Is Your Security Program Ready for CISA's Cybersecurity Strategic Plan?

Published Jun 06, 2024
by Pieter Danhieux

A version of this article appeared in Forbes. It has been updated and syndicated here.


The Cybersecurity Strategic Plan pushes major changes to the way most organizations approach cybersecurity, and developers are in a unique position to help achieve those new goals.

The Cybersecurity and Infrastructure Security Agency (CISA) has not only been instrumental in safeguarding the critical infrastructure and computing networks of the United States since its inception in 2018; its influence and expertise have also reverberated globally. The agency's advisories, vulnerability reports, Known Exploited Vulnerabilities catalog, and cybersecurity programs have become a global benchmark for actionable best practices, which is why the recently released CISA Cybersecurity Strategic Plan (covering fiscal years 2024 through 2026) matters well beyond the US.

CISA's influence and accomplishments have also gone far beyond what most government agencies achieve, especially for an agency that has only existed for a few years. This is in no small part a response to the rapid growth of the threat landscape and to attackers who are becoming more skilled and more systematic in their intrusion and exploitation attempts. CISA has taken on a leadership role in the fight against cyber criminals and other threat actors, methodically tracking trends and advising on cybersecurity best practices.

However, for all of the agency's helpful advice and guidance, it had never before released a dedicated strategic plan setting the direction of its cybersecurity efforts over the next several years. This is not just another plan, but a milestone that many organizations will want to study and ultimately implement. The plan calls for major changes to the way cybersecurity is approached, which may make following its guidance challenging, although the development community is in a unique position to help if given the right support, tools, and upskilling pathways.

A change is in the air for global cybersecurity best practices

At first glance, it would be easy to perceive some level of frustration in the CISA Strategic Plan, but CISA is simply acknowledging the fact that if we keep doing the same things we are now, we will keep seeing the same results. For cybersecurity to get better, it will require major changes across the board, including from companies that make the software and applications being used today.

Pointing the finger at software, at least partially, is not new. The National Cybersecurity Strategy released by the White House in March 2023 states that "poor software security greatly increases systemic risk across the digital ecosystem," and calls for shifting liability toward the vendors best placed to reduce that risk. The CISA Cybersecurity Strategic Plan lays out how the agency intends to act on that predicament.

The biggest change CISA is advocating is to challenge those who make software to ship products that are secure by design and by default. If secure coding practices are established and consistently applied, there will be far fewer vulnerabilities, especially severe ones, left in software for attackers to exploit. Some flaws will still slip through and will require diligence to find and fix, but that is a manageable proposition compared to the current status quo, in which dozens to hundreds of new vulnerabilities are published every day and defenders cannot keep up with patching them. CISA states very clearly in its plan that those who make software and other technologies must be accountable for the security of their own products.

“As a society, we can no longer accept a model where every technology product is vulnerable the moment it is released and where the overwhelming burden for security lies with individual organizations and users,” the CISA Strategic Plan states. “Technology should be designed, developed, and tested to minimize the number of exploitable flaws before they are introduced to the market.”

The plan goes on to suggest that this new approach may eventually become more than advisory, saying that CISA will use "all available levers to influence the risk decisions of organizational leaders." It also points to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which will require covered critical infrastructure entities to report significant cyber incidents and ransomware payments once CISA's implementing rule takes effect, as an example of how voluntary practice can be turned into a legal obligation. Whether or not that happens for secure development, it would benefit most companies making software and other technology today to get behind this guidance now.

CISA's guidance represents a key opportunity

Instead of feeling apprehensive at the prospect of more regulation, organizations should embrace the opportunity to use the CISA Cybersecurity Strategic Plan to strive for better, higher-quality software. This is not just a call for compliance, but a chance for developers to hone their skills and contribute to a more secure digital landscape. Ultimately, producing secure software helps everyone: the company that makes it, the users who depend on it, and the people whose data it processes or stores. Only attackers lose out when code is made as secure as possible before it reaches a production environment.

Given this new direction, it makes sense that an organization's developers, who write or source all of its code, are the right place to start when implementing more secure coding and working toward the goals of the CISA plan. But developers cannot do it alone without the support of the rest of the organization, especially senior leadership. Developers who understand common vulnerability classes, know how to write code that avoids them, and can recognize problems long before code reaches production will be the key to organizations taking responsibility for what they ship and, as CISA puts it, "ensuring that vulnerabilities are discovered and fixed before adversaries can use them to cause harm."

One key thing to note is that the training developers need is fairly advanced. Becoming proficient at consistently writing secure code is a challenging endeavor, and check-the-box compliance training is simply not up to that task. Developers need hands-on, language- and framework-specific learning in digestible, continuous increments, delivered as part of an overall security program, so that they build and maintain the skills required by the CISA plan rather than sitting through an annual awareness session.

Ideally, upskilling to get ready for the CISA plan should also mirror the methods developers already use every day, such as the principles of Agile development, where work is broken down into manageable chunks and delivered in a continuous cycle of sprints. An education program built the same way, in short, iterative exercises tied to the code developers are actually writing, helps them get up to speed quickly and lets them start coding more securely almost immediately rather than after a lengthy course.

The good news is that most developers support secure coding practices and are eager to help their organizations meet the goals of the CISA plan. In a survey of over 1,200 professional developers working around the world, the overwhelming majority said they supported the idea of creating secure code and establishing a better security culture at their organizations.

Developers need targeted education pathways and adequate support. If organizations provide that, not only will their code become more secure, but they will be ahead of the curve in their efforts to meet or surpass the guidance set out in the CISA Cybersecurity Strategic Plan.

This proposed shift in security culture will be challenging, but it’s also an incredible opportunity to change the nature of cybersecurity and create a world where the technology that makes all of our lives better is not also plagued by attackers constantly trying to exploit it for their own nefarious ends. We have the power to stop them, and the CISA plan shows a promising path toward that remarkable and ultimately achievable goal.


Author

Pieter Danhieux

Pieter Danhieux is a globally recognized security expert, with over 12 years' experience as a security consultant and 8 years as a Principal Instructor for SANS, teaching offensive techniques for targeting and assessing organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech People in Australia (Business Insider) and awarded Cyber Security Professional of the Year (AISA, Australian Information Security Association). He holds the GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT and GCIA certifications.
