Published on January 9th, 2023
Tech priorities out of sync with security needs, CISA director says
The consistent increase in annual cybercrime damages is not sustainable, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said Thursday at CES in Las Vegas.
Cybercrime damages cost organizations $6 trillion last year, she said. They are projected to reach $8 trillion this year and $10.5 trillion in 2025.
"We cannot accept that 10 years from now it's going to be the same or worse than where we are now," Easterly said. "The critical infrastructure that Americans rely on every day … is underpinned by a technology base and that technology base was created effectively in an insecure way."
This won't change until priorities and incentives are realigned, she said.
Risks remain heightened due to decades of insecure technology design, inconsistent cooperation between industry and government, lopsided responsibilities and backwards compatibility with insecure protocols.
Change starts with a recognition that cybersecurity is a fundamental safety issue, according to Easterly.
"We've somehow accepted that the incentives in technology are all aligned toward cost, capability, performance, speed to market, and not safety," she said.
Companies are automatically blamed when they've been breached or didn't patch a vulnerability that resulted in an attack, but that sole blame misses the broader challenge and the questions everyone should be asking of technology vendors, according to Easterly.
"Why did that software have so many vulnerabilities in it that it has to be constantly patched every week? Why did that software have a vulnerability that caused such a damaging breach?" she said.
Organizations are relying on technology that gives security short shrift.
"We can't just let technology off the hook," Easterly said.
CEOs, boards must own enterprise risk
Placing a greater onus for cyber responsibility on technology vendors and manufacturers requires a realignment of priorities, paired with a shift in how enterprises assign risk accountability at the company level.
Enterprise risk is owned by the CEO and the board, not CISOs or CSOs, Easterly and CrowdStrike CEO George Kurtz said on a panel at the event. More than 115,000 people attended the event, according to event organizers.
"You're talking about 4,000 years of history of sacrificing people that maybe shouldn't have been sacrificed," Kurtz said. "A lot of times the CISOs [get] an 18-month career lifespan, and if they didn't get funded and they identify the risk it doesn't mean that they're not going to get offered up. It's a tough job."
Many good CISOs identify risks, don't get funding after requesting a budget to tackle the problem, and get dismissed within months of a breach, he said.
"These CISOs are the ones who are busting their ass every day to help secure the company and they need to have the resources, the influence, and they need to be prioritized so they can actually help drive down risk to the company," Easterly said.
Responsibilities aside, the outlook for cybersecurity-related damages is poor. While Easterly avoided making any predictions, Kurtz identified a key factor that no organization or government agency can control.
"Whenever there's a recession, cybercrime tends to go up," Kurtz said. "Layoffs happen – less people to mind the store – and we tend to see more breaches."