Cybersecurity in defense of this nation depends on strong public-private partnership and coordinated collaboration. But the systematic dismantling of CISA over the past six months has raised questions about whether the government is still a reliable partner. As DOGE trekked through government, indiscriminately chopping CISA personnel by 30 percent, and with a budget cut of 20 percent likely coming in 2026, responsibility for protecting the U.S. against cyberattack is naturally shifting to private sector companies and perhaps the states.
As Tim Mackey, head of software supply chain risk strategy at Black Duck, notes, “Historically, the US government and industry have enjoyed a collaborative cybersecurity relationship designed around a premise mirroring defense in depth – not everyone needs to know nor prepare for all hazards, but someone should be prepared for any hazard.” But as uncertainty in the form of discontinued agency priorities, reduction in funding for existing programs, and a reduction in collaboration swirl, the cumulative effect is to “increase risk for defenders and may represent exploitable opportunities for cybercriminals.”
CISA, of course, is not the only line of defense or opportunity for government and private industry to partner against threat actors, particularly those working on behalf of nation-states. But hobbling it—starting with the firing of former CISA Director Chris Krebs, in what felt like the settling of a political score at the end of President Trump’s first term, and undermining/denigrating its work—can only serve to dilute its strength as a partner and undermine the good work the agency has done.
“Staffing changes at CISA earlier this year saw the departure of several key personnel, including roles such as the lead of zero trust, section chief of cybersecurity, and lead of identity and access management,” says Jason Soroko, senior fellow at Sectigo. “These moves have raised concerns about potential short-term disruptions to operational continuity and the broader challenges of recruiting and retaining specialized cyber talent.”
The abrupt and sweeping changes in both staff and leadership may be disruptive, but that doesn’t mean they “will be detrimental to the long-term health of an organization,” says Bruce Jenkins, CISO at Black Duck. “The immediate question is whether these changes will have a net-positive or net-negative effect.”
Every administration has its priorities and these changes may be part of a broader, well-reasoned plan—though it’s difficult to divine exactly where the Trump administration stands, or how firmly and consistently, when it comes to cybersecurity and what that broader plan might be. On the one hand, the president has signed a flurry of orders aimed at bolstering cybersecurity; on the other hand, he has shown a softer touch than previous administrations when it comes to Russian cyber meddling (likely an artifact of his sensitivity over Russian election interference in 2016). And the president has put his weight behind AI development, though without the guardrails that many security pros would like to see in place.
And more responsibility falls to the private sector to pick up the slack at a time when cyberattacks are on the uptick, threat actors are more savvy and aggressive, budgets are tight, and the tools at miscreants’ disposal are more sophisticated and easier to obtain.
Filling the void
Businesses don’t have the luxury of waiting for the government to sort out a new path for CISA or flesh out cyber policy and divvy up responsibilities. As Soroko points out, “Dependence on government services for cybersecurity should always have a back-up plan.” Without one, “then there is an opportunity for the commercial industry to fill that gap.”
And fill it they are, hardening their own security, modernizing their operations, adopting zero trust architectures, proactively tracking down threats, bolstering the supply chain, practicing better hygiene and more aggressively patching vulnerabilities.
Speaking from a CISO perspective, Deepwatch CISO Chad Cragle says “a unified cybersecurity framework, similar to other countries, but with more requirements, to prevent a fragmented approach with constantly evolving state-level mandates” would go a long way. Current frameworks like the NIST Cybersecurity Framework should be must-haves for organizations, though the “requirements” are recommended, not mandated.
As the federal government regroups around cybersecurity, there is plenty of room for state governments to step in, polishing their cyber prowess and forming close ties with the private sector. In this regard, the federal government’s loss may well be the states’ gain. “State governments ramping up their efforts to attract top cybersecurity talent have an ideal opportunity to attract top talent from the federal workforce,” says Darren Guccione, CEO and Co-founder of Keeper Security, encouraging federal cybersecurity professionals to “position themselves accordingly.”
He suggests those workers keen on moving to state positions highlight their experience in securing critical infrastructure, managing public-sector risks and responding to complex threats—critical skills for protecting essential services and mitigating the impact of cyber-attacks on public systems.
Since agencies like CISA “already collaborate closely with state governments through joint risk assessments, incident response efforts and the sharing of threat intelligence,” Guccione says, those overlapping areas of expertise “can facilitate a smooth transition, allowing federal cybersecurity professionals to build on these familiar partnerships.”
And hopefully with new leadership at CISA—Sean Plankey was nominated by Trump to lead the charge and recently faced grilling by the Senate Committee on Homeland Security and Government Affairs—the agency will regain its footing, funding and the faith of the White House and lawmakers. Ellis expects “a continuation and expansion of initiatives like vulnerability disclosure programs (VDPs) and public-private partnerships” and points to CISA’s recent work with Bugcrowd to launch a federal VDP platform as “a strong example of how collaboration can scale security efforts effectively.”
He remains optimistic that the future might bring “a push for more aggressive timelines on patching known vulnerabilities and broader adoption of zero-trust architectures across federal agencies, both of which align with the administration’s prior directives, and will hopefully see a continuation of the good work done by CISA around providing data, tools, and cyber leadership to American defenders with initiatives like Secure By Design, KEV, and so on.”
Not everyone shares that optimism. Judging by the questions Plankey had to field, it seems that some members of Congress are concerned that the administration’s machinations have left CISA considerably weakened. Only time will tell. In the meantime, though, all eyes are on the private sector.