IBM executive floated for CISA director as concerns persist for agency

May 18, 2026

By Steve Zurier

Tom Parker's name emerged over the last few weeks as a potential new director of the Cybersecurity and Infrastructure Security Agency (CISA). The global leader at IBM Security where he works with the X-Force team, Parker was quoted recently as saying that he’d welcome the conversation with the Trump administration about the CISA job, but nothing more has been made public except for a few stories in the security trade press.

Parker was the preferred choice of the new Homeland Security Secretary Markwayne Mullin, according to NextGov/FCW. The stories also said Mullin wants someone with private-sector experience and Parker fits the bill, including a recent stint with start-up Hubble, which was acquired in 2024 by NetSPI.

Whether it’s Parker or some other name that bubbles up, whoever winds up with the job is in for a tough assignment. CISA has taken a hit in the past year. In the second Trump administration, the agency has lost roughly one-third of its workforce, with personnel dropping by nearly 1,000 employees from around 3,400 to roughly 2,200 to 2,400.

On top of that, the Trump administration’s FY 2027 budget proposes a $707 million cut to CISA — that’s roughly 30% of its budget — and targets a reduction of 867 positions to focus on "core" critical infrastructure protection.

President Donald Trump also made his priorities clear: CISA will focus more on critical infrastructure and less on "Secure by Design," an initiative popular with the industry because it focuses on wrapping security into software before it gets deployed. Trump famously feuded with former CISA Director Chris Krebs over security levels during the 2020 presidential election, so there’s a long history there.

Still, at least among security pros, there’s a clear consensus that the industry needs a strong, proactive CISA, one that can take on the challenges of protecting Americans during wartime and manage the rise of AI.

Parham Eftekhari, executive vice president at CyberRisk Alliance where he works closely with private-sector CISOs, said top CISOs overwhelmingly want to see strong federal leadership in cybersecurity and digital modernization efforts.

“Large enterprise CISOs are seeking opportunities to educate and partner with policy makers,” said Eftekhari. “They want to be active participants and contribute to our national and economic security posture.”

Security researchers especially depend on CISA and its Known Exploited Vulnerabilities (KEV) catalog as an unbiased, independent voice to help them prioritize which vulnerabilities to focus on.

“The industry depends on CISA more than most people realize,” said Denis Calderone, Principal/CTO at Suzu Labs. “We point clients to the KEV catalog constantly. It's one of the few resources that carries real weight in a prioritization conversation because there's no commercial interest behind it.”

According to Calderone, when CISA says "this is being actively exploited, patch now," that's a signal security pros can take to their top leadership without anyone questioning the motive.

“Vendors can't be their own referees,” said Calderone. “Threat intel companies have product lines to sell. CISA is the closest thing we have to a neutral broker in vulnerability prioritization, and that's not something the private sector can replicate no matter how much money we throw at it.”

Bob Ackerman, co-founder and managing director of DataTribe, added that unfortunately, over the last 16 months, CISA has suffered from the lack of long-term leadership and regular funding that’s essential to the agency executing on its mission.

“What we need are dedicated resources that are trusted by industry, that can engage with industry proactively to provide guidance on threats, that can share playbooks, and that can share strategies for what can be effective,” said Ackerman. “CISA probably is the closest thing we have to an organization that can mobilize the level of awareness that's necessary, share the lessons, and execute a call-to-action with the industry.”

So while it's positive news that IBM's Parker has been put forward, Ackerman said he hopes it’s not another one of those highly qualified candidates that languish on the sidelines for a year like what happened with the candidacy of Sean Plankey.

“We need a strong, experienced leader, and Tom Parker certainly meets those criteria,” said Ackerman. “So time is of the essence for Mr. Parker's confirmation and for his efforts to rehydrate CISA so it can engage with industry and deliver the guidance and support industry needs. We need a CISA that’s going to operate at the speed of the threat. With AI, we no longer have the luxury of time, and that problem is only going to get worse.”

Vishal Agarwal, chief technology officer at Averlon, said security teams depend on CISA more than the conversation usually reflects. The KEV isn’t just a list, said Agarwal — it’s the analytic work that small teams can’t do for themselves, delivered in time to matter.

CVE-2026-20133, the Cisco SD-WAN information disclosure CISA added in April, was one example Agarwal pointed out. With a low CVSS score of 6.5, it was ignorable on paper. However, Agarwal said KEV placement tips off a resource-constrained team that a medium-severity bug is actually part of an active nation-state exploit chain.

“Without CISA doing that correlation, every CISO has to build a threat intel pipeline that can spot the same pattern, and most can’t,” said Agarwal. “A diminished CISA in the AI era widens a gap exactly where the system is most fragile.
Mozilla just patched 271 vulnerabilities in a single Firefox release that an AI model surfaced in weeks. Mozilla has the engineering depth to absorb that. A state DMV, a rural hospital, a mid-sized utility doesn’t. The organizations that lean on CISA the most are the same ones AI-accelerated vulnerability discovery hits hardest.”

Richard Brown, senior managing operator at Bishop Fox, added that a diminished CISA means fewer AI best practices, less pressure around Secure by Design, and potentially less trust in how organizations are implementing AI, especially at the federal level.

Brown said CISA has already been moving on this front, including coordinating with G7 partners on AI software supply chain transparency and minimum SBOM elements for AI systems. A weakened CISA risks slowing the development of global standards for emerging AI policies, and that matters, said Brown, because CISA is one of the main conduits between government, cloud providers, infrastructure operators, and private industry.

“The agency needs to rebuild trust and consistency with the industry after a prolonged period of leadership instability and reported staffing reductions,” said Brown. “It would be great if they could accelerate vulnerability prioritization and exploitation intelligence as well. After that, they should advance Secure by Design principles across the software ecosystem and prepare critical infrastructure sectors for AI-enabled cyber threats.”

CISA needed more than ever, security pros say

John Watters, chief executive officer at iCounter, added that the cybersecurity industry needs a strong and operationally credible CISA now more than ever. Watters said security teams across both the public and private sectors rely heavily on CISA not just for alerts, but for prioritization, coordination, and shared visibility into which threats represent real-world risk.

“In an environment where exploitation can occur within hours of disclosure, agencies cannot operate at a traditional government pace,” said Watters. “They need the authority, resources, and technical depth to function more like a real-time cyber defense nerve center.”

Watters said a diminished CISA creates risk far beyond federal civilian and defense networks. It weakens the connective tissue between government, critical infrastructure operators, technology vendors, and the broader security community, said Watters. That becomes especially problematic as AI accelerates both attack automation and defensive complexity.

“Secure by Design also cannot become a secondary priority,” said Watters. “The industry needs stronger incentives for resilience and accountability upstream, otherwise defenders remain trapped in a perpetual cycle of patching and incident response.”

Watters said moving forward, CISA’s priorities should center on machine-speed threat coordination, operational collaboration with industry, AI-driven defense capabilities, and scalable vulnerability prioritization that helps overwhelmed security teams focus on reducing the time from intelligence collection to action.

“Leadership matters, and experienced operators like Tom Parker bring important credibility, but sustained effectiveness ultimately depends on whether the agency is empowered to execute with clarity, stability, and long-term strategic support,” said Watters.

Matthew Hartman, chief strategy officer at Merlin Group, pointed out that security teams don’t always depend on CISA to tell them every vulnerability that matters, but they do depend on the agency to create a trusted national signal amid overwhelming noise, especially now that the window between disclosure and exploitation has collapsed from weeks to hours.

Hartman said the nation benefits tremendously from a CISA that’s effectively executing its authorities: rapidly validating threats, sharing actionable intelligence, and aligning government and industry around a common operating picture before attackers can achieve exploitation at scale. “With AI accelerating attack automation and defensive complexity, a confirmed CISA director has never been more necessary,” said Hartman. “I don't know Tom Parker personally, but I do know that Acting Director Nick Andersen and the CISA career staff are extraordinarily committed to the mission and are doing outstanding work des