Did CISA Director Jen Easterly Miss A Huge Cybersecurity Opportunity?
The Mindset Shift That is Needed Within The Cybersecurity Community
In 2022, CISA Director Jen Easterly gave a keynote on culture. More recently, faced with the CCP's moves to pre-position for future attacks intended to induce "societal panic", Congress received testimony from FBI Director Christopher Wray, National Cyber Director Harry Coker, and CISA Director Jen Easterly. They described the threat that the Chinese Communist Party's cyber army poses to United States critical infrastructure.
The CISA Director's speaking points, while on point, may have missed an opportunity to address a systemic issue that continues to create the very vulnerabilities she warned about.
She was right to warn Congress about the threat of Volt Typhoon, which many cybersecurity experts are calling the tip of the iceberg. But the blame was cast on software manufacturers (the companies, not the individual engineers). Software vendors were accused of releasing insecure software. While that is true, the entire internet is also insecure, and I don't see anybody blaming the scientists at DARPA (the government agency that created the internet).
The vendors, who are more importantly among your partners, are not solely to blame!
The problem starts with the consumer and the client: the people to whom both the vendors and Congress are beholden. The People.
Look at it from the perspective of a customer account manager:
Regardless of who the customer is, the time in which they want the product is NOW.
You might say "deliver a reasonable timeline". What actually happens is that the client or consumer, who has become accustomed to instant gratification, expects a shorter timeline with less investment up front. Most tech startups burn millions in R&D before launch. This means that when it is time to generate revenue they are already behind in a foot race and find themselves chasing the white rabbit.
Sales and marketing are about service/product delivery. The KPIs that mark success are about getting to "Yes", or to a creative agreement, sometimes even to belief in unmentioned benchmarks on unseen corporate roadmaps. More plainly: the incentives in sales and marketing do not reward uncomfortable truths.
Cybersecurity is already an uncomfortable truth. When customers think about why they are paying $$$ instead of $, they want to factor in speed. The problem is that cybersecurity, and the assurance of a safe product, is a quality issue that requires time. Even automated CI/CD pipelines (security checks built into the software build and update pipeline) add time.
If we say we need time, a competitor will offer a shorter timeline and beat us by winning significant market share from clients who want shorter delivery pipelines.
Seen from that perspective, holding the vendors accountable at the very moment we need their help to deal with upcoming cyber threats, rather than appealing to all involved parties to modify their expectations a little for the sake of security, may well have been a lost opportunity.