Former CISA executive worries about the impact of staff reductions

If former CISA Assistant Executive Director for Cybersecurity Jeff Greene had to express his thoughts on the agency today in one word, it would be “concerned.”

That’s because of the growing exodus of young talent from the cybersecurity agency, which is responsible for securing IT across the federal government, Greene said during an Oct. 8 webinar on global cyber resilience hosted by Travelers Institute, the education and public policy division of insurance company Travelers.

“What worries me is that Nick [Andersen] and Sean [Plankey] don’t have the tools that I had because a lot of young talent has left, and more folks are leaving,” Greene said, referring to two agency leaders, when asked about his thoughts on CISA amidst federal government spending cuts. In June, the House Committee approved a fiscal 2026 funding bill that would cut CISA’s budget by $135 million.

Greene, who departed CISA in January, said he is confident in CISA’s current leadership team and the work being done at the agency, but worries about the downstream impact of talent cuts and the resulting burnout among those remaining. In June, a spokesperson from the agency told Cybersecurity Dive that it had lost 1,000 employees this year under the current administration.

“People are really tired and they need some relief, because you can’t go at the pace that they’ve been going at,” Greene, who is now a distinguished fellow at the Aspen Institute and founder of his own consulting firm, said. “And I don’t know that we’ll ever be able to track a specific incident to a cut here or a cut there, but it’ll happen.”

Tips from the former CISA exec. During the webinar, Greene extended several tips to businesses on how they can up their cybersecurity stature. He recommended employee education as a way to combat wire fraud and social engineering attacks, while shutting down naysayers in the industry who question the effectiveness of it: “If we can string together a variety of different tools that can educate 10%, 15% of people at the time, then we’re going to put some security [in place].”

Greene also stressed the importance of not only having an incident response (IR) plan, but also engaging in exercises to simulate an attack. He recalled a recent incident with a consulting client who received an email from a bad actor claiming to have stolen their data; in that instance, some practice would have been handy.

“They had an IR plan, but their first few minutes of panic were so intense that they didn’t pull it out…Knowing what to do, having a little bit of muscle memory is essential,” he said, adding things flowed “more smoothly” once the company followed the plan.

For businesses seeking to protect themselves from fake job applicant schemes and similar threats, Greene advised to stay up-to-date on attackers’ latest tactics and to be cautious of dream applicants.

“The old cliché is, if it sounds too good to be true, it probably is,” Greene said. “If someone who perfectly suits your needs pops up and is willing to work for below market value, it might not be the bargain you think it is.”

What’s ahead? When asked about the emerging threats that will test the resilience of businesses the most, Greene pointed to quantum computing, specifically the arrival of “Q-Day,” a term in the industry used to describe the eventual day when quantum computers are able to crack traditional encryption methods used to secure the internet. The arrival of Q-Day will require companies to shift their attention to quantum-resistant cryptography, a quantum-proof way to secure data.

“I’m worried that when we reach Q-Day, or whatever you call it, it’s going to blow up and we’re going to be trying to put Band-Aids all over a big wound,” Greene said. “So, if you can work with your organizations, ask them, ‘Do they have a plan to migrate to post-quantum or quantum-resistant cryptography?’”