What Business Can Take Away From the Cybersecurity National Action Plan
In just a few years, cyber security has quickly evolved from simply an IT issue to one of national security, perhaps best illustrated by the White House’s announcement earlier this month of its Cybersecurity National Action Plan (CNAP). The CNAP outlines several initiatives to improve cyber security not only within and between government agencies but also within the United States as a whole, with programs aimed at building the skills of current and next-generation cyber professionals.
The strategies outlined by CNAP offer a look into what the administration views as the government’s most pressing cyber security issues, many of which business also contends with, and provide the corporate world with a simple blueprint for improving its own security posture.
Before an aging brick-and-mortar structure is remodeled, building inspectors and/or planning experts must determine that its foundation is sound. For government and business organizations alike, software and hardware provide the technological foundation for executing operations. A Chief Information Security Officer (CISO) ensures that foundation is strong enough to support day-to-day needs and potential stressors as they evolve. Acknowledging this, the current administration has set aside billions of dollars to modernize legacy software and equipment and appoint a CISO to oversee its implementation. However, when it comes to overhauling technology, most organizations find both funds and personnel limited. Without unlimited reserves, how can business keep up?
First, identify the highest-value and most at-risk assets and data, and then determine the IT resources that support them and require immediate improvements to remain effective. Focusing on the relationship between specific assets and data architecture can help keep within budgets and maintain scalability. To ensure that purchases of technological countermeasures positively affect security posture, align business, compliance and third-party requirements to a model such as the NIST Cybersecurity Framework.
In addition to government-wide technological updates, CNAP also creates a delegation of thought leaders in a wide range of fields to provide insight and counsel on national cyber security issues (the Commission on Enhancing National Cybersecurity). Businesses striving to mirror this should seek to appoint to their board members with an understanding of IT security issues, able to understand and communicate both the symbiotic relationship between business and cyber security and its potential impacts.
While many of CNAP’s proposals are more long-range and ambitious, including millions of dollars directed at grants and scholarships to close the cyber security gap, others are commonsensical, and any organization would do well to consider them. These include requiring two-factor authentication for account log-ins and having a plan in place for evaluating cyber incidents and coordinating a response.
CNAP’s mission is massive in scale and monetary requirements, but no matter the size or industry, comprehensive cybersecurity requires that businesses account for and invest in people, processes, and technology.