In the opening keynote at BSides Las Vegas, Bob Lord, CISO of the Democratic National Committee (DNC), talked of the “Ghosts of Past, Present and Future” and considered what the industry needs to do going forward.
Lord, who also served as CISO of Yahoo, Netscape and Rapid7, talked about stories such as the Yahoo attack and breach, and how the lessons learned “should be talked about.” Too often, he said, we “talk technology but have forgotten how to tell stories to executives.”
He said that this problem of communication is “repeated breach after breach” and that the industry often fails to tell a story and be heard.
Pointing to his current work at the DNC, Lord said that this involves working with state parties and campaigns, which have separate funding and separate charters, and are separate legal entities with different levels of maturity.
This led to a suggestion to kill the checklist of security best practice, which Lord called “a roadmap of our failure to build usable security in products.” The only way to get the items on it done, he offered, is to sit down with people one-on-one. That, he countered, doesn’t scale.
He said: “We realize doing the basics is hard and time consuming,” and if we have to do it one-on-one we have “failed users.” Instead, the industry needs to take a more active role and move to “secure by design.” This includes making updates painless, automatic and transparent, and enabling encryption on laptops that doesn’t have to be paid for and is not hard to set up.
Lord also called for better security standardization, especially in authentication. Teaching someone to use a password manager, he said, “is a real struggle to help someone under the best circumstances.”
He pointed to the case of two-factor authentication (2FA). If a user has to search for how to enable 2FA, he said, then “something is not quite right.” He also advised against connecting to “sketchy wifi,” but conceded that it is hard for a user to determine what a “sketchy wifi” network looks like.
“You shouldn’t have to pay more to be good at security,” Lord said. “Don’t treat it as a luxury item.”
He concluded by saying that things should be more “secure by default for average folks, in all devices and services, with no action required by users,” and praised the work of the FIDO Alliance, which he said is “a real game changer in making things secure for the average person.”