Organizations must establish cybersecurity risk accountability at the highest corporate levels, including executive leadership and board members, Cybersecurity and Infrastructure Security Agency Director Jen Easterly emphasized in a statement published Wednesday.
Organizations must treat cybersecurity as a fundamental business concern, Easterly noted. They must move beyond simply delegating these responsibilities to their technology teams or security officers without active involvement from executive leadership and board members.
“The moment has arrived for chief executives and board members to proactively embrace cyber responsibility as essential governance, acknowledging that each organization must ensure reasonable protection for their workforce, business partners and consumers,” Easterly stated in the release.
This call for enhanced cybersecurity oversight comes amid increasingly sophisticated digital attacks targeting essential infrastructure by state-sponsored actors, particularly from China and Russia.
CISA collaborated with the National Association of Corporate Directors and the Internet Security Alliance during 2023 to develop guidelines addressing cyber risk management.
Easterly is expected to resign from her CISA leadership position upon the Trump administration’s arrival.
Easterly’s statements followed National Cyber Director Harry Coker Jr.’s assertion that America must strengthen its deterrence strategies against cyber threats from China, Russia and other hostile nations.
Coker emphasized that private sector involvement remains essential, since private organizations manage much of the nation’s critical infrastructure. Consequently, government agencies require private sector cooperation in maintaining robust network security and sharing intelligence about threats.
Approximately 260 organizations have committed to CISA’s Secure by Design initiative, a voluntary program encouraging technology companies and others to implement secure development practices ensuring software safety from initial release.
Easterly outlined several key actions board members must take to prioritize cybersecurity:
- Guarantee CISOs receive proper authority, influence and resources to make cybersecurity an organizational priority.
- Ensure senior leadership receives cyber risk education and incorporates cyber risk considerations into business, technology and software procurement decisions.
- Evaluate the organization’s cyber risk framework and establish consistent standards.