The Security Ledger Podcast

Episode 223: CISA Looks To Erase The Security Poverty Line

August 20, 2021

In this week’s episode of the podcast (#223), we are joined by Josh Corman and Lisa Young of the COVID task force at CISA to talk about the agency’s work to improve the security of critical sectors of the U.S. economy. Job #1: erase the so-called security “poverty line” that keeps small, poorly resourced firms from obtaining the skills and talents they need to protect their networks, data and IT assets.

The phrase “let them eat cake” may never have been uttered by the French Queen Marie Antoinette. But the phrase has stuck to her for centuries, less because of its historical accuracy than for the attitude it epitomized: the detachment and callousness of the French monarchy and landed aristocracy in the face of widespread, abject poverty and hunger.

But a very similar attitude is at work these days in the information security space. Rather than standing on a balcony and calling for cake, today’s cyber security cognoscenti instead mount stages at events like Black Hat and RSA and serve up rich desserts like “zero trust” to throngs of fellow cognoscenti. Outside the conference ballrooms, however, technologically impoverished organizations in the for-profit, non-profit and public sectors are being ravaged by ransomware, data theft and corporate espionage, business email compromise scams and denial of service attacks.

Let them use ‘zero trust’!

Just as the aristocracy failed to apprehend the depths of hunger and poverty in society at large, large and wealthy information security firms, industry ISACs and even federal agencies these days have failed to appreciate how unattainable “zero trust” networking is for a company with a constrained budget and without a dedicated security staffer, let alone a team.

Those gaps, between a small number of wealthy and sophisticated firms and everyone else, are getting wider. Sadly, much of what passes for official guidance is targeted at the 1% of firms that can afford the latest technology and services, not the 99% of firms that can’t. Cybersecurity, it turns out, has an equity problem, too.

One agency that is trying to change that is CISA, the Cybersecurity and Infrastructure Security Agency. The federal government’s point agency for cyber is young enough to be in the teething stage, but in recent months it has taken steps to address head on what analyst Wendy Nather termed the “security poverty line.” As we noted back in episode 204, that started with work to shore up the COVID vaccine supply chain, which was heavily reliant on a large number of small, specialized equipment and component makers, most of whom lacked any permanent IT security staff.

Now the agency is expanding its work to other “NCFs,” or “national critical functions.” The agency is offering hygiene services like free vulnerability and application security scans for critical infrastructure providers. CISA is also trying to simplify the conversation around cybersecurity and best practices. A new site on the agency website is collecting “bad practices” R...