Dark Reading published an article on October 9 about the pending Executive Order on cyber security and what it will mean to an enterprise. As mentioned in a previous post, the executive order is the Obama administration’s response to the fact that Congress did not pass cybersecurity legislation, specifically the Cybersecurity Act of 2012.
Now while the Executive Order would be focused on national critical infrastructure, the article brings up some good points about what impacts and insights this could have on a business. The article noted that the Executive Order would not deal with one of the key points of the act, the sharing of information between government agencies. According to the article:
The issuance of an executive order would not address one of the key elements of the Cybersecurity Act of 2012 – information sharing between the private sector and government. According to former NSA Deputy Training Director Cedric Leighton, information-sharing has to span both sharing between the government and private sector as well as between entities in the private sector itself.
A key point about what businesses are looking for is stated in the article…more specifically three key items:
Rather than checklists, organizations are looking for three distinct things: the current state of a threat, what others are doing about security, and what are the guiding principles that should be considered when developing a security program and strategy, Granado argues. Protecting intellectual property means complicating the process of acquiring inappropriate access, detecting threats and neutralizing threats before they expand, he says.
As noted in the article, a purely defensive “knee-jerk” mentality is not enough and a pro-active stance is needed to effectively secure the information assets of the business and in turn improve the overall risk posture. The idea that the minimum is enough is not enough, that will leave business always behind a curve.