The Ripples of Executive Order 14028: 5 Questions Your Board Should Be Asking Now

August 3, 2022

A sweeping cybersecurity initiative that began in the U.S. federal sector in 2021 has since spurred security conversations in private organizations across the country.

Catalyzed by the cyber threat trends of the pandemic years, including a sharp rise in ransomware attacks, the United States government issued Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” in May 2021. The order is aimed primarily at federal agencies and the vendors that supply them: it directs agencies toward zero trust architectures, multifactor authentication and encryption, and improved logging, and it sets new security requirements for the software the government buys. Less than a year later, in March 2022, the Securities and Exchange Commission (SEC) proposed rules that would require all publicly traded companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material, and to submit periodic reports on how they manage cybersecurity risk. According to the press release, the proposal also requires “periodic reporting about a registrant’s policies and procedures to identify and manage cybersecurity risks; the registrant’s board of directors' oversight of cybersecurity risk; and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures.”

At a high level, these initiatives mean that U.S. organizations now face expectations from federal regulators to invest in their cybersecurity programs in order to meet new compliance requirements. More specifically, they push companies across all sectors to treat cyber risk management as a built-in part of how the business runs rather than as an add-on.

This brings us to the board and the C-suite, whose members make difficult decisions for the greater good of a company. Today those decisions include how the enterprise handles cyber incidents and attacks. Board members must therefore position themselves as well as they can to make the hardest choices for their organization, and that starts with asking the right questions.

Here are the top five questions that board members should be asking now to keep ahead of the curve:

  1. Enterprise Cybersecurity Strategy:
    Do we have a strategy and roadmap to address our threat profile?

    First and foremost, it’s critical to establish a holistic cybersecurity strategy that covers both the current state and the target state. This means having the most up-to-date and accurate picture possible of the enterprise’s attack surface and security posture, which includes identifying and categorizing the gaps in its cyber resilience capabilities and the plans to close them. Any effective cyber strategy should also include a cyber recovery plan that assumes an attack will eventually succeed. That is why Optiv developed its Cyber Recovery Solution (CRS) as a targeted, highly customized program that helps board members prepare their companies for cyberattacks and recover efficiently when one occurs.

  2. Privacy Compliance:
    Are we in compliance with all applicable privacy and regulatory laws in every geographical region where we have a presence?

    The complexities of an increasingly connected world, coupled with digital transformation, mean that the modern enterprise has many moving pieces to track. Too many, in fact, to treat its myriad compliance requirements as an afterthought. Rather than an amendment to the security program, compliance should be built into the culture of the organization. CRS engagements draw on Optiv’s technology partnerships to consider compliance at every step, helping organizations adhere to industry best practices, privacy laws and regulations while aligning with the expectations set by the SEC and other regulatory bodies.

  3. Cybersecurity Policies:
    Are policies, standards and procedures specific to cybersecurity established, functional and measurable?

    It’s one thing to have a cybersecurity program in place. But if its processes aren’t implemented, governed and monitored properly, threats will slip past your defenses. As part of a larger cyber resiliency program that assesses current-state infrastructure and readiness, CRS is custom-built to evolve alongside the business and its changing needs. What’s more, the solution tests capabilities programmatically and on a recurring basis so that they keep pace with new and unpredictable threats.

  4. Cyber Risk:
    Is risk "baked in" to the company strategies as set by the board?

    Business risk and cyber risk are now inseparable, which makes risk oversight a board-level issue. The parts of an organization that were traditionally siloed therefore need to be considered holistically. Today’s fast-moving threats, and their potential to harm a business well after an attack is over, mean that every member of the enterprise has a role to play in safeguarding it. Risk can and should be reduced by every employee, from the boardroom to the loading dock. Providing a cyber risk management framework, CRS is designed to build cyber resilience across all facets of the organization while uniting its people, processes and technology to manage risk continuously and comprehensively.

  5. Cyber Incident Response:
    Did we involve business operations in cyber incident response planning so that mission/business-critical processes and systems are available when crises occur?

    Current events and an expanding global attack surface indicate that suffering a cyber incident is only a matter of time for virtually any organization. CRS helps you identify your mission-critical assets (systems, applications, data and resources), then helps protect them in an immutable, air-gapped vault. The solution then establishes an incident response action plan for rapid recovery in the event of an attack, returning operations to normal sooner and limiting the damage to the business.

While EO 14028 is aimed mainly at federal agencies, its guidance on securing software supply chains and verifying third parties is relevant and applicable across every industry vertical. And with the SEC’s proposed rules moving toward adoption, there is no better time than now to start asking the right questions at the boardroom table.

Jessica Hetrick
VP, Services | OPTIV + CLEARSHARK
Jessica is an accomplished senior cybersecurity business leader and practitioner with more than a decade of experience in services and security operations. She serves as the head of Services for Optiv + ClearShark, a cybersecurity and IT solutions provider focused exclusively on serving the U.S. federal government. In her role at Optiv + ClearShark, she is a member of Optiv’s operating leadership group and is responsible for building and providing best-in-class services capabilities for the U.S. public sector and the vendor community.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.