Former White House CIO stresses need to design security for humans
Editor’s note: Theresa Payton, former White House CIO and a prominent cybersecurity expert, will deliver the opening keynote address at the Infosecurity ISACA North America Expo and Conference, to take place 20-21 November 2019 in New York City. Payton recently visited with ISACA Now to reflect upon her time in the White House and provide analysis on how the technology and cybersecurity landscapes have evolved in her time since leaving the role. The following is a transcript of the interview, edited for length and clarity.
ISACA Now: Are there aspects of working as White House CIO that you miss? What might those be?
Theresa Payton: Working at the White House was truly like no other experience I’ve had – it was thrilling and ever-changing. The nature of the work is one thing, but when you add to it the fast pace with the rapid advances in technology during my tenure, it made supporting the mission of the White House exciting and challenging, to say the least! I enjoyed that pace and that mission, and do still miss it. I also miss the talented staff that I worked with, many of whom still serve today.
ISACA Now: How different would that White House CIO role be if you started today as opposed to in 2006, from a technology standpoint?
Payton: I was CIO at the White House from 2006-08, right at the beginning of the social media revolution, Internet of Things devices, and the first iPhone released in 2007. It was a fabulous time for integrating digital transformations while still maintaining high levels of operational stability, resilience, and security. We were laying the groundwork for today's cybersecurity.
Moreover, while cyber criminals have been active since technology has existed, it’s the pervasiveness and creativeness of cyber criminals that differs today. Anyone with a laptop and $20 can buy a ransomware kit on the dark web, so access to malicious tools and the ability to learn how to use them have never been this easy.
The attacks for 2019 and beyond will be both nation-state sponsored as well as attacks sponsored by criminal groups and hacktivist groups. The past attacks of 2016-2018 provide a barrage of alarming wake-up calls. The slowdown and widespread unavailability of the internet in the US and parts of the EU on 21 October 2016, due to the DDoS attack against the cloud services host provider Dyn, reminded us of the fragility of the internet infrastructure we rely upon.
The disturbing trend of an increasing number of nation-states with more advanced cybersecurity capabilities continues to threaten destabilization across the globe from a national security and economic security perspective. However, there is also an increased ability for a relatively unsophisticated threat actor to be successful within the cyber domain.
The reason for this is twofold. First, the increasing availability of automated hacking tools in the public domain provides the ability for individuals or groups of individuals with a basic set of skills, or just financial means to buy their way in, to achieve success. Second, the increasing availability of elastic computing infrastructure provides attackers with the ability to design and deploy relatively sophisticated attack infrastructures with ease.
ISACA Now: What are the most important components of successful incident response?
Payton: The most important thing when considering incident response to a cyber incident is the upfront planning before something bad happens. Without proper preparation, your company could be utterly non-functioning for days or weeks.
Ensuring that you have the correct backups in place to restore your systems and making sure that all employees know the proper protocols and chains of command makes an already stressful situation much better. Storing logs for the correct amount of time and capturing the right elements of information is crucial to determining who has attacked you, how they got in, if they are still there, and how catastrophic the incident will be to your company's operations and reputation. Digital forensics is also essential, because you can review the logs and facts as to what happened to prevent another attack.
The reality is that business execs can’t outspend the issue – it’s an IF not a WHEN – and they must be prepared. Cybersecurity no longer is something that can exist in a vacuum. It must be elevated to the board level and given a seat at the table. Companies can face extreme backlash and brand reputation issues if they mishandle a cyber breach. Conversely, companies that handle a breach well can not only rebound, but grow.
ISACA Now: Privacy is another of your major areas of interest. Do you sense that GDPR and other similar regulations that are being enacted will have the intended impact of more responsible data privacy and data governance?
Payton: A big fear I have is that regulation is often onerous and expensive to implement, that the money spent on regulation prevents start-ups from entering the space, and that it’s money diverted away from R&D. To date, the US Congress has kept legislation “technology-neutral.”
If legislation were to pass and be signed by the President, technology companies would owe consumers certain legal duties for the first time. That’s an incredible first step. What I'd like to continue to see is a culture change in big tech that consistently prioritizes consumers. That will require a close partnership between big tech, public officials and users of technology.
ISACA Now: What do you consider to be the most pressing challenges for cybersecurity professionals as we move forward?
Payton: Cybersecurity approaches and plans are evolving, and so are the tactics of cybercriminals. Cybersecurity professionals need to know as much as they possibly can about cybersecurity, and I highly recommend that they stay a constant student of their profession.
We are seeing more and more cyber professionals have responsibility for the business side of security, not just the technical side of the matter. I’d encourage all cyber professionals to know the strategic business priorities of their organization and how security relates to those priorities.
Several years ago, cybersecurity was seen as only a technical issue – and while that’s still true – cybersecurity is more than anything a brand issue. Cyber professionals must acknowledge the significant implications an adverse event can have on a company’s reputation and do everything in their power to balance implementing technologies and to create interoperability while also fending off cybercriminals.
We must design security for the human. We can’t enact processes and procedures that are so complex that regular, non-tech employees find ways around them. You have to figure out where your company stands on the security/ease-of-use continuum, and go from there.
For example, many of us have installed child-proof or safety items in our houses for toddlers or pets, yet we still tell them, “Don’t touch this.” But, just in case they do, we have designed safety features into our houses with them in mind. We must build the same security safety nets into our work and daily lives. Design them for your employees and for yourself. Just know they will use free WiFi, they will recycle passwords, they will respond to emails that are tricking them into giving up information – they will break all the security rules because they are not security employees.
(This post originally appeared on the ISACA blog site.)