ORLANDO, Fla. — IT leaders must equip their businesses with the necessary tools to operate safely in an expanding cyberthreat landscape, but the responsibility should not solely fall on IT, CISA CTO Brian Gattoni said Tuesday at the Gartner IT Symposium 2022.
"It's not your job alone," said Gattoni. "It's every individual person's collective responsibility to be a good citizen in cyber to protect the enterprise. If you are touching IT, if you're touching data, if you are doing something for your company around electronics: you have a responsibility with cyber."
Gattoni, who joined the Department of Homeland Security in 2010, said organizations are up against a threat landscape in flux. What's needed is a stronger focus on personalizing defense strategies, he said.
"The threat space is expanding every day, whether our adversaries are taking direct action to improve their capabilities, or the technology landscape is shifting in such a way that it makes their job easier and ours a little harder," Gattoni said.
Executives are aware of the long-term implications of cybersecurity — and are spending accordingly.
Two-thirds of CIOs say cyber and information security is a top area of increased investment for 2023, according to Gartner data. Amid surging threats, that share is higher than for other investment areas such as business intelligence or cloud platforms.
Aside from the availability of new technology, organizations need to pay more attention to cybersecurity basics, said Gattoni, including but not limited to:
- Recognizing and reporting phishing attacks, which includes training workers to spot and avoid them.
- Enforcing the use of strong passwords for all applications and adding a layer of multifactor authentication.
- Prioritizing patches to address known vulnerabilities.
"Don't wait: update your software," said Gattoni. "Every day you delay updating a critical software vulnerability in your enterprise is just another inch of fuse burning down the line until eventually there's a bang."
Part of the defense strategy deals with on-board security features inside the technology enterprises use. CISA Director Jen Easterly has previously called for technology companies to begin infusing security in the design phase of their security products.
Security features on IT tools have taken on new relevance amid a spike in supply chain attacks, where hackers compromise a product or service used by an enterprise, then leverage that access to attack multiple users concurrently.
"There's a lot of scenarios where the bad guys only got to get it right one time," Gattoni said. "That means that we all have to work together to share information to help combat that."
That's one of the reasons CISA launched the Joint Cyber Defense Collaborative (JCDC) in 2021, a public-private alliance meant to bring together cyber, defense and national security entities alongside private organizations.
"We are your trusted partner to share information with about what's going on in cyber land, knowing that it's our intent to package it up, anonymize it if you need us to, and share it with your peers and industry," said Gattoni. "You can expect the same coming back your way: actionable intelligence that helps with your enterprise."