Does Biden’s executive order provide you clarity on implementing new cybersecurity compliance frameworks at your organization?
You have to know where to look. That’s why there are hygiene metrics. These frameworks are great because they create some kind of baseline, at least for discussions between companies. But if you're not asking the questions related to hygiene, you really aren't understanding how that company is operating. I was in biotech for the longest time, and when I moved over to tech I had whiplash from SOPs. It's a totally different strategy. Now I own driving integrity at my organization and making sure my teams understand what a secure Systems Development Life Cycle (SDLC) is—what does that really mean, and how are you testing for that?
This order doesn’t give me the granularity that I need, either as a vendor, a buyer of technology or even as an analyst. For data on the production floor of a manufacturing facility—and this is very apropos to the pipeline incident—is each Programmable Logic Controller (PLC) in each piece of equipment what you have to protect? Do you start at the physical device, the silicon, and then go up to a layer of firmware and then data? And if it's binary, do you focus on how the data is being created or how the data is being captured for use? There are a whole set of parameters around that. As professionals, I think the powers that be need to give us more.
Within 30 days of the order, the National Institute of Standards and Technology (NIST) is supposed to put out a request for feedback from the industry, whoever we are. But they've got a 90-day deadline to consolidate that, which would be August. It's not long from now.
I come from a pharmaceutical background where everything is run by Standard Operating Procedures (SOPs). Half my job was sitting in audits, talking to auditors who know nothing about IT, and I had to explain how it all works to them. So I can pass any checkbox audit, but that doesn't mean I'm secure or protecting my environment at all. Name the acronym—I’ve passed all those audits a million times over the last 15 years or so.