Digitally Weaving Zero Trust


BLUF

President Biden’s EO 14028 challenges the entire US government cyber ecosystem to rethink how we weave various digital components – inclusion, security, trust – into the digital fabric we rely upon. Here we start unpacking the various threads that need to be woven into future developments.

Background

In looking at the Zero Trust model cited in Biden’s new Executive Order 14028, it’s clear a new path is being charted for USG organisations and their contract support. Many major firms are at a bit of a loss, looking to continue their government contracts but unsure how to incorporate the new security requirements. In part this stems from their perspective on security, which they see as an overhead or an addition to what they are actually building, using or provisioning. As an organisational paradigm, treating cyber security as a cost centre misses the mark, creating unnecessary challenges that the response to EO 14028 has highlighted. Whilst we are reframing the new build, further considerations come to the fore.

Business reliance on uninterrupted customer experience: There is a reason the business adds security later in the process – it competes with their priority to deliver seamless services through digital products and services. Even when the core business is not digital, there is a cyber element in the customer experience. Until security is threaded through the build, it will continue to be a problem in delivery.

Inclusion of assistive tech/ IoT/ BYOD etc.: Another element attached afterwards: devices that provide a variety of additional access points to bring people together, threaded through the digital experience. Whether they add functional aspects otherwise absent or increase access and visibility, bilateral security is essential. Many start by looking at the risk a user brings. What risk does the organisation bring to the user?

Third-party ecosystems: Not only will the USG and its contractors be appraised, but also the subcontractors (to the nth degree). Maintaining control of supply-chain network traffic and maintaining confidence in securing those aspects that need protection will require trust – which sounds like the antithesis of Zero Trust (it’s not, honestly). How we build trust between organisations using the Zero Trust framework will be another endeavour entirely.

These are a few threads tied onto an organisation’s cyber considerations. Shifting USG security requirements to a more aggressive model like Zero Trust means we need to rethink how we weave various components into the fabric of the digital offerings.

Trust is a social currency. Can we apply the same characteristics to cyber security as we build it out?

A post for later certainly; not a ‘can’ but rather a ‘must.’

-scl