Deloitte cyber expert and former White House director of Cybersecurity and Communications Billy O’Brien sat down with ExecutiveBiz to discuss the aftermath of the 60-day Cyberspace Review and what every CEO should be asking about the security of their company. O’Brien appreciates that the published 60-Day review vowed to protect the nation’s infrastructure, treated privacy and civil liberties as a major factor, and labeled cybersecurity a “strategic national asset”. O’Brien is also waiting to see action from the Obama administration and believes the private sector will be able to help the public sector with the future of US cybersecurity by providing a unique perspective and already trained cyber experts.
ExecutiveBiz: Can you describe your current role at Deloitte & Touche, LLP as it relates to cyber security?
Billy O’Brien: In my current position, I provide expert counsel to Deloitte’s Federal clients on how to navigate and understand the cybersecurity policy landscape. Our deep bench of cyber expertise allows us to provide solutions to our clients’ most critical challenges. I also continue to work on a number of strategic initiatives, including our most recent global publication, Cybersecurity: Everybody’s Imperative – Protecting our economies, governments, and citizens (www.deloitte.com/cybersecurity).
ExecutiveBiz: Could you comment on the President’s 60-Day Review press conference?
Billy O’Brien: I applaud President Obama for declaring cybersecurity a key management priority and ordering a 60-day cyberspace policy review. His staff engaged many public and private stakeholders to frame and prioritize multiple key issues.
I was particularly intrigued by three topics the President mentioned:
- The declaration of cyber as a strategic national asset. This may have legal implications for private sector organizations that own and operate Internet infrastructure (i.e. ISPs) or provide technical services to government organizations through Networks.
- Convergence. Traditional telecommunications and IP-based infrastructures are integrating and the government must anticipate the impact to priority communications services, next generation networks, and resiliency.
- Privacy and civil liberties. This is a high-visibility topic and it will be a challenge for the Administration to manage expectations to protect critical systems while maintaining a high standard of privacy. The public should realize that the protections in place are not designed to read email; rather, they are sophisticated tools intended to protect government information networks.
However, some questions remain unanswered. For example, the report calls for an updated cyber strategy, which will certainly have greater significance and substance than the 60-day review. Will the White House change or request additional authorities? Will DHS maintain the lead for execution? Will the Administration choose to further the Comprehensive National Cybersecurity Initiative or change direction?
ExecutiveBiz: What do you think the qualifications of the next Cyber Czar should be? Do you think the Coordinator will be able to overcome the turf battle that exists historically among agencies?
Billy O’Brien: President Obama has intentionally used the term “Cyber Coordinator.” Accordingly, one primary qualification should be the ability to diplomatically but effectively “coordinate” and oversee the vast number of issues, initiatives, and projects across departments and agencies. The Coordinator should understand how to utilize the existing White House policy processes to hold Federal organizations accountable for their respective deliverables while ensuring they receive appropriate levels of funding from the Office of Management and Budget and ultimately Congress. Lastly, the Coordinator should possess the ability to translate extremely technical information into digestible material required for the President to make informed decisions.
ExecutiveBiz: What is the proper role for government contractors to solve the cybersecurity challenge facing the country?
Billy O’Brien: The private sector, particularly consultancies, typically offers immediate and scalable human resources, specialized skill sets and capabilities, independent perspectives, and often, the expertise of seasoned government executives who have left service. Given the sheer size and aggressive schedule of the Comprehensive National Cybersecurity Initiative combined with classified activities in the defense and intelligence communities, the government will require the expertise of consultancies to manage, implement, enhance, and operate these programs. However, the government is seeking to build a skilled cyber workforce, which will decrease its reliance on contractors.
ExecutiveBiz: What question should executives, CEO types, be asking of their CTOs or their IT departments at organizations as it relates to cyber security?
Billy O’Brien: Executives should work with their CTOs to identify and prioritize their most valuable data assets, such as proprietary or sensitive information. Subsequently, they should ask their CTOs to determine the greatest risk to these assets and evaluate whether funding and protections are proportionately allocated to mitigate their risk profile – this prioritization will lead to efficiencies and cost savings. Many executives will find that their end users present the greatest cyber risk, which can be mitigated through training and access restrictions. Lastly, executives should not allow their CTOs or CISOs to act autonomously; rather, they should remain actively engaged in cyber security decisions.