"A cyberthreat to one organization is a threat to all organizations," write CISA Director Jen Easterly and Executive Assistant Director for Cybersecurity Eric Goldstein in a recent essay for Foreign Affairs.
They could easily describe a theme running through our upcoming Global CISO Exchange in Miami this February 16-17. Focused on “building a more resilient enterprise,” the conference will promote enterprise cooperation, information sharing, and the importance of public-private partnerships among leading security executives.
Planned with our customers, it was born out of the recognition that we must start seeing cyber threats as a societal problem rather than a barrier to revenue generation if we are to stop victim blaming, breach concealing, and vulnerability ignoring. Instead, we should encourage collective responsibility and inter-organizational collaboration among those charged with protecting the global economy from cybercriminals.
The Global CISO Exchange is more than a two-day conference featuring keynotes and breakouts. It’s a think tank that’s sure to touch on two key issues CISA’s Easterly and Goldstein blame most for our current sorry state of cyber affairs.
First, too many technology manufacturers prioritize sales over security, passing the massive responsibility of cybersecurity onto consumers and business users. We can see the effects of these deficiencies in how the software supply chain has been weaponized, with small and medium-sized businesses often bearing the brunt of the damage.
Second, cybersecurity is still too often siloed within IT departments or considered the sole responsibility of a chief information security officer. Failure to see cybersecurity as an existential business issue discourages disclosure and cooperation among professional peers. Today’s private sector businesses are forced to contend with state-backed threat actors whose budgets surpass all but a handful of companies, yet too many organizations still see cybersecurity as a fringe issue.
“Americans need a new model,” they write, “one they can trust to ensure the safety and integrity of the technology that they use every hour of every day.” I couldn’t agree more. Easterly and Goldstein talk about the need for technology that is “secure by design,” which they describe as technology “purposely designed, built, tested, and maintained to significantly reduce the number of exploitable flaws.”
This definition fits zero trust network architecture (ZTNA) to a T. ZTNA inherently hides applications so they can't be probed for vulnerabilities by any internet passerby, prevents lateral movement by connecting users to applications rather than networks, and inspects both inbound and outbound encrypted traffic to guard against malware and data exfiltration.
While we’re stressing the need to make technology products more secure, why not take it a step further and focus on making the underlying architecture that enables their use more secure, too? Thankfully, the U.S. Federal Government has made steps in that direction with its 2021 executive order calling for implementing zero trust architecture among its agencies.
Convening a global “cyber-civil defense” coalition
Drawing on the work of philanthropist and Craigslist founder Craig Newmark, Easterly and Goldstein call for a pervasive awareness-raising campaign infused into consumer reports, curricula, and “target rich, cyber poor” organizations like school districts, healthcare facilities, and local election offices.
“If the government and the private sector can build trust and work together,” they write, “cyberspace can become safer for everyone.”
We are headed in the right direction with smart initiatives like the Joint Cyber Defense Collaborative (JCDC), of which I am proud to say Zscaler is a part. But I would expand this notion of cyber-civil defense to include cooperation between security executives at leading private sector organizations around the globe.
Regardless of which country hosts their HQ, these organizations tend to be well-resourced, well-intentioned, and international. A global network of cooperative CXOs, determined to prevent economic and societal damage stemming from cybercrime, would be a powerful ally in this fight.
That is, again, why we are so passionate about the mission behind our inaugural Global CISO Exchange. It’s a chance for industry luminaries like CrowdStrike President, CEO, & Co-founder George Kurtz, for instance, to take the stage alongside Zscaler CEO, Chairman, & Founder Jay Chaudhry to discuss zero trust as an ecosystem of partners and the importance of adopting its key tenets across a wide swath of both public and private organizations.
The timing couldn’t be better for kicking off a dialogue on how this special group of attendees can more closely cooperate on today’s toughest cybersecurity challenges. As Easterly and Goldstein note, there’s no shortage of high hurdles to overcome.
State-backed threat actors are being sheltered and backed by geopolitical pariah states, including Russia, North Korea, and Iran. They continue to launch opportunistic attacks against our businesses, schools, hospitals, and governments from beyond the reach of international law enforcement coalitions.
Threat actors also realize that, at least in the United States, much critical infrastructure is privately funded and poorly protected. This is an issue of national security that CISA is mandated to address, a task that could be eased with cooperation and intelligence-sharing from the private sector.
Perhaps no one is more familiar with the threat landscape I’ve been describing, and as able to tell the story, as WIRED writer and cybersecurity journalist Andy Greenberg. I look forward to speaking with Greenberg about these topics, including an update on cyber operations in Russia’s war against Ukraine and his new book Tracers in the Dark at the Global CISO Exchange.
We have much to discuss and, I’m afraid, some of the topics are bleak. But, if we sincerely collaborate both within the private sector and with our public sector counterparts, we can advance the goal of creating a safer cyberspace for everyone.