CISA Gov: '23-25 Plan Focuses on Unified Cybersecurity
William Malik, VP of Infrastructure Strategies, shares his opinions on the goals and objectives outlined in the CISA Strategic Plan 2023-2025.
Bio: William Malik’s information technology career spans over four decades. Before joining Trend Micro, he worked at IBM as a developer, tester, and planner; led Gartner’s Information Security Strategies service; and was CTO of Waveset, an identity management company.
In September 2022, the Cybersecurity and Infrastructure Security Agency (CISA) released its 2023-2025 Strategic Plan. This is the agency’s first comprehensive strategic plan since it was established in 2018. Consisting of four ambitious goals, the CISA Strategic Plan builds on the foundation of the CISA Strategic Intent (August 2019) to further guide the agency’s work and “create unity of effort.”
Breakdown of CISA Strategic Plan Goals & Objectives
A strategy is a litmus test for evaluating alternate plans or a guide for investing scarce resources. This plan does not meet those requirements. Instead, it lists a set of noble aspirations and goals.
Goal 1: Cyber Defense, and Goal 2: Risk Reduction and Resilience, are core to CISA’s mission to protect critical infrastructure. Goal 3: Operational Collaboration and Goal 4: Agency Unification, speak to the challenges CISA faces among its peer agencies and internally.
While information on how the CISA will accomplish the goals is lacking, there are high-level indicators for assessing success. From a quality management perspective, the goals are not measurable, but every journey begins with a first step. Over time, if the goals incorporated in the document endure, the CISA will need to develop measurable ways to track performance against outcomes, tune procedures, and align management behavior to better achieve those goals.
Effective quality management underpins the guidance this document offers. While the word “quality” appears twice, in Objective 3.3, “Streamline Stakeholder Access to and Use of Appropriate CISA Programs, Products, and Services,” the document asserts that the “CISA will measure the quality and accessibility of Division Programs, products, and services.” How that will be done, and what measures of quality they will seek, remain undefined for now. It is possible to read too much into this statement, as it equates quality with accessibility – an important goal but an issue of much different scope.
Goal 4 will help the CISA guide itself towards more effective performance against its mission. This is useful and important, but much remains. The organization will “translate leadership vision into prioritized action” and “strategically and transparently allocate resources to support efficient delivery across the entire CISA enterprise.” In other words, a representative outcome of Objective 4.1 of the CISA Strategy, “Strengthen and Integrate CISA Governance, Management, and Prioritization,” will be a strategy.
Objective 4.2, “Optimize CISA Business Operations to be Mutually Supportive Across All Divisions,” speaks to the decades-long organizational silos instituted when the DHS was created. The goal of the DHS was to guide agencies to share information to identify threats collaboratively. The intelligence failures preceding 9/11 include the FBI and CIA not sharing information between themselves or local law enforcement. DHS does not include the CIA, the FBI, or local law enforcement, but does bring together:
- U.S. Citizenship and Immigration Services (USCIS)
- United States Coast Guard (USCG)
- United States Customs and Border Protection (CBP)
- Cybersecurity and Infrastructure Security Agency (CISA)
- Federal Emergency Management Agency (FEMA)
- Federal Law Enforcement Training Center (FLETC)
FLETC itself guides training for law enforcement across about 70 agencies. Over the long term, incorporating these goals – a focus on learning, employee empowerment, and meaningful after-action reporting – will erode those organizational impediments.
The second representative outcome for this objective is “CISA integrates systems, processes, data, and architecture across the entire organization.” If the organization refers to the CISA itself, this is a cornerstone of effective management. If, however, the organization refers to DHS or to the entire Federal Civilian Executive Branch, this would yield a powerful, cost-effective improvement in security and trustworthiness.
The organization addresses learning in Objective 4.3. Organizational learning is the way to move up the process maturity scale and thereby reduce crises and lessen dependence on individual experts. Peter Senge’s “The Fifth Discipline” provides insight and guidance on how an organization can excel through effective learning.
Truly high-performance organizations, from professional sports teams and symphony orchestras to the United States Armed Forces, incorporate the lessons in that work. The CISA is crucial to protecting our nation. It cannot fail. If the organizational transformation previewed in this document succeeds, we and the world will become a safer, more reliable, more trustworthy place. The document promises much at a high level. Implementation will show if this noble declaration can bring needed organizational strength and efficiency.
What do you think? Let me know on Twitter: @WilliamMalikTM or LinkedIn