The Cybersecurity Executive Order is a welcome, positive move—a long-needed call to action that will help many organizations to do the basics brilliantly. More on those basics in a moment. But first, there are many unanswered questions. This is a good thing because it means there is time for companies to study the executive order and engage with partners and government authorities to work out the devilish details. Participating in the rulemaking processes will put companies in a position to not only meet the requirements but thrive in the new environment—where companies’ security practices will become part of their competitive edge. 

A big swing of the bat that we applaud

This is the most promising, farthest-reaching move we've seen the federal government take to secure the U.S. If we can operationalize these changes, it's a major strike against cybercriminals, one that will increase their cost of doing business while reducing our costs.  

Think of all the money companies are spending now to deal with the attacks that make it into and through their systems. The ransomware attacks. The data exfiltration. The denial-of-service attacks. The damage to reputations, degradation of shareholder value, the regulatory fines, and the angry people whose information has been stolen. If this executive order does what it is intended to do, shifting the emphasis from reaction to prevention, the net should be reduced costs for companies.

We expect and hope that the executive order will drive significant changes in companies’ secure software design and operations, EDR plans and real-time information sharing. If industry and government follow through on this promise, it will raise the security bar for everyone—improving resilience for U.S. companies and as a result, the resilience of America to cyber-attacks.


About those 'basics'

When we talk about helping companies become brilliant at the basics, we're describing things like security hygiene; rigorous industry-specific controls; effective access management controls; continuous patching; ensuring visibility into and protection of 'crown jewel' data; comprehensive backup and recovery strategies; and crisis management/incident response planning. When we do these things better, everybody will be better off.

The 'trickle down' benefits

As the various elements of the order are implemented over time, we believe there will be multiple, significant benefits for companies that follow the order's lead, including:

  • More secure software design.
  • More secure supply chains.
  • More emphasis on easier-to-secure (and business-driving) digital technologies such as cloud, zero trust, MFA everywhere, incident tracking and reporting and other technologies such as SaaS and PaaS.
  • The opportunity to wield improved cybersecurity as a true differentiator in the marketplace, thus generating not only more work with the federal government, but more work with leading businesses who are likely to adopt these same requirements for their vendors.
  • More transparent, trustworthy relationships between government and business and between businesses.

Ready to put some skin in the game?

Companies, and CISOs in particular, need to quickly assess their ability to meet these standards and, beyond that, consider how to apply them. And this is important: companies need to work together, and with their industry and cybersecurity partners, to participate in defining what the final standards should look like. The direction has been set by the government; now it is up to us to define how to implement these standards.

Finally, this is a key moment to bring cybersecurity to the board room.  The secure software requirements in particular create an opportunity for both CISOs and CIOs to engage boards and CEOs about reshaping their strategies and investments to meet and lead with more secure products, not minimum viable products.  This is what we expect to become a new, more secure normal.  

This is a key moment

In short, it's an opportunity for all organizations to raise the security bar—improving resilience for U.S. companies and as a result, the resilience of America to cyber-attacks. Let's get after it. 

Accenture Security 

Accenture Security helps organizations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture helps organizations protect their valuable assets, end-to-end. With services that include strategy and risk management, cyber defence, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report. 

Copyright © 2021 Accenture. All rights reserved. 

Kelly Bissell

Lead – Accenture Security
