Companies need to take ownership of cybersecurity risk at the highest levels of corporate governance, including senior management and at the board level, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said in a blog post released Wednesday.
Companies need to embrace cybersecurity as a strategic business risk, Easterly said. They can no longer afford to relegate that responsibility to their IT department or corporate CISO without the awareness and participation of the C-suite and corporate directors.
“The time is now for CEOs and boards to actively embrace corporate cyber responsibility as a matter of good governance, recognizing that every organization has an obligation to reasonably assure the safety of their employees, partners and customers,” Easterly said in the post.
The push for stronger cybersecurity governance comes at a time when the U.S. is facing sophisticated cyberattacks against critical infrastructure from nation-state adversaries, including China and Russia.
CISA partnered in 2023 with the National Association of Corporate Directors and the Internet Security Alliance on a handbook that addresses how to manage cyber risk.
Easterly is scheduled to step down as CISA director when the Trump administration takes office.
The concerns raised by Easterly came just a day after National Cyber Director Harry Coker Jr. warned the U.S. needs to step up deterrence efforts to counter malicious cyber activity sponsored by China, Russia and other adversaries.
Coker noted that the role of the private sector is critically important, because much of the nation’s critical infrastructure is run by private sector organizations. Therefore, authorities need the private sector to maintain strong network defenses and share threat intelligence.
About 260 companies have signed CISA’s Secure by Design pledge, which is a voluntary effort to get technology and other companies to adhere to secure development practices in an effort to make sure software is safe out of the box.
Easterly said board members need to take several actions to make sure cybersecurity is a priority:
- Ensure CISOs are fully empowered and given the proper influence and resources to prioritize cybersecurity within the organization.
- Make sure senior executives are educated on cyber risk and that cyber risk considerations are fully baked into business, technology and software acquisition decisions.
- Review the company’s cyber risk framework and ensure the development of common standards.