What Organizations Can Take Away from the New CISA Strategic Plan
December 21, 2022
Way back in the early days of the internet, in 1989 to be exact, a malicious actor carried out the first known ransomware attack in history using floppy disks.1 He sent them to victims through regular, old-fashioned postal mail.
Flash forward to today and ransomware attacks are far more sophisticated, bold and rampant, posing a serious threat to businesses and governments worldwide. According to the FBI, at least 649 organizations from multiple critical infrastructure sectors across the U.S. reported ransomware attacks in 2021.2 But given that many of these attacks go unreported, it is impossible to know the real number.
For all their sophistication, what makes ransomware attacks so hard to combat is how easy it is for attackers to deliver the malware in the first place. A malicious actor needs to dupe only a single user, and that one compromised account or device is often enough of a foothold for the attack to spread across an organization's network. And as more of us use personal devices for work communications, the attack surface grows larger.
The U.S. federal government created the Cybersecurity and Infrastructure Security Agency (CISA) in 2018 with the goal of understanding, managing and reducing risk to the nation’s cyber and physical infrastructure.3 In September of this year, CISA issued its first comprehensive strategic plan. The 2023-2025 CISA Strategic Plan addresses the current challenges faced by the public and private sectors and charts a path forward by focusing on four strategic goals: cyber defense, risk reduction and resilience, operational collaboration and agency unification.4
The stakes are high when an organization falls victim to a cyber attack. Resources may be limited, sensitive data can be put at risk and recovery can take weeks to months. That is why it has never been more critical for businesses to work cross-functionally to embed strong cybersecurity practices at the core of their operations. Fortunately, the CISA Strategic Plan offers guidance on how to start implementing new processes.
A Four-Pronged Approach
If business leaders want to properly adopt CISA's recommendations, they will need to take a careful look at their organization's infrastructure to identify strong and weak points, with cybersecurity teams leading the charge. To truly strengthen cybersecurity, however, every part of the business has a role to play. There is no prescribed order, so each organization must determine which of the following four areas is the best place for it to start.6
One area to begin with is cyber defense. In the plan, CISA states that its goal is to “spearhead the national effort to ensure the defense and resilience of cyberspace.”7 Organizations should make a similarly concerted effort to protect themselves by doing the following:8
- Enhancing the ability of the organization to withstand cyber attacks and incidents
- Increasing the organization’s ability to actively detect cyber threats that target critical networks
- Driving the disclosure and mitigation of critical cyber vulnerabilities
- Advancing the cyberspace ecosystem to drive security-by-default
- Investing in cybersecurity and ensuring board members and executive leadership have heard from their CISOs and are familiar with the cyber risks at hand
From there, organizations will want to turn their attention to reducing risk and increasing resilience. That means identifying which areas of the business are most critical, pinpointing specific vulnerabilities and taking steps to close those security gaps. Remember, it is not a question of if but when a cyber incident will occur. The organizations most resilient to attacks have response plans in place and have practiced and communicated those plans from their boards down. Organizations can solidify their strategies by:9
- Expanding visibility into risks to infrastructure, systems and networks
- Advancing the organization’s risk analytic capabilities and methodologies
- Enhancing the organization’s security and risk mitigation guidance and impact
- Building greater stakeholder capacity in infrastructure and network security and resilience
- Increasing the organization’s ability to respond to threats and incidents
Throughout, an organization should focus on strengthening its operational collaboration, which includes proactive information sharing. In many cases, organizations will have systems in place for effective collaboration, but if the cybersecurity push is coming from only one sector of the business, it will never truly stand up to today’s ever-evolving threat landscape. Per CISA’s recommendations, organizations should look to:10
- Optimize collaborative planning and implementation of stakeholder engagements and partnership activities
- Fully integrate regional offices into the organization’s operational coordination
- Streamline stakeholder access to, and use of, appropriate cybersecurity programs, products and services
- Enhance information sharing with the organization’s partnership base
- Increase integration of stakeholder insights to inform business product development and mission delivery
The importance of collaboration cannot be overstated, which is why CISA prioritizes agency unification. For some time now, organization leaders have been discussing this concept of integrating functions, capabilities and the workforce. However, viewing this effort through the lens of cybersecurity may be a way to increase awareness around safe cybersecurity practices. Keeping with CISA’s recommendations, organizations should aim to:11
- Strengthen and integrate the organization’s governance, management and prioritization of cybersecurity best practices
- Optimize business operations to be mutually supportive across all divisions
- Cultivate and grow the organization’s high-performing workforce
- Advance the organization’s culture of excellence
It is hard to believe that something as primitive as a floppy disk could once have posed such a serious threat to business. Then again, given the pace of ransomware attacks today, we may look back at this time in the same light. Any way you slice it, the threat landscape is growing more insidious. The best way to fight back is by implementing proactive measures focused on readiness and resilience, following the guidance of industry leaders and reviewing the CISA plan.
1: Vince Marino. “Ransomware 2.0: How Malware Has Evolved And Where It's Heading.” Forbes (May 20, 2021). https://www.forbes.com/sites/forbestechcouncil/2021/05/20/ransomware-20-how-malware-has-evolved-and-where-its-heading/?sh=379a325aa391.
2: Sergiu Gatlan. “FBI: Ransomware hit 649 critical infrastructure orgs in 2021.” Bleeping Computer (March 23, 2022). https://www.bleepingcomputer.com/news/security/fbi-ransomware-hit-649-critical-infrastructure-orgs-in-2021/.
3: “About CISA.” Cybersecurity and Infrastructure Security Agency (Retrieved December 2022). https://www.cisa.gov/about-cisa.
4: “CISA Strategic Plan 2023-2025.” Cybersecurity and Infrastructure Security Agency (September 2022). https://www.cisa.gov/sites/default/files/publications/StrategicPlan_20220912-V2_508c.pdf.
5: Stephanie Kelly and Jessica Resnick-ault. “One password allowed hackers to disrupt Colonial Pipeline, CEO tells senators.” Reuters (June 8, 2021). https://www.reuters.com/business/colonial-pipeline-ceo-tells-senate-cyber-defenses-were-compromised-ahead-hack-2021-06-08/.
6: “CISA Strategic Plan 2023-2025, p. 10.” Cybersecurity and Infrastructure Security Agency (September 2022). https://www.cisa.gov/sites/default/files/publications/StrategicPlan_20220912-V2_508c.pdf.
7: “CISA Strategic Plan 2023-2025, p. 11.” Cybersecurity and Infrastructure Security Agency (September 2022). https://www.cisa.gov/sites/default/files/publications/StrategicPlan_20220912-V2_508c.pdf.
8: “CISA Strategic Plan 2023-2025, pp. 11-15.” Cybersecurity and Infrastructure Security Agency (September 2022). https://www.cisa.gov/sites/default/files/publications/StrategicPlan_20220912-V2_508c.pdf.
9: “CISA Strategic Plan 2023-2025, pp. 16-22.” Cybersecurity and Infrastructure Security Agency (September 2022). https://www.cisa.gov/sites/default/files/publications/StrategicPlan_20220912-V2_508c.pdf.
10: “CISA Strategic Plan 2023-2025, pp. 23-28.” Cybersecurity and Infrastructure Security Agency (September 2022). https://www.cisa.gov/sites/default/files/publications/StrategicPlan_20220912-V2_508c.pdf.
11: “CISA Strategic Plan 2023-2025, pp. 29-33.” Cybersecurity and Infrastructure Security Agency (September 2022). https://www.cisa.gov/sites/default/files/publications/StrategicPlan_20220912-V2_508c.pdf.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.
About The Journal
The FTI Journal publication offers deep and engaging insights to contextualize the issues that matter, and explores topics that will impact the risks your business faces and its reputation.