecurity attacks so far in 2022 were aimed at the United States data and systems.[1] That’s alarming. And we see it in the news almost every day. Solarwinds, Colonial Pipeline, The Pulse Secure VPN zero-day… There’s an increasing number of threats and attacks, to the tune of 15.1% year over year.[2]
The public sector also relies heavily on private sector vendors. Many of the vendors that federal agencies leverage to route, process, and analyze security and observability data are the same ones enterprises use, like SentinelOne, CrowdStrike, and Splunk. This presents a challenge for a couple of reasons. First of all, the goal of an enterprise is to solve problems for customers and ultimately to make money, and getting that paper isn’t always in the best interest of the American public. And secondly, vendor lock-in starts to look a LOT scarier when it’s agencies of your federal government experiencing that lack of flexibility. Cyber attacks are getting more complex, and it’s happening fast. What if an agency needs to switch vendors to properly secure the nation?
On top of all that, agencies deal with all the same data pains that everyone else does, including a deluge of data and tool sprawl.[3]
The Biden Administration’s answer to these data challenges is Executive Order 14028. EO 14028 emphasizes cybersecurity as a national priority and mandates federal agencies to adapt to today’s continuously changing threat environment. As follow-on guidance to the Executive Order, the Office of Management and Budget (OMB) issued several memorandums meant to give guidance around how exactly we go about improving the nation’s cybersecurity. M-21-31 lays out a maturity model for logging, M-22-01 has guidance on endpoint detection and response (EDR) best practices, M-22-09 mandates a zero trust model for agencies, M-22-16 walks through zero trust architecture (ZTA) implementation and IT modernization, and the newest memo, M-22-18, walks through secure software development practices for the supply chain.
Federal agencies are being asked to do a lot as it relates to cybersecurity, and they’re being asked to do those things by a certain date. It’s incredibly stressful, and stress often gives way to misconceptions. In this blog post, I’ll touch on 3 common misconceptions about EO 14028: Improving the Nation’s Cybersecurity.
Most people think an executive order comes down out of the sky, lands on a CISO’s desk, and then those agencies have to scramble to comply. That’s simply not true. I’ve spent many hours talking to agency CISOs and CIOs (some of them oversee multiple agencies), and one of the things I kept hearing from them was this: They had already been looking to do what the Executive Order was mandating.
“Of course I want to move to a zero trust model. I’ve been transitioning our agencies for over a year.”
“One of my agencies prefers to build their own tools, and another one always buys. I need data to flow seamlessly between them.”
“I want and need to retain more data for longer, and I’m trying to. I’m just not sure how to get it done cost effectively.”
So what actually is happening is agency CISOs and CIOs have been working to improve their cybersecurity practices for quite some time; it’s just more important now than ever.
That last quote above is super telling and highlights a real pain point that I see not only in Fed, but in SLED and at many enterprises. How do I strike that perfect balance between cost, flexibility, and control? It can seem impossible.
The fact of the matter is that not having a data pipelining engine, not having a centralized control plane, is expensive. Data volumes are constantly going up year after year, which makes it difficult to manage all that data, and it’s often not in the most cost-effective destinations. Introducing an observability pipeline into your environment (even for security data) will streamline operations and actually save you time and money moving forward.
We’ve all been there. You want to bring a shiny new tool or software into your organization, and you’re confident it will solve all your problems and help you meet your mission or business goals. And what happens next?
That’s right. Enter the dissenters.
“Did you look at Tool B? It costs way less.” –Economic Buyer
“We’ve already got a tool that does this. Why do we need something new?” –Guy that brought Tool That Does ThisTM to the organization
“I need the software to do this. Does it? Are you sure?” –Threat Analyst #703
At first, it can feel like you’ll never get it done. I want to clear up this misconception as well. When it comes to this Executive Order, you have to remember the title of it: Improving the Nation’s Cybersecurity. People can always argue with you about which tool you want to buy. They cannot argue that we don’t need to improve our nation’s cybersecurity. Sell the mission, not the tool.
In summary, sometimes it seems like executive orders and memorandums just appear out of thin air, and agency CISOs and CIOs get left scrambling to comply. While they still have to follow EO directives and memo guidance, rather than simply reacting to them, executive orders and memorandums can be a proactive tool for agency leaders to push their data initiatives forward.
That said, there are a few misconceptions about the timeline and how exactly to get that done. I hope I’ve cleared those up for you in this post. If you’re interested in continuing the conversation and learning 3 tricks on how to flip the script as you work to comply with Executive Order 14028, check out our on-demand webinar: Jedi Mind Tricks and The Executive Order.