News: 1745350256

Two CISA officials jump ship, both proud of pushing for Secure by Design software

(2025/04/22)


Two top officials have resigned from Uncle Sam's Cybersecurity and Infrastructure Security Agency, aka CISA, furthering fears of a brain drain amid White House cuts to the federal workforce.

In Monday posts on LinkedIn, Bob Lord and Lauren Zabierek both announced they were leaving the agency – tasked with, among other things, protecting America's critical infrastructure from cyberattacks – highlighting their work on the [1]Secure by Design program, which pressed software makers to build better security into their products from the get-go.

"I've made the difficult decision to leave CISA," [2]wrote Lord, a senior technical advisor at the agency since April 2022.

"I'm deeply grateful for the opportunity to help lead the agency's work on Secure by Design software," he added, noting that he will continue contributing to the CISA-led effort, "but first, I'm taking a short break."

Zabierek also referenced her work on the [6]Secure by Design initiative, which included [7]wrangling more than 250 software makers into signing a voluntary pledge to do seven things, such as bake multi-factor authentication into their products, reduce default passwords, and increase patching by customers.

"After an incredible journey at CISA, I have made one of the toughest decisions of my career: I will be resigning my role at the agency," [8]wrote Zabierek, who started working at CISA in January 2023.

"This was not an easy choice," she continued, adding: "I'm particularly proud of our work on the Secure by Design initiative."

The fact that both ex-CISA staffers specifically called out Secure by Design possibly suggests dissatisfaction with the direction of the program under the Trump administration. Lord and Zabierek have not yet responded to a request for comment, but we'll update this story if they do.

In the meantime, the acting director of the agency emailed a statement to The Register hinting that changes to Secure by Design are afoot.

Here's the full statement from Bridget Bean, the senior official performing the duties of the director at CISA:

CISA remains laser-focused on working across the public and private sectors to improve the nation's cybersecurity, a critical element of which is ensuring that technology companies do their part. This is why we continue to urge companies to develop products that are secure by design, instead of passing the cost of poorly designed products on to consumers. While CISA's approaches to Secure by Design evolve, our commitment to the principles remains steadfast. I thank Bob Lord and Lauren Zabierek for helping to lay the foundation on which future work in this space can be built.

The resignations come as the agency [11]braces for the ax to fall on as many as 1,300 — nearly 40 percent — of its employees, following the [12]firing of around 130 staffers last month.

Also in March, CISA cut [13]$10 million in funding, or about half the total budget, for the Multi-State Information Sharing and Analysis Center (MS-ISAC).

[14]As CISA braces for more cuts, threat intel sharing takes a hit

[15]CISA boss: Makers of insecure software must stop enabling today's cyber villains

[16]Cyber congressman demands answers before CISA gets cut down to size

[17]CVE fallout: The splintering of the standard vulnerability tracking system has begun

More generally, the Trump administration seems to be treating cybersecurity as a low to low-ish priority. Shortly after returning to office, the President [18]terminated all memberships on advisory committees within CISA parent Homeland Security, including those focused on cyber threats and information sharing, such as the Homeland Security Science and Technology Advisory Committee, the Data Privacy and Integrity Advisory Committee, and the Secret Service's Cyber Investigations Advisory Board.

These cuts, described by retired US Navy Rear Admiral Mark Montgomery as the "gutting" of CISA, are weakening America's cyber defenses, he told The Register in an earlier interview.

"Firing cyber personnel at CISA harms national security on a daily basis — this goes well beyond disruption and is actually causing destabilization," Montgomery said. ®



[1] https://www.cisa.gov/securebydesign/pledge/

[2] https://www.linkedin.com/posts/lordbob_personal-update-ive-made-the-difficult-activity-7320094582770216960-dwyf/

[6] https://www.theregister.com/2024/09/20/cisa_software_cybercrime_villains/

[7] https://www.theregister.com/2024/05/09/68_tech_firms_sign_cisas/

[8] https://www.linkedin.com/posts/laurenz1010_after-an-incredible-journey-at-cisa-i-have-activity-7320101011182800896-3c8B/

[11] https://www.theregister.com/2025/04/08/cisa_cuts_threat_intel/

[12] https://www.theregister.com/2025/03/18/cisa_rehired_doge/

[13] https://www.naco.org/news/multi-state-information-sharing-and-analysis-center-ms-isac-loses-federal-funding

[14] https://www.theregister.com/2025/04/08/cisa_cuts_threat_intel/

[15] https://www.theregister.com/2024/09/20/cisa_software_cybercrime_villains/

[16] https://www.theregister.com/2025/04/14/swalwell_cisa_cuts/

[17] https://www.theregister.com/2025/04/18/splintering_cve_bug_tracking/

[18] https://www.theregister.com/2025/01/22/trump_cyber_policy/



Oh dear

Eclectic Man

the President terminated all memberships on advisory committees within CISA parent Homeland Security, including those focused on cyber threats and information sharing, such as the Homeland Security Science and Technology Advisory Committee, the Data Privacy and Integrity Advisory Committee, and the Secret Service's Cyber Investigations Advisory Board

Do they think that these things do not matter or that someone else will pick up the pieces and do it all anyway?

Re: Oh dear

Jou (Mxyzptlk)

Those two don't want anyone to pick up the pieces, they want full software freedom without responsibility 'cause that is their revenge on intelligent people. Once a bully, always a bully. We will see how it plays out, and I hope my plans are not nuked on the way being far away.

Re: Oh dear

Andy Non

"someone else will pick up the pieces and do it all anyway?"

I'm sure there will be lots of extra personnel and resources applied to checking out US cyber security... though mostly in China, Russia, Iran and North Korea.

Re: Oh dear

abend0c4

Do they think that these things do not matter or that someone else will pick up the pieces and do it all anyway?

There's a reasonable argument to be made that the US taxpayer shouldn't be picking up the tab for this - certainly for more than 3000 staff - and a reasonable argument that the work needs to be done. It does seem that the US government may have taken a lot of this kind of work on board simply owing to a reluctance to mandate that industry should do it. There's clearly an issue of compliance (cf. UK water companies and the Environment Agency), but governments have the power to compel industry to pick up the pieces if they think they're being taken for a ride: it's not simply a binary choice between the government doing it or it not being done. If, however, you paint yourself into a corner by decrying business regulation in principle...

I doubt Trump knows the first thing about internet security.

Tron

Presumably he is taking 'advice' from someone. As he seems to be ticking a lot of boxes on Putin's wish list for damaging the US, perhaps the FBI or CIA can examine who that someone is (before they get sacked, to save a few bucks).
