January 5, 2021

  1. ISA, World Economic Forum, and National Association of Corporate Directors finalize their Cyber Governance Report, identifying six core principles for board-level cyber-risk oversight. This Report completes phase I of the ISA-NACD Forum collaboration.
  2. ISA is one of three US organizations invited to present at the G-20 Global Cybersecurity Forumand Digital Economic Security Conference in Riyadh, Saudi Arabia.
  3. ISA World Economic Forum and National Association of Corporate Directors jointly launch phase II of their collaboration, “The Cyber Experts Program” The program consists of a series of joint, invitation-only events– ISA & Forum members only – bringing together cyber experts from these two comminutes to build on the principles they have jointly created and identify empirical tools yielding metrics by which use of these Principles can be measured against a set of independently generated outcome security variables.  The two organizations will then jointly publish the results of these meetings generating a catalog of field-tested procedures to measure effective cybersecurity.ISA sponsors who have already presented at these events in 2020 include JR Williamson (Leidos), Greg Montana (FIS, John Frazzini (X-Analytics), and Demi Stratakis (BNY/Mellon). Among those to be scheduled in 2022 are Michael Higgins (L3/Harris Jason Escaravage (Thomson Reuters) and Tim McKnight (SAP), and Richard Spearman (Vodafone).
  4. ISA launches “Rethink Cybersecurity” Social media campaign in sync with the new Congress and Administration taking office.  Based on ISA’s newest public policy book written by the ISA board of directors (Fixing Cybersecurity: Creating a Strategic Public-Private Partnership — Georgetown University Press), ISA attempts to alter the approach to cyber public policy by recrafting the book into a series of blogs, tweets, and other messaging. Working with 1631 Digital, ISA reaches nearly 50,000 cyber practitioners who come to the ISA website to read this material.  Nearly 8,000 sign up to the ISA database for ongoing communication.
  5.  ISA’s “Re-Think Cybersecurity” is successful in persuading multiple senior government officials to adopt the “rethink cyber” rhetoric in the public pronouncements. Among those who integrate the ISA “Rethink Cybersecurity” messaging are the Chairs of the Senate and House Homeland Security Committees, Senator Gary Peters and Representative Bennie Thompson, Cybersecurity Subcommittee Chair Congresswoman Yvette Clark, Cybersecurity and Infrastructure Security Agency Director Jen Easterly, as well as many others.
  6. Working through its leadership position on the IT Sector Coordinating Council (ITSCC), ISA and the ITSCC advocated for CISA to initiate a more strategic/economics-based approach to cybersecurity.  One of the major themesof the Fixing Cybersecurity book constructed by the ISA board in 2020 was the need for the government to take a more strategic and economics-focused approach to cybersecurity. The IT SCC agreed to advocate for CISA to launch such a program.
  7. In an exceedingly rare display of bipartisanship, seven Chairman of Congressional Committees with jurisdiction over cybersecurity and their Ranking (GOP) colleagues jointly wrote to President Biden’s National Security Advisor “stressing that cybersecurity is not just an IT issue but rather an economic issue with national security implications which is the core messaging of the ISA (ISA’s stated Mission Statement is to integrate advanced technology with economics and public policy to create a sustainable system of cyber security).
  8. Cybersecurity and Infrastructure Security (CISA) launches the Cyber Strategic Planning Initiative.  Based, in part, by lobbying from industry groups, CISA initiates a programmatic effort to focus more on strategic issues and not solely on technical, operational aspects of cybersecurity. In phases I of this initiative, CISA hosts a series of extended discussions with industry groups on: 1) Critical Infrastructure interrelationships 2) Market drivers 3) Law Enforcement 4) Information Sharing 5) Supply China Management.  ISA is asked by ITSCC to provide the background briefing papers to CISA on behalf of industry.  Initial reports from CISA are largely reflective of ISA messaging.
  9. ISA, in conjunction with 26 industry associations, helps to form the Critical Infrastructure Cyber Forum,a new cross-sector industry coalition devoted to creating a more cohesive industry-wide cybersecurity government policy. ISA was asked to provide the background policy papers upon which the group will engage with Congress.
  10. Coupling “Rethink Cybersecurity” with traditional lobbying efforts to put forward ISA policy recommendations yielded numerous legislative victories, including:  increased funding for cyber law enforcement and cyber education; establishing an initiative to understand and price cyber risk and create more accurate risk models, adopting an economic view of cybersecurity as opposed to a technical operations viewpoint; and additional funding was allocated to support small manufacturers, to support their response to cyber-attacks and to identify priorities for small business cyber risk management initiatives.  ISA’s call for government to vastly increase funding for cybersecurity was directly reflected in the bipartisan infrastructure packages in the form of an infrastructure bill that allocated $20 million for cyber response and recovery, including additional funding for the Cybersecurity and Infrastructure Security Agency and the new White House Office of the National Cyber Director; and the extension of an additional $35 million to support stakeholder engagement and public-private partnerships on cybersecurity.
  11. The House Appropriations bill and Infrastructure bill adopted numerous ISA policy recommendations, including: Increased funding for cyber law enforcement and cyber education; Establishing an initiative to understand and price cyber risk and create more accurate risk models, adopting an economic view of cybersecurity as opposed to a technical operations viewpoint; Additional funding to support small manufacturers in responding to cyber-attacks and identifying priorities for small business cyber risk management initiatives. The infrastructure bill includes $20 million for cyber response and recovery, including additional funding for the Cybersecurity and Infrastructure Security Agency and the new White House Office of the National Cyber Director; The infrastructure bill would also offer an additional $35 million to support stakeholder engagement and public-private partnerships on cybersecurity.
  12. 2021 National Defense Authorization Act was passed by both Houses and sent to President Biden. The final bill contains a variety of ISA supported provisions such as clarifying rules of engagement with respect to private sector organizations under nation-state attack, creating systematic evaluation of government cybersecurity programs, streamlining and deconflicting cybersecurity procedures and regulations, addressing regulatory burdens on small companies, and expanding information sharing between defense agencies and private sector entities.  The final bill also did not include several proposals the ISA did not support, such as expanded notification requirements for a vastly expanded definition of critical infrastructures.
  13. Kogan-Page agrees to publish ISA’s book Cybersecurity for Business, based on principles ISA created in conjunction with the National Association of Corporate Directors and retargets these principles to the management level audience.  A dozen ISA board members collaborate on these chapters, which identify the roles and responsibilities for a wide variety of organizational departments (legal HR, audit PR, etc.) in creating an enterprise-wide cybersecurity program. Kogan’s review of the field indicates the book will be attractive to both academic and general business markets and will be released on April 26.
  14. Association of Governing Boards (AGB) and ISA produce the first sector-specific Cyber Risk Handbook targeting universities and foundations’ unique cyber needs. In consideration of ISA’s work in producing the handbook, AGB pledges to assist ISA in promoting Cybersecurity for Business.
  15. ISA and the NACD agree to develop a fourth US edition of the Cyber Risk Handbook, which is endorsed by both DHS and DOJ.  An agreement is reached with the World Economic Forum that the joint ISA-NACD-Forum book will be marketed to an international audience, and the ISA-NACD book will remain the dominant publication for the US market.
  16. In collaboration with AIG, ISA produces the first pan-Asian edition of the Cyber Risk Handbook for Corporate Boards. The Pan-Asian handbook is the fifth international and third regional edition of the Cyber Risk Handbook, which sets a de facto Global set of best practices for board oversight of cyber risk.
  17. The Federal Office for Information Security in Germany (BSI) initiates collaboration with ISA on the second edition of the Cyber Risk Handbook for Germany. The German edition of the ISA Cyber Risk Handbook was the first of the five international and will be the first to get a second edition. SAP agrees to Chair the project for ISA.
  18. ISA hosts a private dinner for the President of the German Office of Information Security, Arne Schonbohm. ISA’s relationship with Mr. Schonbohm goes back nearly a decade when he was President of the Cybersecurity Council of Germany and co-authored, with ISA, an edition of the Cybersecurity Social Contract for Germany.
  19. ISA teaches a course in cyber risk management for the Wharton Schools Executive Education Program Cyber Security.  This is the fourth year ISA has taught this course at Wharton.  In the first two years, it was a team-teaching project involving several ISA board members. Due to the pandemic in the last two years, it was taught by ISA staff. 
  20. Group of Harvard Economists led by Oliver Hart, who won the 2016 Nobel Prize in Economics, makes a proposal to the ISA board to relate an economic model based on ISA core principles of the economics of cybersecurity, including recommendations for policy changes to use market forces as opposed to regulatory mandates. ISA will need to find funding partners for the proposal but is in contact with potential industry and government partners. 
  21. ASPEN Institute reaches out to ISA to propose a joint ISA-Aspen effort to create material targeting underserved industry sectors on cybersecurity best practices modeled on the work ISA has done with the National Association of Corporate Directors.
  22. ISA is appointed to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s Resilient Investment Planning and Development Working Group (RIPDWG). RIPDWIG is a public-private partnership of subject matter experts designed to advise CISA on the resilience of critical infrastructure. Their goal is to “Addresses obstacles to investing in infrastructure resilience such as federal policies that limited funding and lack of incentives for private investment in resilience of infrastructure systems. RIPDWG’s traditional focus has been on natural events (hurricanes/floods/ etc.) and has asked ISA to join to add the perspective of cyber threats to critical infrastructure.
  23. CISA’s Director of the National Risk Management Center, Bob Kolasky, meets with ISA Board. Mr. Kolasky invites ISA to participate in two invitation-only subject matter expert sessions CISA holds on addressing systemic cyber risk.  Klosky communicates his support for funding ISA work on systemic risk as well as the Prysm study (above) on developing an economics-based model for cybersecurity.
  24. ISA Board meets with a wide variety of senior congressional policymakers, including Chairman Donald Payne, the Office of Transportation and Infrastructure Pipelines Subcommittee, Homeland Security Committee Ranking Member John Katko (R-NY), Homeland Security Committee, to discuss his efforts to create a public-private stakeholder process for designating systemically important critical infrastructure to prioritize cybersecurity support to private entities of greatest importance. Chairman Andrew Garbarino (R-NY), Homeland Security Cybersecurity Subcommittee, Ranking Member Rick Crawford (R-AR), Transportation and Infrastructure Pipelines Subcommittee.
  25. ISA adds three new sponsor companies to its board of directors, Baker Hughes, Mastercard, L3/Harris bringing ISA membership to 24 sponsoring enterprises (ISA by-laws limit sponsorship to 25 companies).