This article from CISA Director Easterly (Read More below) is a beacon of hope that we will see improvements in cybersecurity protections across critical infrastructure and C-Suite Executives and BoD members will be held accountable.

My suggestion to Executives and BoD members is simple, don't wait until you're facing a shareholder lawsuit, and personal liability/financial loss or regulatory actions. Start collecting, and preserving evidence of effective cybersecurity controls now, you may need this data someday to present in your own defense, and it all starts by performing risk assessments of software products, before procurement and before installation. The evidence collected during a software supply chain risk assessment will show judge and jury that you implemented appropriate due diligence in your cybersecurity oversight.

Here are a few "telling" excerpts from the article that all BoD members and C-Suite Executives need to be aware of:

• Over the past decade, adversaries of the United States have developed increasingly sophisticated offensive cyber-capabilities.
• cyber-intrusions are a symptom, rather than a cause, of the continued vulnerability of U.S. technology.
• The incentives for developing and selling technology have eclipsed customer safety in importance
• They accept products that are released to market with dozens, hundreds, or even thousands of defects. They accept that the cybersecurity burden falls disproportionately on consumers and small organizations, which are often least aware of the threat and least capable of protecting themselves. 
• When cybersecurity is considered a niche issue, rather than a foundational business risk, organizations are not motivated to be part of a broader solution.
• Under this new model, cybersecurity would ultimately be the responsibility of every CEO and every board. Collaboration would be a prerequisite to self-preservation. Such a culture shift requires the recognition that a cyberthreat to one organization is a threat to all organizations.
• Government can smooth the way by making clear its expectations that technology is designed and built with safety as a top priority, by advocating that cybersecurity be considered a CEO-level business risk, by providing opportunities for entities to share cyberthreat information, by holding itself accountable for being transparent and adding value, and by ensuring that regulatory frameworks encourage companies to comply
• Technology manufacturers need to take responsibility for the security outcomes of their customers as a fundamental issue of safety; otherwise, the critical infrastructure of the United States, its communities, and its way of life will remain at untenable risk.
• Consumers and businesses alike expect that cars and other products they purchase from reputable providers will not carry risk of harm. The same should be true of technology products. This expectation requires a fundamental shift of responsibility. Technology providers and software developers must take ownership of their customers’ security outcomes rather than treating each product as if it carries an implicit caveat emptor.
• Strong security should be a standard feature of virtually every technology product, particularly those that underpin critical infrastructure such as energy, water, transportation, communications, and emergency services.
• Every organization should demand transparency from its technology providers about whether they have adopted strong safety practices.
• organizations across sectors should commit to requiring strong security practices when purchasing or upgrading technology, and technology providers should commit to taking responsibility for the security outcomes of their customers. Every technology provider must consider it a duty to ensure that its products are safe for use and to warn customers when that is not the case.
• First and foremost, in every business, the responsibility for cybersecurity needs to be elevated from the IT department to the board, the CEO, and the senior executive level.