CISA’s New Strategic Plan Builds On Existing White House Cybersecurity Strategy 

CISA has released its FY2024-2026 Strategic Plan which sets out a vision to change the US’ national cybersecurity risk environment trajectory and builds on the White House’s strategy published last week.    

“Where the National Cyber Strategy calls for foundational shifts to help America outpace our adversaries and set a national agenda on our terms rather than theirs, and CISA’s Strategic Plan outlines how we’ll work together as a unified agency grounded in common values, our Cyber Strategic Plan focuses on the “how” and – of critical importance – how we’ll know if we’re making progress,” a statement by Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA noted.   

The plan outlines three goals: 

  • Goal 1: Address Immediate Threats.   
  • Goal 2: Harden the Terrain.   
  • Goal 3: Drive Security at Scale.                                                                                                                                                   

The Plan notes that too often threat actors succeed because of insecure environments where enterprises are “too difficult to defend, and our technology products are too vulnerable to protect.” And while the steps to overcome this are known, the design and development of products must adapt to mitigate the impact of exploitable vulnerabilities.  

“We must help organizations, particularly those that are “target rich, resource poor,” take the fewest possible steps to drive the most security impact,” the Plan states. 

Jason Keirstead, Vice President of Collective Threat Defense, Cyware had this comment:   

“CISA is taking a pragmatic and holistic approach to their 2024-2026 strategic plan. Organizations lack the resources to effectively defend against known and emerging threats, and to outpace the adversary, the industry must collaborate more often and more effectively. Even organizations with mature cybersecurity programs often struggle to adequately safeguard every vulnerability. CISA’s focus on collaboration, intelligence sharing, and scalability has potential to measurably strengthen our overall security posture.”

Roy Akerman, Co-Founder & CEO, Rezonate follows up with this:   

“It’s commendable to witness CISA advancing the cybersecurity narrative in such a strategic manner. Drawing from my experiences with cyber defense in Israel, this step accentuates the criticality of prompt detection and response. The recognition that adversaries will always seek and often find vulnerabilities underscores the importance of evolving our SecOps and Identity and Access security programs. In essence, it’s about being several steps ahead, rather than merely reacting.” – Roy Akerman, CEO of Rezonate and former head of cyber defense operations for the Israeli Government.

Having a strategy is great. But it’s all about implementing this strategy and getting people to buy into it. I’m reserving judgement until I see how well that part is done. But on paper, this is a good move by the White House.

UPDATE: Wade Ellery, Field CTO, Radiant Logic had this to say:    

“The recent update to CISA’S comprehensive plan marks a significant stride in the nation’s ongoing efforts to bolster its digital security landscape. An identity-focused strategy stands out as an indispensable and highly effective approach to fortifying systems across the U.S.

Managing identities have become more complicated for organizations, regardless of industry or size. As the government looks to implement a comprehensive plan, it must take into consideration the types of attacks plaguing the U.S. – Identity-related attacks make up the bulk of cyber-attacks, calling into question the way businesses handle their identity data. 

Having clean, unified Identity data has emerged as a central pillar in safeguarding sensitive information, fending off cyber threats and ensuring the integrity of digital environments. This approach centers on verifying and managing the identities of users and allows for full visibility and control over who can access specific resources within a system. This fine-grained access control, integrated into a Zero Trust Architecture, can help minimize the attack surface, limit the risk of unauthorized parties entering the system and detect threats early on.”

Leave a Reply

%d bloggers like this: