May 11, 2017

(WASHINGTON, D.C.) – The Internet Security Alliance (ISA) supports President Trump’s new executive order on cybersecurity.

The President’s order places responsibility for cybersecurity on agency heads, who are now directed to use a risk management model for cybersecurity programs. ISA supports this critical paradigm shift and is a long-standing proponent of using risk assessments to guide cybersecurity spending decisions.

Together with the National Association of Corporate Directors, the ISA has urged senior management and boards of directors to treat cybersecurity as a risk management problem affecting all parts of a company, and not merely an annoyance best overseen by IT department.

As a result, we are particularly heartened by the order’s finding that “Effective risk management requires agency heads to lead integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy, and human resources.” We couldn’t agree more: Viewing cybersecurity through the narrow lens of technology alone is a recipe for the status quo of insecurity.

When it comes to implementing the order’s sections on critical infrastructure, we urge the federal agencies charged with identifying “authorities and capabilities” that could bolster private sector cybersecurity to consider the positive role of incentives.

Incentives are a recognition that the public and private sectors face disparate risks and economic postures when it comes to cybersecurity. Unlike most of the private sector, the federal government has national security to consider, a level of threat beyond the abilities of most companies to secure against. Incentives need not necessarily be financial, since the government has at hand a slew of regulatory and administrative ways to reward companies for cybersecurity practices.

The ISA also greatly welcomes the order’s recognition that cybersecurity workforce development is a critical aspect of securing our country from cyberattacks.

To address cybersecurity workforce gaps, the federal government must focus on recruiting people to help fill the void, which like the issue itself, goes beyond technical expertise and runs to overall risk management. We need an integrated, multifaceted, targeted program with research-based messaging, just as the private sector would do when marketing any product or service.

Industry already operates a multitude of one-off outreach programs and we urge the federal government find ways to bring together these efforts so that consistent messaging reaches as broad a population as possible to secure the ecosystem, as opposed to a particular company. Government’s primary mission ought to be to coordinate with the private sector on these programs, rather than devising their own independent programs. Government can open doors, facilitate partnerships, and allow the private sector to be the major creators and operators of workforce-development programs.

 About ISA: The Internet Security Alliance (ISA) is a trade association with members from virtually every critical industry sector. ISA’s mission is to integrate advanced technology with economics and public policy to create a sustainable system of cybersecurity. ISA pursues three goals: thought leadership, policy advocacy and promoting sound security practices. ISA’s “Cybersecurity Social Contract” has been embraced as the model for government policy by both Republicans and Democrats. ISA also developed the Cyber Risk Handbook for the National Association of Corporate Directors. For more information about ISA, please visit or 703-907-7090.