Jen Easterly is the director of the Cybersecurity and Infrastructure Security Agency (CISA). Recently, she gave a speech at CES that functioned sort of like a State of the Union, but for cybersecurity. Her comments reflect that the state of cybersecurity, most unfortunately, is “unsafe.”
“We live in a world…of massive connections where that critical infrastructure that we rely upon is all underpinned by a technology ecosystem that unfortunately has become really unsafe,” said Easterly, who was previously head of Firm Resilience at Morgan Stanley. “We cannot have the same sort of attacks on hospitals and school districts that we’ve been seeing for years. We have to create a sustainable approach to cyber safety, and that’s the message that I’m bringing to CES.”
The State of Cybersecurity
Easterly’s main message was that the tech ecosystem has become “really unsafe” due to the rise of cyber threats and attacks. She highlighted the increasing frequency and sophistication of attacks on government agencies, critical infrastructure, and private companies. She also spoke about the growing threat of ransomware, which has become a major concern for organizations of all sizes.
She laid much of the blame firmly at software developers’ feet.
“We’ve essentially accepted as normal that technology is released to market with dozens or hundreds or thousands of vulnerabilities and defects and flaws,” Easterly said. “We’ve accepted the fact that cyber safety is my job and your job and the job of my mom and my kid, but we’ve put the burden on consumers, not on the companies who are best equipped to be able to do something about it.”
Building on a theme
Former CISA Director Christopher Krebs has been shouting this same message from the rooftops for years. He has previously highlighted one of the key challenges facing cybersecurity experts — the shortage of skilled personnel. Krebs stated that the demand for cybersecurity professionals far outstrips the supply, and that this shortage is likely to continue into the future. He called on the government and private sector to invest in training and education programs to help bridge the gap.
Additionally, Krebs emphasized the importance of implementing robust cybersecurity measures, including regular software updates and patching, to protect against threats. He also urged organizations to adopt a “defense in depth” approach (aka ‘Castle Defenses’), which involves layering multiple security controls to protect against multiple types of attacks — things like multifactor authentication, zero trust, always-on security logging, etc.
“We have to continue moving out of that posture where everything is about prevention, prevention, prevention,” Krebs said. “Resilience is the key to adaptable, flexible organizations. It’s really about reducing blast radius. If you have a ransomware event, then you lose one cred, you lose one box. It doesn’t spread across the entire enterprise.”
That may sound counterintuitive and a little bit scary… don’t hyperfocus on prevention? But isn’t the best solution to not get breached in the first place?
Well, sure. But the likelihood that you’ll never suffer a breach is becoming lower and lower as threat actors become more and more sophisticated, and as more dangerous tools become white-labeled and broadly distributed.
The bottom line to all of this? The built information environment is scarier than ever. The CISA directors have been singing this tune for years now, and the defense posture and best practices for incident response are evolving as the threat landscape does. But the theme is still the same — our information environment is unsafe.
While much of that depends on factors outside your control, the one factor you do control is how you manage your cyber defenses. Do you just install anti-virus software and pray for daylight? Or do you proactively take control of your security posture to decrease both your chances of a breach and the fallout from a potential breach?
That’s where we come in. We know it’s beyond the expertise of most small and medium-sized businesses to keep up with all these best practices, manage their entire IT stack, build robust cybersecurity defense systems… it’s a lot. But that’s why partnering with a managed IT service provider like Leverage can lighten your load and give you peace of mind — we’re experts in this, and we’re always on for you.
Give us a call today so we can show you how to stay safe in this unsafe environment.