Check out the article below on the emphasis coming from the leadership of CISA’s cybersecurity efforts. If you recall, DHS has had more than its share of reports of poor morale over the years. If you want to reverse that, you have to spend time focusing internally so that the services provided by the agency improve. I see the description below as being a helpful indication of someone trying to address cybersecurity “from the inside out.”
The Cybersecurity 202, from The Washington Post
By Tim Starks
with research by Aaron Schaffer
More than words: CISA’s director makes her case to workers, consumers
The head of the federal government's cyber agency, Jen Easterly, says that in her one-year tenure she has spent the most time establishing her organization as one that people want to come work at, and she also wants to convince everyone else to take better care of their own computers and phones — which means cutting out the “nerdspeak.”
Easterly, head of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), is trying to demystify cyber with different messages and terminology, whether she’s talking to a K-12 student or a company chief information officer.
“Every engagement that I have, I am incredibly deliberate about the messaging and the communications behind that,” she told me in a Monday interview. “People who are technical and in cyber, I think, are not as deliberate as they should be about being good storytellers.”
• Maybe that means using a song by ’70s rock band Boston to sell consumers on a key security technology, as with CISA’s “More Than a Password” campaign to convince people to adopt multi-factor authentication, which involves verifying a sign-on with a second factor such as a code sent by text message to a second device. But the phrase “multi-factor authentication” makes “eyes glaze over,” Easterly said.
• Or maybe — even though the word is in the name of her agency — it means reevaluating whether to call “cybersecurity” something else altogether. She cites the push from tech investors Ron and Cyndi Gula, who have advocated instead for calling it “data care” in job postings to evoke the concept of health care, and thereby make it more relatable to women and communities of color who might be turned off by the term “cybersecurity” and its evocation of war or law enforcement.
Easterly was a long-time federal government national security pro before leaving for a stint in the private sector at Morgan Stanley in 2017. At the financial giant, Easterly brought cyber experts together for a project with Academy Award-winning moviemakers with the goal of helping people understand the subject and get inspired to work in the field.
“This has been a major focus area for me, and it was very much informed by looking in from the outside once I left government and went to the private sector and not thinking that this was done terribly well,” she said.
CYBER FUTURE
Touting CISA as a place to work, as well as CISA's evangelism about good personal cyber practices, is more than a marketing exercise. A top White House official said major tech execs estimated last year that multi-factor authentication could head off 80 to 90 percent of all cyberattacks. But figures on how many people use it vary wildly. Twitter said last year that only 2.3 percent of users enabled it, while password management service LastPass said 57 percent of businesses worldwide use multi-factor authentication.
And qualified personnel are at the core of heading off the next major cyberattack, or writing any innovative cybersecurity policy.
But marketing isn’t enough by itself, Easterly said. Creating a culture to establish a diverse workforce that wants to stick around for a while requires constant maintenance and proof in practice, like listening sessions, psychological safety workshops and recruitment at historically black colleges and universities.
Easterly points out that Enron, the energy giant now synonymous with accounting fraud after a scandal in the 2000s, stated its values as “Respect, Integrity, Communications and Excellence.” [Eric here: I call these “aspirational values”—not the real values of the organization.]
“You can’t just be talking the talk; you have to walk the walk, and it has to come from me,” she said.
As of last month, CISA had approximately 150 cyber vacancies among its more than 2,700 full-time personnel. A much-ballyhooed DHS system for bringing cyber employees on quickly and with better pay has gotten off to a slow start.
AVERAGE JOE
But Easterly doesn’t want to put all the pressure on average consumers to defend themselves.
“There’s responsibilities on both sides and I’d like to see companies more and more be enabling things like multi-factor authentication by default,” she said, citing a critical infrastructure company she’d spoken to earlier in the day who had done just that. “They just fully implemented MFA and you see it with some of the Big Tech companies. Salesforce just mandated it and so we're going to get there slowly.
“But in the interim, I want to make sure that my son is protected, my mom is protected, anybody who gets any sort of technology knows how to protect themselves and keep themselves safe and secure online,” she said. “So we have to make it as simple as possible.”