Weekly Video Update: December 26, 2022

12–26–2022 (Monday)

Hello and welcome to a Boxing Day edition of Cyber Risk at Deal Speed, your weekly video update on the one big thing in cybersecurity for private equity investors and portfolio company management teams. I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io.

Today is Monday, December 26th, and I want to highlight something that might not seem like a big deal, but has the potential for outsized impact.

This week’s One Big Thing is Chris Inglis’ retirement announcement.

Inglis Retiring, Implications Abound

I’m highlighting this news as the one big thing because I think the National Cybersecurity Strategy - being developed by the Office of the National Cyber Director (Chris Inglis, currently) - has the potential to fundamentally change the way we think about cyber, and particularly this intersection of public and private risk.

First, let’s talk about Inglis.

He’s the first person to hold this role of National Cyber Director, appointed by Biden in July of 2021, but his career is long and storied.

He was the deputy director of the National Security Agency for 8 years, and was a Brigadier General in the US Air Force - serving 30 years - much of it involved with the NSA.

It’s difficult to find people with this type of pedigree in cyber, particularly those who have such an even-keeled approach to sticky, multi-domain, international cyber issues.

And we’re losing him. At perhaps the worst possible time.

Why is the timing bad? Because - despite years of discussion and development, and months of promises that this strategy is just around the corner - we have yet to see the document, and now we won’t have Inglis’ steady hand to help guide its implementation.

This strategy has been rumored to have some tough implications for the private sector, with Inglis noting that “the strategy will address regulation and market forces.”

I’ve heard one summary of the strategy laid out simply as “Private sector - you’ve had 50 years to figure out security online, and you haven’t. So, here come the regulations.”

The timing is particularly tenuous. We’ve got looming threats from Russia, China, Iran, North Korea, and others.

We’re struggling to get our critical infrastructure cybersecurity strategy in place, with Jen Easterly’s role at CISA taking fire this past week (unnecessarily, in my eyes).

Sector-specific agencies are struggling to get requirements in place for the 16 critical infrastructure sectors (which include IT, Financial Services, and the Defense Industrial Base, by the way).

We saw in the Fall some examples of the uphill battles we’re facing, with Australia as an example, where the intersection of public and private cyber risk and impact was quite pronounced.

Having Inglis at the helm to deliver the strategy would be critical, as he’s been leading the conversations with both government and industry. That said, even if he stays until the strategy is released, he won’t be there for the implementation, which could really hamper the ability of this strategy to move the needle in a meaningful way.

There is still a tremendous amount of unknowns - including the content of the strategy document itself. We’ll have to wait and see how both Inglis’ retirement and the strategy rollout happen, but - if nothing else - I think we need to view this as a lesson in succession planning.

Succession planning is absolutely critical. Great leadership is great, but leaders don’t live or last forever. What’s your organization going to do when your all-star decides it’s time to hang up their jersey or demands a trade to a new team?

Is that timing going to work out well for them or the business or both? What happens when that timing is out of sync?

We may soon see that play out in a very public way, and in a way that might impact all of our businesses. That’s why this news is the one big thing for the week between the holidays.

Update: Rackspace’s Ransomware Incident

Rackspace - now three plus weeks into their ransomware incident - have a little more than 50% of their customer data restored. The other half? Still nothing.

Fundraising

We’re going to fall short of the quarter trillion dollar mark for Q4, but are still heading into 2023 with an absolutely massive amount of dry powder.

As strategies come together, macro forces stabilize, and tech company valuations continue to struggle, we are likely to see deal flow tick up significantly in Q1 and Q2 of 2023, potentially even starting as early as January once folks are back in the office.

You can find all the links to the stories we covered below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you in 2023 for the next edition of Cyber Risk at Deal Speed.

Links

https://fcw.com/people/2022/12/national-cyber-director-chris-inglis-reportedly-set-retire-coming-months-reports-say/381208/

https://therecord.media/national-cyber-strategy-possibly-months-away-inglis-says/

https://ciaranmartin.substack.com/p/lessons-from-down-unders-data-disasters
