Episode 228: CISA’s Eric Goldstein on being Everyone’s Friend in Cyber

In this episode of the podcast (#228) we’re joined by Eric Goldstein, Executive Assistant Director for Cybersecurity for the Cybersecurity and Infrastructure Security Agency (CISA), to talk about how the US government’s lead cybersecurity agency is helping companies and local governments keep hackers at bay. But are organizations ready to ask for help?

As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and Spotify. Or, check us out on Google Podcasts, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.


October is the 18th annual Cybersecurity Awareness Month – a month dedicated to educating the public and the private sector about cyber risks. What better time, then, to check in with our friends at CISA, the Cybersecurity and Infrastructure Security Agency. 

CISA: A Different Kind of Agency

Eric Goldstein (CISA)

As the U.S. government’s newest agency and the tip of the spear for government response to cyber risks and cyber threats, CISA has its hands full. The agency is responsible for coordinating and informing the cybersecurity practices of the federal government, which employs more than 4 million Americans and has a budget of close to $5 trillion. It is also the go-to for cybersecurity intelligence and security services for state and local governments. The agency offers a series of “cyber hygiene services” that local and state governments can use to interrogate their infrastructure. CISA also helps coordinate with the private sector around emerging threats, such as ransomware gangs and the hacks of key providers like SolarWinds, Kaseya, Colonial Pipeline and more.

CISA executives are quick to point out that the agency is neither a regulator nor a law enforcement body. Indeed, CISA is “a different kind of agency”: less bureaucratic, more agile and more willing to embrace technological change. CISA’s most important objective is to be a friend to the agencies and organizations that it serves: involving itself in cyber incident response not to assign blame or mete out punishment, but to help those affected to recover and move on.

Making the Most of Cybersecurity Awareness Month

But to do that, CISA needs to enjoy the trust and acceptance of the organizations it is trying to help: from state and city governments to critical infrastructure operators and supply chain providers in the broader economy.

To learn more about that effort, we invited Eric Goldstein, Executive Assistant Director for Cybersecurity for CISA, into the Security Ledger studio to talk about the agency’s agenda for October, including its 4th Annual National Cybersecurity Summit, which is taking place all this month. (Check out the agenda for the October 20 and 27th events here).


In this conversation, Eric and I discuss the agency’s work on problems like ransomware, and a recent report that linked ransomware outbreaks at hospitals to increased delays and strain and stress among medical staff working there. We also talk about how his experience working in the private sector for Goldman Sachs has informed his work for the federal government – another big cyber target. To start off, I asked Eric the one question that’s on the tip of everyone’s tongue: Is it CIZA or CISA?