Harmonizing Government, Policy, and Technology: Thoughts from Jeff Le, SecurityScorecard’s new VP of Global Government Affairs & Public Policy
For the past twenty years, I have had the pleasure of working at the intersection of public service, technology, and global security. As Deputy Cabinet Secretary to former California Governor Jerry Brown, I responded directly to the technology challenges that the state government faced to protect constituent data, deliver key services and resources to its residents, and recover from emergencies and disasters.
A concerning trend I saw during my time with the Governor’s office was the increase in cybersecurity incidents and homeland incursions that came from a host of rogue, state-sponsored actors and opportunistic criminal syndicates. These groups targeted critical infrastructure operators and ports; universities and school districts; and hospitals and clinics. Even worse, these groups only increased their tempo and attack cadence during concurrent disasters – such as fire events, flooding, and mass shootings. The most vulnerable were the most impacted and also the most defenseless.
Strengthening California’s cyber defenses
To build the state’s defenses, I helped steer the cybersecurity audit and assessment process to establish a baseline of resources and capacity within executive branch departments and agencies. My team also supported the effort to remove Kaspersky from the state’s networks at a pace much faster than that of the Federal Government. I also pushed for funding to increase capacity, modernize the state’s digital infrastructure, and expand rural broadband access and open data projects.
These steps helped the State of California improve its cyber hygiene and defenses. But with technology advancements and a sharp increase in third-party and supply chain breaches, threat actors are able to strike with more precision. This is unfortunately happening at the same time that public servants are retiring at alarming rates, which means a loss of institutional memory and of the ability to manage vital government systems.
Making the move to SecurityScorecard
That is why I joined SecurityScorecard as the new Vice President of Global Government Affairs and Public Policy at this critical juncture. With the company’s suite of managed solutions, global commercial track record, and world-class threat intelligence, SecurityScorecard can do more to protect governments, partners, and communities. In the fall, SecurityScorecard achieved the Ready Designation under the Federal Risk and Authorization Management Program (FedRAMP). Achieving this designation builds on SecurityScorecard’s work in the public sector, particularly our partnership with the Transportation Security Administration’s (TSA) Surface Operations Cybersecurity Assurance Division to provide cyber vulnerability monitoring, security ratings, and threat intelligence for TSA’s partners, which comprise national critical infrastructure providers.
Using metrics to increase cyber readiness
The U.S. Federal Government has been taking important steps in recent years to better secure its systems. The U.S. Environmental Protection Agency, with backing from the Government Accountability Office, is assessing cyber risks with an emphasis on a modified risk-scoring system with “enterprise and component-level risk scores, which will be added to the senior executive dashboard.” This timely stance coincides with growing interest from the U.S. National Security Council on utilizing a letter grade rating system to hold key providers accountable for maintaining a certain level of cyber resilience.
Furthermore, in 2023, the U.S. Office of the National Cyber Director (ONCD) put out a request for information on harmonizing cybersecurity regulations in critical sectors. SecurityScorecard stresses the importance of Sector Risk Management Agencies (SRMAs) using continuous risk metrics to measure the overall resilience of a sector, spot trends in vulnerability and mitigation, and evaluate the efficacy of regulatory requirements using objective external factors that can be independently verified. Embracing continuous metrics across multiple sectors would help to identify problems and best practices that transcend individual sectors and that may therefore be appropriate targets for regulatory harmonization.
Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly said it best to Congress in 2021: “I think it’s hard to say you’ve reduced risk unless you know how to measure it.” SecurityScorecard agrees with this statement; in the end, you can’t manage what you can’t measure, and you can’t defend what you can’t see.
Cyber resilience in the supply chain
Third-party cyber risk is now one of the biggest threats organizations face, with many of the recent major breaches (SolarWinds, Log4j, and MOVEit) tracing back to a single weak point in a widely used product or supplier. SecurityScorecard’s joint research with the Cyentia Institute found that 98% of organizations have a relationship with at least one third-party entity that has experienced a breach in the last two years. Organizations must continuously assess cybersecurity risk, including across their entire supply chain and vendor ecosystem, and produce quantitative metrics that measure that dynamic risk in a standardized, actionable way. We believe this approach can undergird sensible and measurable regulatory requirements and make it easier to evaluate and communicate the impact regulations have on cyber resilience.
Looking ahead
The cybersecurity landscape is only becoming more precarious, but it’s exciting to be part of an organization whose mission is to make the world a safer place. I am eager to contribute to the great work SecurityScorecard has already done (and I’m grateful to my new colleagues for their patience as I learn their names). Their insights, experience, and perspective have been invaluable, and I am thankful for their contributions to a safer cyber ecosystem. This year promises to be an exciting one for cybersecurity policy and regulations, so stay tuned here for more posts from me on those topics.