Effective CISOs and other leaders are those who plan for today but with an eye on tomorrow, and always put people first, according to Christopher Krebs, former director of the Department of Homeland Security’s cybersecurity and infrastructure agency.
“You always have to be agile around how business operations are shifting,” said Krebs, speaking during a sweeping “fireside chat” Wednesday with OneLogin CEO Brad Brooks, which touched on topics including remote work, online voting, and passwords.
“If you can plan in advance, that’s great, but you have to always be consuming information and adjusting on the fly.”
The agency’s motto was “defend today, secure tomorrow,” said Krebs, who was fired by President Donald Trump after repeatedly asserting the 2020 election was not rigged. “Yes, we have to deal with today’s problems, but we also need to be thinking at any given moment, six months ahead to what do we wish we had done differently then?”
SEE: Can your organization obtain reasonable cybersecurity? Yes, and here’s how (TechRepublic)
Krebs and Alex Stamos, former CSO at Facebook, recently formed a consulting business. Their first major client is SolarWinds, which was hacked in the worst-known infiltration of government systems.
Running DHS during a pandemic, Krebs said officials made a point of holding weekly town halls on various topics such as how to optimize technology to be effective and how to address cultural issues like civil unrest and the Black Lives Matter movement.
“Those are really challenging conversations to have in person, much less remotely where you have anonymous chat boxes where people can throw bombs in there,” Krebs observed. “No matter how uncomfortable or difficult conversations are, employees need to know you’re looking out for them and you have a degree of empathy.”
Every CISO needs to know how to work with HR, Krebs said, adding that “every organization has to have a COVID/remote workforce coordinator and needs to understand how the risk calculus has shifted.”
He also predicted a return to the workplace could happen sometime mid-summer but that a sense of normalcy may not happen for a while. “Saying a year from now is jarring, but it’s reality.”
Krebs also said he believes COVID-19 won’t be the last pandemic the world sees.
In response to a question from Brooks about his thoughts on the Real ID, an act passed by Congress in 2005, Krebs said it has taken years to implement and at great expense. “Here we are, years later, and we’re just on the cusp of a nationwide Real ID uptake.”
Looking ahead, “I tend to think no single solution will address everything” related to identity, he said. “Just like everything else in infosecurity, there won’t be a single silver bullet.”
The paradox of online voting
Brooks asked what the roadblocks are in making online voting a reality.
Krebs noted that a paradox exists because unlike so many transactions people conduct online that require anonymity, electronic voting needs to be transparent and identity has to be provable.
While there has been a lot of talk about using blockchain and smart ledgers, Krebs said he’s not comfortable with those options.
“We’re probably not really close to where we need to be on the full stack of online voting,” he said. “I think yes, there’s a way to authenticate identity, but then you get into the paradox of authenticating identity” because people want to stay anonymous but still have their vote carried through the system.
“That said, my goal would be … every vote needs to have a piece of paper associated with it for auditability,” in the event that it is challenged, as was the case in Georgia last year, Krebs said.
The continuing conundrum with passwords
The most counterintuitive issue with passwords is they are “too easy to guess and too hard to remember,” Krebs said. Frictionless multifactor authentication has to be the future, he stressed. “Single factor is so fraught with peril.”
He suggested that cloud-based mail providers should activate MFA by default in their systems but acknowledged that would create “burnout” for CISOs and other infosec professionals.
“We’re making it too easy for bad guys,” Krebs said. “What’s really going to change this [mindset] about MFA by default is leaders. They have to accept cybersecurity as a business risk; that’s the key differentiator.”
He reiterated that leaders need to understand both the risks of today and the risks of tomorrow and recognize that they have “legacy policies” that need to be updated. “They don’t want to be in a position where they’re answering questions six months from now from a reporter” due to a hacking situation.
As an example of how to do things correctly, Krebs recalled how, in 2003, after Microsoft XP experienced “a string of vulnerabilities,” the company dealt with the matter head-on and announced that it would commit to fixing the platform.
“You can emerge out of these things but it takes leadership, commitment, and investing in security,” and that is how companies can differentiate themselves, he said. “With every challenge is an opportunity. Part of this is humility and accepting a little of the pain right now, but you will get through it when you have an incident.”
In terms of what’s on his tech policy and tools wish list, Krebs said he’d like to see more transparent conversations occur about third-party risks in organizations’ environments.
Krebs said his second wish is for corporations to come together and become better citizens in fighting foreign cyber adversaries. “We’re all going to be better off making the internet more secure if we all lean forward and be part of the collective defense.”