The challenges we face as cybersecurity leaders can feel like a Cat 4 hurricane at times. The federal government has long played a key role in cybersecurity for the public good – but what effect are policies from the new administration having? While there are some good steps being taken and plans that may prove beneficial in the long run, we may see an intensification to a Cat 5 cybersecurity hurricane in the near term before sunlight.
Actions the new administration has taken that should help our cybersecurity defenses include “The National Resilience Strategy and National Risk Register” Executive Order; the appointment of Katie Arrington, a key figure in developing the Cybersecurity Maturity Model Certification program, as DoD CISO; the General Services Administration’s FedRAMP 20X initiative; the SEC’s new Cyber and Emerging Technologies Unit (CETU); and the push to empower state and local governments to take a larger role in cybersecurity. There are others in the works, too.
On the other side of the ledger, uncertainty driven by cuts in federal programs and tariffs is making cybersecurity funding tougher than ever. On top of that, CISA funding cuts and brain drain from separations of staff, the halting of Government Coordinating Councils, the dismantling of the Cyber Safety Review Board, the firing of the Director and Deputy Director of the NSA, and the actions against former CISA Director Chris Krebs are very concerning.
The shift of responsibility to state and local authorities could eventually work better, but with reductions in federal support and resources happening now, are state and local authorities prepared to step up? In twenty years as a CISO for a Fortune 100 company, I can recall almost zero involvement with state or local authorities on cybersecurity – how quickly can they ramp up and what happens until they do?
Like the financial markets, it seems that cybersecurity leaders need to be in “weathering the storm” mode until there is time for the administration’s new programs to bake. Leaders can adopt strategies to mitigate the impact on their security posture in the meantime, such as:
Adopt a risk-based approach to prioritization:
While you do this already, it now needs to be on steroids. Concentrate efforts and resources on the most impactful work you control, allocating resources to the most critical vulnerabilities and the highest risk reduction.
Focus on efficiency:
Automate repetitive tasks like patching, compliance reporting, data collection, vulnerability triage, and IT hygiene, and hone incident response actions.
Optimize operations by eliminating redundant processes or tools and transitioning to more efficient workflows.
Demonstrate value:
Define and track security and risk metrics that show the impact your program has on the organization's mission.
Strengthen collaboration:
Enhance collaboration and information sharing with state and local agencies, industry partners, and private entities.
Form coalitions with similar organizations to share best practices and solutions to common challenges.
Invest in your people and culture:
With potentially fewer dollars for technology expansion, double down on security awareness training to help fill the gap.
Establish yourself as a clear, honest, and empathetic leader to maintain team morale, focus, and a sense of purpose.
Refine plans and playbooks to adapt to potential staffing changes.
Get the most from your vendors and tools:
Your vendor partners can read the tea leaves, and they know what their customers are going through. Work with them to tune and ensure you are maximizing the value you are getting from their products and services.
If the cyber world temporarily grows to be a Cat 5 hurricane, actions like these can help your program and organization weather the storm. Be proactive and plan for that scenario, so you can come out stronger when the clouds clear.
Paul, I would hope most organizations did not wait until this Cat 4 hurricane to adopt/implement the strategies you listed. At this point in time, I would hope most organizations should have at least 50% in place and maybe 10%-25% in the works or planning phase. These are not new strategies; these are basic actions to move their security maturity.