What the Cyber Executive Order means to your business, a critique

As expected for many months, the Executive Order entitled ‘Improving Critical Infrastructure Cybersecurity’ has been signed and released. There are numerous write-ups providing analysis and perspectives. My favorites so far are from DWT , , and an article from American Banker.

What is important is that businesses and leaders weigh this against their own business. First, if you are not plainly considered infrastructure, you should analyze whether and how you support those industries, because if you do, you will need to meet and participate in the requirements that will roll forward from this EO. Second, if everybody is having serious problems maintaining their business’ confidentiality, integrity of operations, and availability of services against foes, competitors, and nation states (as highlighted hundreds of times over the last few years), how can executives, senior leadership, boards of directors, and owners not consider this a risk that requires mature and top performer attention?

As I reviewed the EO with several clients this week (and I was both impressed with their interest and startled in some cases when the conversations shifted to ‘I don’t have to do this .. do I?’), I thought I would share several top points raised… I’ll update the list below over the next few weeks as the discussions continue:

  • “Sec. 2. Critical Infrastructure. As used in this order, the term critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
    • Virtual is an interesting point that I raise below in the riddle ..
  • “4.12(c) of this order to ensure the timely production of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity.”

    • The use of the word ‘timely’ instead of ‘actionable’ was a highlighted point. The difference is that actionable means the information shared would be closer to real time, while timely may not meet this test.
  • [updated 2/18/13] “10.(c) Within 2 years after publication of the final Framework, consistent with.. and Executive Order.. (Identifying and Reducing Regulatory Burdens).., agencies..shall..report to OMB on any critical infrastructure subject to ineffective, conflicting, or excessively burdensome cybersecurity requirements.”
    • This is an important section that will hopefully drive cross-standard acceptance, and at least conform to the principle of establishing a unified corporate compliance framework, as I articulated in my book back in 2008.

A few riddles to debate and seek to understand:

  • Is Amazon’s AWS considered Critical Infrastructure? What about Microsoft Azure? Expand that generally: what elements of PaaS, SaaS, IaaS are critical infrastructure?
  • What if they ARE the infrastructure (you know, that whole ‘Cloud’ thing is a pretty huge market, and it is not always well understood what has shifted to a Cloud architecture)? Or what of the dependencies, to the point that the Critical Infrastructure itself relies on these services (logging, alerting, big data analytics, etc.)?

 

Still seeking,

James DeLuccia
