Leadership Shake Up at CISA: Lessons for the Middle Market?

11–18–2024 (Monday)

Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, November 18, 2024, and we’re going to do a little prognostication today based on news of a leadership shakeup at CISA that broke late last week - so let’s dive in.

Jen Easterly Out at CISA. Implications?

News broke late last week that the Director of the Cybersecurity and Infrastructure Security Agency, Jen Easterly, and her Deputy Director Nitin Natarajan will depart on Inauguration Day in January of 2025.

As a quick reminder on both Easterly and CISA, she’s only the second Director of the Agency, which is part of the Department of Homeland Security and was signed into law by Donald Trump as part of the Cybersecurity and Infrastructure Security Agency Act of 2018.

Easterly was confirmed by the Senate in July of 2021, and has served in this role since then. Easterly is a West Point graduate who served for 20 years in the US Army, including roles as an intelligence leader, combat deployments, time at the NSA, and establishing US Cyber Command, as well as roles on the National Security Council.

Her departure marks a significant inflection point for the Agency, and the future of the agency was covered quite well in a piece in WIRED Magazine over the weekend by Eric Geller. In short, changes are coming - including the focus of this organization away from supporting regulations for critical infrastructure and towards a China-focused offensive orientation.

Even lawmakers continue to struggle with the changing reality, with Virginia senator Mark Warner continuing to advocate for additional cyber breach reporting regulations that appear unlikely to happen now.

So, for those of us in the middle market here, the takeaway is this: to a larger extent than has been the case, you’re going to be on your own. The resources and focus that CISA has deployed over the last 5 or 6 years just aren’t going to be there.

This means tools, training, and intelligence - all of which you’ll need to find suitable replacements for.

Unfortunately, this is going to put a squeeze on the middle market and down, leaving lots of room for ransomware and other commodity threats to thrive as the focus moves up to nation state incursions like China’s Salt Typhoon and others.

I know that building a cyber capability isn’t high on the list for companies of our size, but the risks from an impact perspective are just too high to do nothing. Cyber is one of the few domains that can bring an entire organization down in minutes and keep them down for weeks.

For that reason - and many others, including supporting your growth target and exit paths - there’s going to need to be a focus on managing cyber risk over the next 5 years.

What, exactly, that means for each of you will depend on your business, your tech stack, your growth ambitions, and a range of other variables, but one thing that we’ll all be facing together is an increasingly chaotic world in this space, where threats evolve faster than defenses.

Your job now is to get a running start. Understand what you have, understand what you need, and put plans in place to build, buy, or partner on that capability for 2025 and beyond. There’s no cavalry coming any time soon.

Fundraising

From a fundraising perspective, we’re still in the smaller numbers range - coming in at $4.2B in newly committed capital - but we did see that number spread over about a dozen fund announcements with various sizes and focuses.

Again, the larger players have all secured a sizable amount of new funding, nearly $750B this year so far, so I don’t know how many massive announcements we’ll have left for the quarter or the year. The better part of a trillion seems big enough already.

With that, a reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://www.wired.com/story/trump-administration-cybersecurity-policy-reversals/

https://www.nextgov.com/people/2024/11/cisa-director-jen-easterly-depart-inauguration-day/401036/

https://www.nbcmiami.com/responds/we-need-quicker-reporting-some-lawmakers-push-for-stronger-data-breach-regulation/3473325/
