Companies need to take ownership of cybersecurity risk at the highest levels of corporate governance, including senior management and at the board level, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said in a blog post released Wednesday.
Companies need to embrace cybersecurity as a strategic business risk, Easterly said. They can no longer afford to relegate that responsibility to their IT department or corporate CISO without the awareness and participation of the C-suite and corporate directors.
“The time is now for CEOs and boards to actively embrace corporate cyber responsibility as a matter of good governance, recognizing that every organization has an obligation to reasonably assure the safety of their employees, partners and customers,” Easterly said in the post.
The push for stronger cybersecurity governance comes at a time when the U.S. is facing sophisticated cyberattacks against critical infrastructure from nation-state adversaries, including China and Russia.
CISA in 2023 partnered with the National Association of Corporate Directors and the Internet Security Alliance last year on a handbook that addresses how to manage cyber risk.
Easterly is scheduled to step down as CISA director when the Trump administration takes office.
The concerns raised by Easterly came just a day after National Cyber Director Harry Coker Jr. warned the U.S. needs to step up deterrence efforts to counter malicious cyber activity sponsored by China, Russia and other adversaries.
Coker noted that the role of the private sector is critically important, because much of the nation’s critical infrastructure is run by private sector organizations. Therefore authorities need the private sector to maintain strong network defenses and share threat intelligence.
About 260 companies have signed CISA’s Secure by Design pledge, which is a voluntary effort to get technology and other companies to adhere to secure development practices in an effort to make sure software is safe out of the box.
Easterly said board members need to take several actions to make sure cybersecurity is a priority:
- Ensure CISOs are fully empowered and given the proper influence and resources to prioritize cybersecurity within the organization.
- Make sure senior executives are educated on cyber risk and that cyber risk considerations are fully baked into business, technology and software acquisition decisions.
- Review the company’s cyber risk framework and ensure the development of common standards.
