Is CISA Empowerment the Key to America’s Cyber Success?

- Ben Card, CIPM, PMP, CISSP



Deservedly, much has been said about the White House Executive Order (EO) on Cybersecurity, and whether it may or may not be what the country needs to enable its agencies to reach a new, safer security profile. Seeing the evidence of how intensely foreign powers are directly investing in offensive cybersecurity programs—and with the SolarWinds, Microsoft Exchange, and Colonial Pipeline breaches fresh in our minds—all citizens of this country and other Western powers should be keenly interested in understanding how our leaders are actually going to protect the nation’s critical infrastructure and agencies.


For years the U.S. government has suffered from lack of focus, lack of funding, and lack of centralized leadership. Though the true effectiveness of the EO remains to be seen, one positive and specific outcome of the directive is that an agency has been tapped to take the authoritative, leadership role for federal cyber defense. Without continuous and fervent support from the White House and Congress, it’s unlikely that the agency will obtain sufficient funding, top talent recruitment, purchasing power, or influence on other agencies to accomplish its objective, but the situation is more hopeful now that the country is at least heading in the right direction.


Enter CISA – the Cybersecurity and Infrastructure Security Agency, which is a standalone United States federal agency under Department of Homeland Security oversight. CISA was established on November 16, 2018 when President Donald Trump signed into law the Cybersecurity and Infrastructure Security Agency Act of 2018. The evolving role of CISA is to improve cybersecurity across all levels of government, coordinate cybersecurity programs with U.S. states, and improve the government's cybersecurity protections against private and nation-state hackers.


If CISA can adopt the same principles already understood by organizations that have gained security maturity through years of striving for and maintaining security certification and compliance—namely thorough risk assessment, risk-based resource allocation, robust monitoring, and the use of external audits, consulting and penetration testing by experienced firms such as Webcheck Security—the transformation of the national security program is all but guaranteed. The only question now is how serious our leaders truly are about pursuing positive change.
