CISA Walks the Walk on Cyber Strategy

8–7–2023 (Monday)

Hello and welcome to another edition of The Intentional Brief - your weekly video update on the one big thing in cybersecurity for investors and management teams of growth stage companies.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, August 7, 2023 and we’re continuing the theme of long tail vulnerabilities. But - like last week - that’s not the one big thing.

When we say “one big thing” - we mean the one with the most impact. And this week, that was a Friday announcement by the Cybersecurity and Infrastructure Security Agency (CISA) releasing their Cybersecurity Strategic Plan.

CISA Walks The Walk on Cyber Strategy

First, I think it’s worth a little reminder on CISA as an agency, and their role, mandate, and charter. Part of the Department of Homeland Security here in the US, CISA was only formed in 2018. Their first Director, Chris Krebs, was famously fired by tweet, and their new Director, Jen Easterly, assumed the role in July of 2021.

Since then, Easterly has done a tremendous job both humanizing the agency, and driving results.

While a significant amount of the Agency’s energy is focused on government systems and critical infrastructure, they’ve also done a tremendous job of building bridges with the private sector and developing alerts and tools like their Known Exploited Vulnerabilities Catalog - or KEV List.

The new strategy document, however, represents their next evolution in thoughtfully managing cyber risk, and I think there are plenty of notes that we can take for our own companies.

First of all, they note in the preamble that this moment of inflection will require investment, collaboration, and focus - all things that I’m in full agreement with.

The Plan

Their plan focuses on three core pillars, which CISA calls “enduring goals”:

  1. ADDRESS IMMEDIATE THREATS. We will make it increasingly difficult for our adversaries to achieve their goals by targeting American and allied networks. We will work with partners to gain visibility into the breadth of intrusions targeting our country, enable the disruption of threat actor campaigns, ensure that adversaries are rapidly evicted when intrusions occur, and accelerate mitigation of exploitable conditions that adversaries recurringly exploit.

  2. HARDEN THE TERRAIN. We will catalyze, support, and measure adoption of strong practices for security and resilience that measurably reduce the likelihood of damaging intrusions. We will provide actionable and usable guidance and direction that helps organizations prioritize the most effective security investments first and leverage scalable assessments to evaluate progress by organizations, critical infrastructure sectors, and the nation.

  3. DRIVE SECURITY AT SCALE. We will drive prioritization of cybersecurity as a fundamental safety issue and ask more of technology providers to build security into products throughout their lifecycle, ship products with secure defaults, and foster radical transparency into their security practices so that customers clearly understand the risks they are accepting by using each product. Even as we confront the challenge of unsafe technology products, we must ensure that the future is more secure than the present—including by looking ahead to reduce the risks and fully leverage the benefits posed by artificial intelligence and the advance of quantum-relevant computing. Recognizing that a secure future is dependent first on our people, we will do our part to build a national cybersecurity workforce that can address the threats of tomorrow and reflects the diversity of our country.

CISA notes that these three goals do not operate independently, but instead are interconnected. They also do a fantastic job of mapping their Vision, Mission, Goals, Core Principles, and Core Values into a single visual.

Finally, they close with what is just a fantastic line: “Now is the time to focus, prioritize, and accelerate—recognizing that our adversaries are not going to wait.”

Frankly, one of the reasons this work stands out so much is that we just don’t expect this type of content, performance, and capability to be delivered by government agencies. But maybe we should be expecting more from agencies like CISA, and from security leaders more broadly.

We’re continually reminded about the volume, velocity, and impact of cyber attacks and related risks. What we don’t see enough of is a thoughtful strategic response, and if security teams at every company adopted CISA’s strategy, tailored it for their size and operating environment, and began to put practices into place, we can move this needle to a place that is collectively more resilient, sustainable, and defensible.

Fundraising

From a fundraising perspective, some fairly large fund announcements, including $2.1B for Greenoaks’ fifth fund and $5.8B for CVC Capital Partners’ secondaries unit, Glendower Capital, bring us up to about $10.8B in newly committed capital for the week.

Yet this morning, the Financial Times is running a piece with the title “Private equity groups offer sweeteners to secure investor backing” - noting that “Blue-chip firms including CVC Capital Partners, Ardian, TPG and Cinven have all in recent months offered investors either a discount on management fees or other incentives” and calling it “a sign that the industry is facing its toughest-ever fundraising environment.”

As a reality check, however, “Private equity firms globally raised $517b in the first half of this year”, according to a Bain report released in July. While this may be down from last year, it still seems like both plenty of money and plenty of opportunity.

You can find all the links to the stories we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next Monday for another Intentional Brief.

Links

https://www.cisa.gov/news-events/alerts/2023/08/04/cisa-releases-its-cybersecurity-strategic-plan

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

https://www.ft.com/content/3c5ca648-b838-4d67-8612-aaa10c801629
