With risk accountability, and a resilient, sustainable cyber workforce for all...

The recently signed executive order is critical with so much happening in cybersecurity

[Photo: the Oval Office, White House. Credit: REUTERS/Jonathan Ernst]

Two areas emphasized in the recently signed executive order on cybersecurity are very promising developments: the elevation of risk management to an enterprise-level priority, and the emphasis on workforce development. Holding a federal department's leaders accountable for implementing adequate risk management, technology governance and cybersecurity clearly signals the administration's belief in the importance of these enterprise elements. It also places the federal government on the same footing as private-sector enterprises that already operate with such accountability in place.

The United States' public sector received a pointed reminder of why risk management and cybersecurity are enterprise-level concerns; ironically, it came within a day of the signing of this executive order. On May 12, hospitals across the United Kingdom's National Health Service were compromised by the WannaCry ransomware worm, part of a global criminal cyberattack that spread through unpatched systems.

However, this is not merely about risk management and cybersecurity; it is about the professionals who carry out those activities. Provisions of this executive order call for swift and thorough federal agency assessments of what is working and what needs improvement; other significant provisions reference the need for a stronger, larger cyber workforce.

Even more important than a "stronger, larger" cyber workforce, though, is a resilient and sustainable one: a workforce with a strong pipeline of talent, engaged in a continuous cycle of training. Ideally, a position in this cybersecurity workforce should be comparable in salary, benefits and resources to similar posts in the private sector. The federal government, though, is simply not set up for such an environment. Creating it requires re-envisioning what it means to be a public sector cybersecurity professional in the United States. Change may be difficult, but incidents like the May 12 ransomware attacks remind us that it is necessary.

Improving risk management and cybersecurity and creating a sustainable cybersecurity workforce cannot be our sole goals. Information security and cybersecurity must become more integrated into the fabric of both the federal government and the public sector at large. State-of-the-art technology and a robust workforce will only take you so far. Changing the long-term patterns of an enterprise, which means creating an organizational culture of cybersecurity, is critical to improving security in a sustainable manner. Only when that culture is in place will the efforts of the larger government workforce complement the efforts of an improved and resilient cyber workforce.

Congress also needs to act

There is also a need to modernize government technology, a need Congress is already taking steps to address. The Modernizing Government Technology Act, which saw slow progress in the prior Congressional session, is progressing at a swifter pace in the current session. Legacy systems are vulnerable systems: many no longer receive vendor security patches at all, and for those that do, patching alone cannot compensate for an outdated or unsupported platform. Most importantly, if you are focused on upgrading the public sector cybersecurity workforce, making risk management a priority, and integrating cybersecurity and risk management throughout all facets of a public sector enterprise, it is counterproductive to make those improvements without improving government technology as well.

We look forward to learning more over the coming months from the reports generated as a result of this executive order, as they will play a key role in shaping the cybersecurity policies of this administration.

Cybersecurity within the public sector is at a critical juncture. Governments face the need to update legacy systems and to increase security, and to do so in an environment in which the threat landscape keeps evolving and fiscal constraints are a constant concern. Safeguarding a nation, or even a local community, is not about protecting computers from attack. It is about protecting the citizens for whom you are responsible.

With this goal in mind, this executive order offers promise through its initial strides forward. By working toward a public sector in which cybersecurity and risk management accountability are priorities that permeate organizations, in which state-of-the-art equipment is in use, and in which a sustainable, resilient workforce is in place, the federal government and the entire public sector will finally be on a path toward comprehensive and responsive cybersecurity.

This article is published as part of the IDG Contributor Network.
