The IT community needs a total reset in the way it thinks about cybersecurity, according to former White House CIO Theresa Payton.
“I think back ten years and I realize that we actually haven’t made a single one of your security problems go away, and you need to hold us accountable for that,” Payton said. “Name one. We have reduced risks in the security industry, name a problem we actually made go away for you,” she said. “But I’m really excited because I think we are at a turning point where we’ll have that opportunity.”
Payton, who spoke at the Forcepoint Cybersecurity Leadership Forum on Tuesday, described how the government has characterized bringing breach detection times down from over 400 days to a little more than 200 as a win in cybersecurity.
“I’ve got to tell you, this does not feel like winning to me,” Payton said.
Payton, who currently stars as the head of intelligence on the CBS reality show Hunted, explained that cybersecurity professionals often see the behavior of non-cyber employees in the same way that audience members view the mistakes of fugitive contestants on the show. To an outside observer, the behaviors look idiotic, and the expert is unable to figure out how to correct the behavior.
“That has been the problem with the security profession for so long, because our perspective was, ‘why would you do that?’” said Payton. “I really think that security is fundamentally broken, and it’s been that way for a long time because we don’t focus on the human.”
Payton said that instead of inundating employees with too many cyber rules and procedures to follow, organizations should focus on a couple of scenarios that could be disastrous for them and train to prevent those specific things.
“Get very focused. Don’t create the 100 do’s and don’ts,” said Payton. “Talk about those critical assets at your company, those digital assets that if they’re stolen, held for ransom, destroyed, or posted on the internet would ruin your company.”
She also emphasized the importance of teaching basic cyber hygiene, such as using a virtual private network when away from company Wi-Fi networks. While at the RSA Conference last year, Payton was able to spy on the digital movements of even cyber professionals in her hotel, using only a $100 portable rogue Wi-Fi hotspot.
“When you go into a hotel lobby and you see a toothbrush lying on the floor, do you use it? I mean, this is a nice hotel, why not? You can’t trust the hygiene on the toothbrush. Same thing with Wi-Fi,” Payton said.
Payton also characterized cybersecurity best practices checklists as “the worst thing to ever happen to your and my security,” because they enable complacency after all the checks have been made without solving core security problems.
“Candidly, when you look at some of the significant security events, and some went well and some had data breaches, it really is a window into the soul of what’s wrong with cybersecurity,” Payton said.