Overall, was Biden’s executive order a net-positive for the cybersecurity industry?
Sort by:
Anything is positive. The requirement to report within a certain date is great, but that wouldn't help any of the departments or companies that don't know that they've been breached. So it's not going so far as to say that if you do know about a breach then you have an obligation to report. In California, we already have regulations requiring us to report if any of the consumers’ PII has been stolen, but it's not doing that much to help proactively identify a breach.
Regardless of what sector we're in, an EO written like this has some ripple effects that will affect security, CIOs, and board members in different ways. Some of it is directional towards federal agencies, but some of the order has broader implications which will have a tail going across a wide variety of industries. Being aware of these developments is helpful from a planning perspective, but you can also point to this executive order and ask suppliers or third parties that you're involved with what they're doing about it and integrate that into your third-party risk management.
You can find the full executive order here: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
The primary thing that I liked about this executive order was that it's using the purchasing power of the US to effect some change. That's probably an over-simplification, but there's certainly a lot of that: Political moves that might move the needle a little bit, but broadly might not do a whole lot. There's a decent amount in the order on effecting change in supply chain security, which is pretty solid. I'm a big believer in NIST and their guidelines, and if people followed those guidelines even directionally it would make a big difference. I was actually pleased to see that it was more NIST-focused to define things in the software supply chain.