Former White House CIO Theresa Payton on Battling Cyber Threats
November 11, 2014 | Security and Risk | John Worrall
By John Worrall
We’ve wrapped the 2014 CyberArk North American Customer Event and wanted to share some great insight that our guest keynote presenter shared. Former White House CIO, Theresa Payton, is a well-respected authority on internet security, net crime, fraud mitigation and technology implementation in the U.S. She has deep experience across both government and financial services industries, in addition to being the first woman to hold the position of White House CIO from 2006 to 2008.
Payton gave a candid, humorous presentation, discussing the current state of the cyber security industry, sharing some stories from her time at the White House. Throughout her presentation, Payton hit on a few key themes that every organization should take to heart.
Battling Cybercrime = Fighting Evil
Throughout discussions of cyber threats on the enterprise-level, Payton continually reminded us of her view that fighting cybercrime is essentially fighting evil. While the security industry would hope its efforts are making a difference, I’m sure many of us in the industry would be hesitant to label ourselves as “fighters of evil.” Yet Payton’s argument makes sense. The money amassed through the acts of cybercrime generally go on to fund things like human trafficking, child pornography, gun-running and terrorism.
Payton discussed the growing cybercrime black market and its increased demand. She told a story about working with a private company whose website “disappeared,” only to discover it was being held for a half million dollar ransom in a country outside of the jurisdiction of the FBI. Her point was to pull our noses away from the daily grind of protecting company assets, reputation and customers, and look at the bigger impact of our jobs. As Payton pointed out, there is a concerted, well organized adversary out there that likely views each company as a piece of a larger goal, and that we as security professionals should not lose track of the greater good we do – it should serve as motivation.
We Need to Change the CEO Conversation
Payton told the story of a senior White House staffer coming to sit with her IT team. He bluntly asked, “So, tell me what you all are doing to make sure we don’t get hacked.” This is a common question many CEO’s or board members ask of senior IT teams.
Payton thanked this particular senior staffer for his interest and invited him to sit in on a team exercise to practice their response to what could be considered an advanced persistent threat – someone hacking in and stealing the president’s schedule. Once the staffer was able to see first hand the importance of being able to identify and respond to a breach, Payton pulled him aside. “The truth is, technology people are uncomfortable telling executives the truth – that everything is hackable,” she said. “Even when we break up into teams of good guys versus bad guys and hack ourselves, the bad guys always get in. You just can’t protect yourself 100 percent of the time. Better questions to ask your IT team are, ‘I know it’s inevitable, but what are you doing to prevent a breach? And what steps are you taking to handle a breach if it does occur? What can I do to help you?’ These questions open up an honest dialogue around the real challenges your security and operations team are confronting.” Educating senior executives is absolutely critical to defending against cyber attacks and every organization would benefit from this process.
How Do You Measure Success in Security?
Before speaking with Payton, the senior staffer in the previous story probably would have defined her team’s success based on their ability to prevent 100 percent of breaches. But that’s not how Payton defines it. She believes it comes down to correctly identifying legitimate cyber threats, stopping breaches early and being able to find and push cybercriminals out of the network. We can’t stop every breach, but we can find them and contain them.
The bottom line is that the security industry needs to protect its most critical assets. Payton ended her talk by putting up a photo of a bike wheel secured to a pole. Clearly, the owner took steps to secure his property, however, did he manage to identify its most critical assets – whether that was its frame, its basket or its bell? Our security policies must focus on protecting the most important pieces of our business and more importantly, we must never underestimate our adversaries.
Given the significance of privileged accounts in every advanced attack, whether it’s Edward Snowden using a privileged account to pilfer secrets from the NSA, or a third-party contractor not properly managing privileged connections to a network as in the recent retail breaches, protecting your most critical assets hinge on privileged account security.