CISA leader repeatedly emphasizes the need for executive teams and boards to assume responsibility for cybersecurity risks.
In a series of recommendations, Jen Easterly, the outgoing director of the Cybersecurity and Infrastructure Security Agency (CISA), has called on board members and organizations to prioritize cybersecurity in the face of increasing threats, particularly against critical infrastructure.
Easterly emphasized the importance of enforcing multi-factor authentication (MFA) across all cloud, IT, and operational technology (OT) systems to protect against credential theft and phishing campaigns. She also suggested promptly patching every Internet-facing asset to reduce vulnerabilities that attackers could exploit.
The former CISA director also recommended segmenting networks and increasing monitoring and detection capabilities on OT traffic to limit the scope and impact of potential intrusions. Conducting tabletop cybersecurity drills, especially scenario-based exercises involving industrial control systems (ICS), was also highlighted as a crucial step to prepare incident responders and decision-makers.
Easterly also suggested subscribing to Information Sharing and Analysis Center (ISAC) alerts to receive real-time intelligence on emerging threats, and reporting suspicious activity immediately to CISA or the FBI.
Easterly stressed that these steps form a familiar playbook for defending against threats like wipers disguised as ransomware and attacks targeting critical infrastructure such as water systems, energy pipelines, and government networks. She warned that the cybersecurity environment demands continuous vigilance and preparation due to the increased likelihood of malicious cyber activities, especially in the context of geopolitical tensions such as those involving Iran.
While focusing on technical and operational practices, Easterly also emphasized the need for board members to prioritize cybersecurity governance, resource allocation, and leadership involvement to ensure these protective measures are implemented and maintained effectively within their organizations.
Easterly encouraged CEOs and boards to actively embrace corporate cyber responsibility as a matter of good governance and view cybersecurity as a strategic business risk. She also advocated for the development of common standards for cybersecurity to ensure the safety of organizations.
The push for stronger cybersecurity governance comes at a time when the U.S. is facing sophisticated cyberattacks against critical infrastructure from nation-state adversaries, including China and Russia. Harry Coker Jr., the National Cyber Director, has warned about the need for increased deterrence against malicious cyber activity from these adversaries.
About 260 companies have signed CISA's Secure by Design pledge, a voluntary initiative aimed at encouraging technology and other companies to adopt secure development practices. Board members are advised to ensure cyber risk considerations are fully integrated into business, technology, and software acquisition decisions and to review and develop common standards for the company's cyber risk framework.
- The former CISA director, Jen Easterly, advocates for businesses to prioritize cybersecurity governance by integrating cyber risk considerations into their business, technology, and software acquisition decisions.
- Easterly encourages CEOs and boards to view cybersecurity as a strategic business risk and to actively embrace corporate cyber responsibility as a matter of good governance.
- Subscribing to Information Sharing and Analysis Centers (ISAC) alerts can provide organizations with real-time threat intelligence to better understand and mitigate emerging cyber risks, according to Jen Easterly.