As Federal agencies work through the second year of implementing the Biden administration’s cybersecurity executive order issued in May 2021, one benefit not enumerated in the order is coming into view: chief information officers (CIOs) and security officials are getting a bigger seat at the table with agency leadership.
That was one of the takeaways from Bob Costello, chief information officer (CIO) at the Cybersecurity and Infrastructure Security Agency (CISA), who spoke at an ATARC event on Nov. 8 that centered on implementation of the executive order.
“I think what we’ve also seen as a result of the executive order – and that sometimes what we see from many executive orders – is attention at the highest levels,” Costello said.
“I think that you’ve seen many CIOs now have an increased seat at the table, as well as CISOs [chief information security officers] and others” on the security issues that the executive order covers, he said.
“You’re seeing secretaries, assistant secretaries, and others asking really good questions about where are we in our implementation” of the order, he said, adding, “you know, what is zero trust? What are we doing to secure our systems?”
“I think that that’s a very important fact [about] the executive order is the increased awareness of how critical it is that we’re implementing some of these basic steps,” Costello said. “I think a lot of us that maybe have a highly technical background, we read the executive order, [and ask] why wouldn’t anyone be doing these things already, or already have a path to doing them? Why wouldn’t you have logging?”
“I think what we see is that often … IT systems are rolled out to sort of function [and] security wasn’t baked in from the start,” he said. “We really need to change that.”
Speaking about other positive developments tied to the cybersecurity executive order, Costello said he’s seen an increase in government-industry collaboration to accomplish the order’s aims.
He also said that CISA’s endpoint detection and response (EDR) initiative – a centerpiece of the agency’s Continuous Diagnostics and Mitigation Program – “has gone very, very well and has really increased CISA’s visibility into what’s happening across the Federal branches.”
Finally, he said CISA is increasing its meetings with industry, including holding industry-day events on a monthly basis. “We want to talk to industry and we want to have effective engagement,” the CIO said.