CISA official: Lower reporting thresholds for cyber incidents and get your CEO and board invested in security

A top official at the Cybersecurity and Infrastructure Security Agency cited increased visibility over cyber intrusions in the private sector, cultivating a stronger digital security workforce and making cybersecurity a top-of-mind issue for corporate board rooms as priorities.

During a March 10 event hosted by Billington Cybersecurity, CISA Executive Assistant Director Eric Goldstein said it is important the agency (as well as the FBI) receive reporting from organizations who may be hit with a cyberattack from a foreign government or criminal enterprise.

The comments, recorded March 1, came the same day that the Senate passed a cyber incident reporting bill that would give CISA just such an authority and a week before the House followed suit.

However, Goldstein suggested companies could and should go beyond the reporting of only significant breaches and cyber incidents, because what looks like a small blip or insignificant incident might be more than meets the eye. The agency relays similar advice in their “Shields Up” messaging campaign, which aims to prepare U.S. society for the prospect of Russian-directed cyberattacks against businesses and other entities in response to economic sanctions.

“Our top-line message, particularly in this heightened threat environment, is lower the threshold for reporting,” said Goldstein. “If organizations see anything anomalous on their network, even if ordinarily you would think that it perhaps doesn’t hit the official [threshold] to report, just report it. Because that will let us help you confirm whether it’s actually anything to be worried about — and if it is, help protect the victim and help protect others.”

Expanding cybersecurity talent, other CISA priorities

Goldstein also cited as top agency priorities efforts to continue expanding the pool of cybersecurity talent at CISA and within the federal government as well as emphasizing the role and responsibility that CEOs and other non-technical leaders have when it comes to cybersecurity. While resources like “Shields Up” stress empowering chief information security officers (CISOs) in board-level decision-making, organizations also benefit the most when security moves “out of the purview of just the IT team and the security team.”

“We understand very well that many times, decisions on security come down to a decision about cost versus benefit, about operational risk or security gain, and that’s a conversation where business leaders and board leaders need to understand the risk that is facing our country and able to weigh those equities most effectively and also serve as an ally [to their CISOs],” he said.

The agency is also still working through the technological implications of the COVD-19 pandemic. It’s a “cliché’” at this point, but Goldstein said the pandemic and widespread shift to remote work over the past two years has more or less transformed the way federal agencies view the technological landscape and how it interacts with digital security. The decentralization of endpoint devices as employees began working from home and the shift of remote access from exception to rule “all requires significant changes to how we monitor, detect [and] prevent intrusions…and how we help non-federal organizations achieve the same objective.”

“That necessitates incorporating not just cloud and mobile [assets], but also really a holistic conception of how to do on-premise, mobile, cloud all interact and how do we provide a cohesive security architecture and security solutions that are able to get visibility across the network as a whole, regardless of where a workload or endpoint is located.”

The "good news" is that CISA and other agencies had plenty of company, and was able to take the best lessons from private-sector transformations and apply it to their own internal security strategies, such as the Trusted Internet Connection program, which seeks to manage and secure internet access points throughout the federal government. The program received pandemic and cloud-centric overhauls in recent years to deal with the new normal of a distributed workforce.

"The good news is that partnering with our partners in the private sector, we have solutions in place to really modernize how we think about deploying security solutions in these newer models," said Goldstein.