On March 1, 2023, the US White House released the long-awaited National Cybersecurity Strategy. As a product manager, I am often the voice of the customer, and our customer’s should be excited about this strategy. Throughout the strategy it is clear that the needs of the end users have been prioritized compared to other stakeholders. After reading this cover to cover, here are some nuggets of insight that our customers should be aware of.
1. Resilient Digital Ecosystem
On page one, it states:
“Our goal is a defensible, resilient digital ecosystem where it is costlier to attack systems than defend them, where sensitive or private information is secure and protected, and where neither incidents nor errors cascade into catastrophic, systemic consequences.”
This is a lofty goal and is in many ways overdue. Underlying this goal is the ability to “know and understand” your cyber ecosystem. At a minimum, without collecting and analyzing the critical logs from all of your assets, you’ll be blind to potential threats. In that blindspot, the adversaries will always win.
On the flip side, Devo stores sensitive information all the time, and our platform could become under attack. This is where our FedRAMP journey began, and where it continues. Devo is currently FedRAMP “in-process”, and FedRAMP has given us the opportunity to think about how we handle and protect data across the company (among an endless number of other things).
2. Shifting Liability
The strategy includes shifting liability from customers and end-users to software providers, such as Devo. This will certainly cause concern across the software industry, especially for vendors that develop security products. Companies need to step up this challenge. The strategy does include a safe harbor framework if a company meets minimum standards. It’ll be interesting to see what those exact standards will become. Maybe everyone will have to meet the same FedRAMP standard as Devo is committed to today.
But what does this mean for Devo’s customers? It means that customers will continue the shift away from on-premises security software to cloud-native security software. If customers are responsible for maintaining an on-premises application they’ll have a harder time to shift liability vs. relying on a cloud-native application such as Devo.
3. Zero Trust
Throughout the strategy document, Zero Trust is mentioned as a priority for the Federal Government. While the government can’t mandate zero trust to non-federal entities, it’s clear that implementing zero trust will soon become each agency’s priority, if it isn’t already. The strategy goes as far as calling for the removal of legacy systems incapable of supporting Zero Trust.
Zero Trust is built on a foundation of knowledge, as in “I know that I can trust this component, but not this component.” That knowledge is developed through understanding the system through analyzing its logs, looking at logs from a variety of security products associated with that component, and blending this with an understanding of the current threat environment towards an end goal of determining if that component is trustworthy.
This can be a complex process, and that’s where Devo comes in. We can ingest all of those logs, leverage AI/ML to understand them, and then act on that decision through our SOAR. If you look at any of the government Zero Trust Architecture documents, you’ll find logging, SIEM, and SOAR capabilities in each of them, and Devo has all three.
The new strategy is 39 pages long, and I’ve only covered the highlights in this blog post. I agree with President Biden when he says “… our world is at an inflection point.” With respect to cybersecurity, we certainly are. Many have seen this coming for a while, and others may be surprised.
The value of a resilient digital ecosystem can’t be understated, and cloud native cybersecurity products such as Devo are at the core of the necessary protections to make this a reality. I look forward to seeing the administration and Congress transform this strategy into policies, laws, and no doubt, even more executive orders.