
CISA shares 2023-2025 cybersecurity strategy
About this time every year, cybersecurity leaders will collect their thoughts in a way that creates something akin to a strategy for the coming year. It’s always a little difficult to be precise when it comes to cybersecurity strategy because the nature of the threats faced will, as always, continue to evolve. However, the Cybersecurity and Infrastructure Security Agency (CISA) has been kind enough to publish a strategic plan for 2023 to 2025 that many cybersecurity leaders might want to simply crib.
The 37-page document isn’t overly prescriptive, but it does loosely outline four cybersecurity goals that everyone within an organization should be working toward achieving. From the perspective of an enterprise IT organization, they can be summarized as follows:
- Spearhead an effort to ensure defense and resilience to make it easier to withstand cyberattacks and incidents. As part of that effort, organizations should focus on improving their ability to actively detect cyber threats, disclose and mitigate critical cyber vulnerabilities, and whenever possible make IT environments secure by default.
- Reduce risks to critical infrastructure by expanding visibility via investments in risk analytics tools to help better prioritize allocation of limited resources.
- Strengthen operational collaboration and information sharing among stakeholders.
- Integrate functions, capabilities, and the workforce to create one unified cybersecurity team based on a culture of excellence.
Creating your North Star
Most cybersecurity professionals will intuitively understand the mission at hand. The issue from their perspective is what resources will be made available to achieve it. After all, the available resources usually dictate what tactics can be employed to combat various types of risks. Being able to articulate a strategy, however, is important because it creates, as CISA director Jen Easterly described it, a “North Star” that reminds everyone how and why cybersecurity funding needs to be allocated, especially in times of stress.
In fact, as part of that mission Easterly told the Cybersecurity Advisory Committee that the agency plans to focus on “what boards and C-suite execs must do to effectively manage cybersecurity risk” via a subcommittee that will be formed to advance that specific goal.
Difficult choices
Of course, in the wake of the rise of ransomware, business leaders have never had as much appreciation of the value of cybersecurity as they do now. However, appreciating something doesn’t always equate to understanding. At a time when many business leaders are being required to make some difficult economic choices, cybersecurity isn’t really one of those areas where less can do more.
There is always an opportunity to reallocate budgets in a way that promotes efficiency, but as cyberattacks continue to increase in volume and sophistication any cutback on spending will most certainly increase the level of risk to the business. There may be circumstances where there is no other choice to be made, but business leaders need to deeply understand what tradeoffs are being made.
Cybersecurity professionals, in the meantime, are being presented with a unique opportunity to become leaders within their organization. Perfect cybersecurity may be unattainable, but as appreciation for the threat level grows, more members of any organization will look to cybersecurity professionals not just for guidance but also for a sense of purpose and hope.