Cyber Informed Engineering (CIE), Secure By Design, SBOMs for all and everywhere, and large monitoring networks bringing back all sorts of data for visibility and analysis. These large programs, largely driven by government, make so much sense. 

Who wouldn’t want a full course of security embedded into engineering with a methodology and new entrants fully trained on CIE? Who wouldn’t want the ability to know everything that is in every product or see every attack packet going over the network? It all sounds so logical.

As does standing up, one of the most popular .gov terms, new departments, projects and programs that will provide the people and power to tackle some of the big critical infrastructure cybersecurity problems. A lot of the objectives in the Cyberspace Solarium Commission involved setting up organizations and roles to address these problems. 

The concern is how long will we need to wait to see the wins from all this work? Not the implementation wins like in the Solarium scorecard or documents describing the CIE. The actual wins where this is helping us reduce cyber risk to the critical infrastructure.

What are the early wins, in the first year, that we should see from these multi-year efforts and projects? We don’t want to spend 3, 5 or 10 years going down a path before realizing it won’t deliver.

It’s a hard question, and an important question.