As CISA downsizes, what can we do for support and guidance?
CISA (Cybersecurity and Infrastructure Security Agency) is the nation's cyber security defense agency and supports all US organizations in implementing and improving critical information security resilience.
CISA has been an ally, assisting state and local governments in conducting secure elections and providing entire libraries of free tools and templates for every size and type of organization. Though it is unclear how CISA's downsizing will alter the myriad of services it offers, we do know that hundreds of personnel have been impacted, and that will reduce CISA's already taxed missions.
With new AI threats appearing daily and cybercrime costing a record $9.5 trillion last year (up 10% from 2023), the 'bad guys' seem to have nearly every advantage. Meanwhile, many organizations still don’t understand the basic relationship between security and technology.
Security professionals have been the underdogs for years, and many companies are understaffed and have not matched their IS (Information Security) budgets to the risk vectors an attacker could actually exploit.
Organizations often don't even have a full-time information security position. A common misconception is that IT (Information Technology) personnel are trained and experienced IS (Information Security) personnel. While IT and IS overlap, they are separate and distinct practices. It is common to find IS experts who also have IT experience and credentials; the reverse is rare.
Organizational leaders who assume the scope and expertise of IT are the same as IS have false confidence, which is not only a form of security gap but also highly unfair to the IT experts who have assumed scope beyond their training and expertise.
Mitigating the CISA Gap
Both IT and IS personnel have greatly benefited from resources provided by CISA and other US government agencies like NIST (National Institute of Standards and Technology). Now that those already understaffed agencies are downsizing, what do we do to mitigate the gap?
Large organizations likely already have a team of IS professionals and have working frameworks with regular assessments and perhaps even audits. While they cannot replace a centralized nonprofit resource gathering worldwide exploit information and tracking threat actors like CISA does, they at least have in-house experienced expert practitioners.
The likely first impacts will be on SMBs and state, county, and local governments. SMBs (Small-Medium Businesses) are much less likely to have implemented a mature security model and, in many cases, suffer greatly from the IT/IS misconceptions noted earlier.
One way to supplement the IS work in an organization is to use security products that manage your security for you. Some of these products are indeed very good; however, shopping for them without an experienced trusted advisor is a minefield. Vendor marketing materials are rarely concise or well-suited for the novice consumer.
Rather than going directly to the vendors, seek a trusted advisor such as a VAR (value-added reseller) with a broad spectrum of products and a good reputation. Good VARs use experienced security advisors to find products and services that match your organization's needs. VARs work to maintain a good reputation and relationship with your organization, so they are unlikely to recommend poor choices.
Before researching and buying security solutions, try this.
Before seeking products and services to fill your organization's security gaps, you need to know what your gaps are and how you are going to fill them.
Some organizations will look to the products used by similar organizations of the same size and in the same markets, but this can be a recipe for disaster. No two organizations are exactly the same, and making that assumption is very likely to result in significant security gaps and a false sense of security.
Even if you have a trusted advisor, they can only make informed guesses about your organization unless you have a risk assessment.
Risk assessments are often confused with vulnerability assessments and penetration tests (pen tests). If you are not absolutely certain you understand the differences, you can learn here.
The problem with most risk assessments is that they are designed for Fortune 500 companies and large government entities. They likely cost tens of thousands of dollars and take months or a year to complete.
To meet the needs of SMBs, county government entities, and local governments that lack the budget, time, and resources for a formal risk assessment, Cadre Information Security has created the first successful Informal Risk Assessment.
An Informal Risk Assessment follows the same frameworks as formal risk assessments but is designed from the ground up for smaller organizations. It costs only a few thousand dollars and can be completed within weeks.
An Informal Risk Assessment will not only find the security gaps in your organization but also provide the scope and cost rationale for all third-party security products and services. It can also likely provide a litany of other benefits, such as proof of due care and due diligence, which might be required for and by your board of directors.
Plan your next steps now.
With CISA, NIST, and other resources being diminished, there is no better time than the present to make sure your organization has at least the minimum tools, policies, programs, and resources to avoid a cyber catastrophe. If, when you ask who to speak to about a cybersecurity question or issue, you are directed to an understaffed IS department, or worse, an understaffed IT department, you almost certainly need a Trusted Advisor and an Informal Risk Assessment.
If you want an information security VAR with 30 years of experience that can provide vendor-agnostic product and service guidance and the best SMB risk assessment in the business, Cadre is right for you.
Now you might think that my recommendation is biased since I work at Cadre Information Security and perhaps that is true, so I suggest you consider the fact that Cadre is also a medium-sized organization much like yours and thoroughly vets and understands all of the products and partners. Cadre has a policy of “if you can’t do it right, don’t do it,” and if Cadre can’t do what you require, unlike other VARs, they will help you find another vendor that can.
If you already have a VAR you use and trust, stick with them. The Cadre Informal Risk Assessment team is vendor-agnostic and happy to do your assessment. Remember that most products labeled as “risk assessments” are not risk assessments but repackaged vulnerability assessments or scans. If the risk assessment is software-based, and especially if it includes a “scan,” you are looking at a misrepresented product or service. Let us help your organization be safe and act on knowledge, not guesses.
AI did not generate this article.
In fact, this article was drafted on a 1982 Apple LISA computer, which introduced the most profound advancement in personal computer history…
No part of this material may be used or reproduced in any manner for the purpose of training artificial intelligence.