At my recent talk at ISACA-LA, titled “Cybersecurity in Trump Era”, I walked the audience through the areas that vendors, enterprises, and auditors need to watch in order to be prepared for anticipated changes in Federal cybersecurity legislation. The presentation was lengthy, so here are some brief highlights:
- Trump has signed an executive order extending the previous Obama administration executive order on cybersecurity. The original expectation (which did not materialize) was that Trump would sign a new plan creating a “shared services” model across government agencies. The extension also implies continued heavy reliance on NIST standards, including SP 800-53 and the practice guides from the NCCoE.
- Federal, state, and industry-specific laws are being created that supplement, overlap with, or even conflict with one another. For example, the recent New York State cybersecurity regulation for financial institutions (23 NYCRR Part 500) imposes additional cybersecurity requirements on the institutions it covers, with only limited exemptions for the smallest organizations.
- Fragmentation of regulatory policy is accelerating across the US and the globe. For example, with the UK leaving the EU, how will GDPR apply (or not) to UK-based organizations doing business with EU and US nationals?
I also discussed ways to help insulate organizations from the expected rapid changes in both regulation and technical implementation options. The two key approaches discussed were:
- Leverage policy-based approaches to security and compliance: express the business or legal requirement once, as policy, and evaluate each system against it. That way a new regulation changes the policy, not each and every technology implementation.
- Assume that encryption will be a key element of any current or future change. Get comfortable not only with implementing encryption but also with managing it, including the lifecycle of encryption keys (generation, storage, rotation, and revocation) and the principle of zero trust.
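To make the two approaches concrete, here is a small policy-as-code evaluator. It is an added illustration, not code from the presentation or from any product: the asset inventory, the rule identifiers (ENC-1, KEY-1, KEY-2), the rotation limits and the date are all constructed for the example. Policy is declared as data (which assets a rule applies to, what condition must hold) and evaluated against the inventory; tightening a regulatory requirement such as key rotation from 365 to 90 days is a one-argument change to the policy, while the systems and the checking code stay the same.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, List, Optional, Tuple


@dataclass
class Asset:
    """One inventoried system. All values below are constructed sample data."""
    name: str
    kind: str                        # "database", "object-store", "fileshare", "laptop"
    encrypted_at_rest: bool
    key_last_rotated: Optional[date] # None means no managed key exists
    key_in_kms: bool                 # key held in a KMS/HSM rather than in app config


@dataclass
class Policy:
    """A rule expressed as data: scope predicate plus compliance predicate."""
    rule_id: str
    description: str
    applies_to: Callable[[Asset], bool]
    check: Callable[[Asset], bool]


def max_key_age(days: int, today: date) -> Callable[[Asset], bool]:
    """Build a check that passes only if a key exists and was rotated within `days`."""
    def _check(a: Asset) -> bool:
        return a.key_last_rotated is not None and (today - a.key_last_rotated).days <= days
    return _check


def build_policies(max_rotation_days: int, today: date) -> List[Policy]:
    """The regulatory requirement lives here, not in the systems being checked.
    Rule IDs are hypothetical labels for this example."""
    return [
        Policy("ENC-1", "Data at rest must be encrypted",
               applies_to=lambda a: True,
               check=lambda a: a.encrypted_at_rest),
        Policy("KEY-1", f"Encryption keys must be rotated within {max_rotation_days} days",
               applies_to=lambda a: a.encrypted_at_rest,
               check=max_key_age(max_rotation_days, today)),
        Policy("KEY-2", "Keys for server-side stores must be held in a KMS/HSM",
               applies_to=lambda a: a.kind != "laptop",
               check=lambda a: a.key_in_kms),
    ]


def evaluate(assets: List[Asset], policies: List[Policy]) -> List[Tuple[str, str]]:
    """Return (rule_id, asset_name) for every applicable rule an asset fails."""
    return [(p.rule_id, a.name)
            for p in policies
            for a in assets
            if p.applies_to(a) and not p.check(a)]


# Constructed inventory and evaluation date; no real systems are described here.
AS_OF = date(2017, 6, 1)
INVENTORY = [
    Asset("customer-db", "database", True, date(2017, 1, 15), True),
    Asset("backup-bucket", "object-store", True, date(2016, 3, 1), True),
    Asset("legacy-fileshare", "fileshare", False, None, False),
    Asset("exec-laptop", "laptop", True, date(2017, 4, 1), False),
]


if __name__ == "__main__":
    for limit in (365, 90):
        print(f"--- key rotation limit: {limit} days ---")
        for rule_id, asset in evaluate(INVENTORY, build_policies(limit, AS_OF)):
            print(f"FAIL {rule_id}: {asset}")
```

Under a 365-day rotation limit the unencrypted fileshare fails ENC-1 and KEY-2 and the backup bucket fails KEY-1; tightening the limit to 90 days additionally flags the customer database, without touching the inventory or the evaluator. The same shape extends naturally: a new regulation becomes a new `Policy` entry, and a new system becomes a new `Asset` fed from whatever discovery tooling you already have.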
For a long while, what happened in politics did not seem to affect IT organizations. That has now changed with the rise of the cloud, the accelerating speed and complexity of cyber attacks, and the shortage of qualified cyber professionals to handle a technical response.
Let us know if you would like more information or further details from the ISACA presentation.