Pete Chronis, CISO of Turner, is on to something. His latest book, The Cyber Conundrum, has reached more than 10,000 people who have bought the book, attended his lectures and book signings, and learned about his concept of the cybersecurity moonshot through social media, blog posts, radio shows, and podcasts. It’s clearly struck a chord with the cybersecurity industry.
Why? Chronis wants us to consider “moonshots”—processes we used to solve seemingly impossible problems such as going to the moon, defeating fascism, and curing polio—as guides to help us completely rethink cybersecurity. Otherwise, we’ll continue to lose the war. Despite our efforts, we seem always slightly behind cybercriminals no matter how much time, money, and expertise we throw at the problem.
In an interview with the NTSC, Chronis talks about why he wrote the book, the most challenging parts of the moonshot process, and how national cybersecurity legislation (through the help of groups such as the NTSC) can help solve our cyber conundrum.
The idea originated in a personal struggle that I believe is a shared struggle with other CISOs. We are doing important work, cybersecurity innovation is strong, and we are seeing exciting developments in our industry. But we see no light at the end of the tunnel. We are “losing the war,” as I note in my first chapter.
That got me thinking about what we need to solve this kind of complex problem—and what ideas or suggestions are needed to solve this problem comprehensively. That’s where the idea of the moonshot helped me approach this problem in a new way. We spend a lot of time focusing on incremental change, but we’re not addressing many fundamental cybersecurity problems. Plus, many of the cybersecurity conundrum’s root causes aren’t cybersecurity-specific problems per se.
For example, speed to market is a problem that has nothing to do with cybersecurity on the surface. Many technologically enabled products that we rush out into the marketplace are very intuitive to use, but locking them down or securing them is not as intuitive—or even a high priority.
This is just one example of a larger problem that’s not getting better. What do we do about it? We need fundamental change. We need a moonshot. How do we fix cybersecurity in a comprehensive way? What are the stakes if we don’t do it?
Getting momentum. My book assumes we’re very early on in the educational process about the cybersecurity moonshot. I show where I think we are right now—and we’re not very far. How can we gain critical mass and momentum? How do we turn this momentum into a groundswell movement so that we can facilitate change?
Just getting started is the hard part. We need enlightened leaders, a vanguard of influencers behind this moonshot movement to help focus and create that groundswell. Once those brightest minds get together, they need to develop a strategy that pushes the groundswell forward. Then the movement starts evolving at a rapid pace.
Enlightened leaders must develop a clearly communicated national strategy that gets these groups involved and on board. By building a coalition of supporters, you create a groundswell. The government may need to allocate money to appropriate programs, corporations may need to invest appropriately, and vendors may need to put more money into security.
Once you build these coalitions and create some awareness around a national strategy, you can start to engage policymakers. Otherwise, many of these groups will splinter off and advocate in their own self-interest—and not necessarily in the interest of the technology ecosystem or national security. Policymakers are less likely to listen if there doesn’t appear to be a strong united coalition.
Part of my book was actually based on the NTSC’s lobbying efforts on the Hill. Last year during a trip to DC, one of the legislators asked, “Do the American people care? If not, why should I?” He made a good point. If you don’t have a coalition of communities pushing for change, then you’re relying on legislators to do the right thing on their own in a world where they have a lot of priorities. Having that coalition will make legislators more likely to listen to us.
A primary reason I wrote this book was to help create a conversation and get people thinking differently about how they can solve these issues. Right now, we’re trapped looking at the future based on today. Moonshot problem solving doesn’t look at the way things are today as a predictor of how they’ll be in the future.
However, we can’t solve this moonshot without policy. We need the public sector, legislators, and policymakers as part of the conversation about a complete solution.
CISOs can’t go it alone. They need enlightened leaders at the most senior level of their company—the Board of Directors, the C-suite—helping them solve this problem. It’s not just about getting cybersecurity budget. It’s about changing the culture and the way cybersecurity is built from the ground up to make a company more secure—not just for shareholders but also for customers.
Right now, speed to market wins. We’ve got to create a paradigm where speed to market isn’t at the expense of security, and security isn’t at the expense of speed to market. This is an industry-wide problem. Every software vendor that writes operating systems releases patches. We’ve not been able to figure out a way to write bug-free code. So how do we get there? Few people are working on this problem today. And the problem is worse than ever because the number of devices we have in our homes that rely on software has greatly multiplied.
We also need a willingness to abide by a standard or set of standards that demonstrate security proficiency. In the book, I use the Underwriters Laboratories example as a great public-private partnership that improved the safety of consumer devices in our home today. Why can’t we have something like that for cybersecurity? I also reference the Cyber Independent Testing Laboratory that began with seed funding from DARPA as an example of a recent cybersecurity initiative spurred by the government.
To help incentivize companies, security must become more of a competitive market differentiator. CISOs can help spur that too. One of our current NTSC initiatives is to create some transparency around security in cloud products and help streamline the selection process by promoting more transparency in the vetting process. If CISOs follow these vetting processes, then they will potentially give preference to products that have better security. If we can create incentives around the adoption of better security for companies through legislation and policy, then CISOs, through the NTSC, can move the market and help contribute to solving the cybersecurity conundrum.