Jen Easterly’s tenure as the Director of the Cybersecurity and Infrastructure Security Agency (CISA) has been a mix of progress and controversy, with bold initiatives like “Secure by Design” and a focus on board-level cyber governance.
In a recent blog post, “Corporate Cyber Governance: Owning Cyber Risk at the Board Level,” the transitioning leader restates her vision of elevating cybersecurity from a technical problem to a core component of corporate and governmental governance. However, her departure and the final narrative come amidst significant challenges, including the Treasury breach, which revealed vulnerabilities in federal systems and raised questions about the agency’s focus and effectiveness.
As CISA transitions to new leadership, questions about the agency’s effectiveness and its evolving role in safeguarding the nation’s digital infrastructure have taken center stage. The Treasury breach serves as a stark reminder of the stakes involved in cybersecurity governance.
The Treasury Breach: A Wake-Up Call
The breach at the U.S. Department of the Treasury underscores persistent vulnerabilities in federal cybersecurity. The incident, which CISA attributed to a compromise of privileged user credentials, highlights two pressing issues:
Federal Cyber Resilience: The breach exposed gaps in the ability of federal systems to withstand sophisticated cyberattacks. Despite assurances from CISA that other agencies were not affected, the event underscores the urgent need for comprehensive audits, modernized defenses, and a more robust incident response framework across federal entities.
Evolving Threats: This breach reinforces the dynamic nature of cyber threats, with adversaries increasingly targeting privileged access credentials to infiltrate systems. It calls for a renewed focus on identity and access management (IAM) solutions and zero-trust principles across all federal systems to prevent future compromises.
While CISA responded swiftly, partnering with BeyondTrust to mitigate the incident, critics argue that such reactive measures highlight the need for more proactive strategies.

Jen Easterly, Director – CISA
“This movement can start by ensuring that CEOs and Board Members are held personally accountable for effectively managing cyber risk and directly engaged when it comes to corporate cybersecurity decisions and the cybersecurity of their companies.”
Lessons from the Treasury Breach
In her post, Easterly underscores the importance of proactive leadership in cybersecurity, with principles that apply as much to government agencies as to private enterprises. Her emphasis on board-level accountability, empowered CISOs, and integrated governance structures highlights critical areas for improvement:
Integrated Cyber Risk Management: Cybersecurity cannot be treated as an isolated IT function. Instead, it must be integrated into broader risk management processes, with leaders trained to assess and address cyber risks within the context of organizational strategy and operations.
Top-Level Accountability: The Treasury breach illustrates the consequences of neglecting cyber risk as an enterprise-level concern. Public and private sector leaders must treat cybersecurity with the same rigor as financial oversight, ensuring top-down accountability and clear governance frameworks.
Empowered Leadership: Just as Easterly advocates for empowering CISOs in corporations, federal agencies must similarly prioritize cybersecurity leadership, providing resources, authority, and direct access to decision-makers. This includes creating roles dedicated to overseeing systemic risks rather than merely operational security issues.
Progress and Pushback
Easterly’s tenure has been transformative for CISA, but it has not been without its challenges and criticisms. Key controversies include:
Balancing Collaboration and Regulation: Easterly championed public-private collaboration, emphasizing partnerships over punitive measures. However, her push for corporate accountability and Secure by Design principles sparked concerns about government overreach into private sector operations. The next leader must navigate these tensions to maintain trust and foster innovation.
Expanding Mandate: Critics have argued that CISA’s growing involvement in areas such as disinformation and election security risks diluting its focus on core cybersecurity responsibilities. While protecting democratic institutions is critical, opponents contend that such efforts may distract from more immediate threats to critical infrastructure and federal systems, such as the Treasury breach.
Election Security and Trust: CISA’s declaration of the 2020 election as the most secure in history earned praise for its transparency but also drew backlash, particularly from skeptics who viewed the agency’s involvement as politically charged. Restoring trust in CISA’s impartiality will be critical for the next administration.
Challenges for the Next Administration
As CISA transitions to new leadership, several critical challenges loom large:
Rebuilding Public Trust: The controversies surrounding CISA’s involvement in politically sensitive areas, such as disinformation campaigns and election security, have eroded public confidence in the agency’s impartiality. To rebuild trust, the next leader must communicate clearly and transparently about CISA’s priorities and actions, emphasizing its nonpartisan mission while addressing legitimate concerns.
Modernizing Federal Systems: The Treasury breach serves as a stark reminder of the vulnerabilities inherent in outdated federal infrastructure. The next administration must prioritize large-scale modernization efforts, including the adoption of zero-trust architectures, enhanced IAM solutions, and regular vulnerability assessments across all agencies. This modernization will require sustained investment and cross-agency coordination.
Defining CISA’s Scope: The agency’s broadening responsibilities, from protecting critical infrastructure to countering misinformation, have fueled debates about its core mission. The next director must establish clear priorities, ensuring that CISA’s expanding role does not dilute its effectiveness in cybersecurity.
Strengthening Private Sector Collaboration: Public-private partnerships remain essential to addressing complex cyber threats. However, the agency must strike a delicate balance between fostering voluntary collaboration and enforcing accountability measures, particularly when promoting initiatives like Secure by Design.
Preparing for Emerging Threats: The cyber threat landscape continues to evolve, with ransomware, supply chain vulnerabilities, and state-sponsored attacks becoming more sophisticated. CISA’s next leader must adopt a forward-looking approach, leveraging emerging technologies like artificial intelligence to enhance threat detection and response capabilities.
The Wrap
Jen Easterly’s tenure at CISA has been a mix of bold initiatives and complex controversies. Her emphasis on corporate cyber governance and secure-by-design principles reflects a forward-thinking vision for cybersecurity. However, incidents like the Treasury breach reveal gaps that require immediate attention.
As CISA transitions to new leadership, the agency stands at a crossroads. Its next director must navigate a minefield of controversies, restore public trust, and redefine the agency’s focus to address the evolving cyber threat landscape. The Treasury breach, though a setback, offers an opportunity for reflection and reform.
By addressing vulnerabilities with urgency and clarity, the next administration can build on Easterly’s legacy and steer CISA toward a more resilient future.