In October 2017, One World Identity, an independent strategy and research company focused on identity, named Joe Stuntz, as Vice President of Cybersecurity. Stuntz was recently served the Director of Program Performance for the White House Office of Management and Budget (OMB) Cyber and National Security unit.
During his time at the White House, Stuntz helped develop the following cybersecurity initiatives: Executive Order 13800, The Cybersecurity National Action Plan (CNAP) and The Cybersecurity Strategy and Implementation Plan (CSIP). To find out what these initiatives were about, the on going threat of cyberattacks and the focus of One World Identity, we spoke with the technology expert.
Digital Journal How big is the cybersecurity risk facing developed economies?
Joe Stuntz: Because developed economies have connected more of their infrastructure and systems to the Internet, they are at a large risk of attack. In many cases what allows the economies to make progress and grow through the use of new technology and people connecting is also increasing their risk. Because connectedness is only going to increase with the introduction and adoption of smart devices known as the Internet of things, the risk will also increase.
DJ: Which types of risks do you think are the most significant?
Stuntz: Outside of the very very unlikely catastrophic cyber attack that has physical impacts and causes loss of life, the risks I worry about are to the financial sector. If trust, confidence, and safety in the markets disappear, an economy could collapse and because of the interconnectedness of economies today it would be a global crisis. Also it is important to think about the definition of cybersecurity risk and think beyond the typical image of a hacker in a hoodie in a dark basement with a glowing keyboard.
This risk includes lots of data stewardship issues where companies or countries use data to target fraud or misinformation. The advances in technology have made new types of commerce possible, but are also being used to create instability. Cyber hygiene is still critical and the fundamentals still address many of the common issues, but it should be part of a larger trust and safety strategy around managing data.
DJ: Are these risks greater from different countries?
Stuntz: Each country has a different level of maturity in terms of cybersecurity, and a different number and type of threats. As mentioned above, some countries are not as technologically advanced which may be limiting their economy, but also reduces their cyber risk.
Cyber attacks can also come as a reaction to international relations, political positions, or non-cyber attacks or sanctions. The focus should be for countries to understand the broader context and see cyber as a tool that a country or actor can use to accomplish broader goals.
DJ: How aware do you think government, businesses and the public at large are about cybersecurity risks?
Stuntz: I believe the awareness has increased a lot in the past few years, but it was starting at a very low point. Government has been more aware of than business or the public because they have a responsibility to protect the data that is provided to them and because agencies like DoD, DHS, and others have security in their mission. Unfortunately this awareness has not always translated to better security, but things are improving.
Also government is demonstrating this awareness by drafting policies and regulations like GDPR in the EU that will force increased awareness and action by business and consumers. In addition to regulatory drivers, businesses have become more aware due to large public corporate breaches and a desire to not be next. In many cases, it is seen as something to add in or be compliant with and unlike government, the private sector has traditionally not perceived cybersecurity and effective data management to be a core business mandate.
That’s slowly changing as high profile data breaches have led to huge costs both in terms of balance sheets and consumer trust. Finally, the public is more aware as frustration about passwords and personal information breaches are common, but because it hasn’t impacted actions day to day, awareness is not at the level of government or business.
DJ: Please can you explain the different cybersecurity initiatives you instigated during your time at the White House?
Stuntz: The initiatives I was involved with built on the success of the previous efforts. Soon after I started, the OPM breach led to the creation and execution of the cyber sprint. This was a tactical, time boxed effort that focused very narrowly to try and address critical issues. After the sprint, the Cybersecurity Strategy and Implementation Plan (CSIP) was developed that built on the good work of the sprint by expanding the scope and giving a more long term view but focused only on government information.
The Cybersecurity National Action Plan expanded the scope beyond government and looked at not just what can be done today but what could we start doing now to get ahead. Finally EO 13800 and the work required by it continues addressing cybersecurity in both the public and private sectors and gives cybersecurity the authority and importance of an Executive Order.
DJ: How did you evaluate the success of these initiatives?
Stuntz: The evaluation of cybersecurity is a constant challenge as you cannot prove or measure a negative. Did someone not get hacked because their defenses are great or because nobody attacked them? If a tool blocked 1,000 attacks, did it block 1,000 out of 1,001 or out of 1,000,000? So to evaluate these initiatives, the performance management team across government tried to focus on metrics that we could drive outcomes with and were not only compliance and number focused, like usage of something instead of possession of something.
Compliance is and probably always will be part of security, but if you are measuring and driving the right outcomes compliance is usually a side effect. Going forward, metrics have to continue to move towards automation of evaluation. Previously agency performance was updated quarterly as any more frequently becomes a resource burden, but quarterly isn’t good enough for the speed of technology and change today.
DJ: What else should those running the current Administration do in relation to cybersecurity?
Stuntz: I believe they are moving in the right direction in focusing on defending the government as an enterprise. Anything the Administration can do to share, reuse, and consolidate will save resources, reduce the risk surface, and improve security. For example, the workforce model could change to have all cyber talent come from one agency and then get rotated across agencies to address some of the serious hiring challenges.
Agencies will always have different resources, missions, and expertise and anything that can be done to centralize and standardize capabilities will make improve security.
DJ: What does your current role One World Identity involve and what spurred your decision to join this company?
Stuntz: My current role at One World Identity involves playing the role of advisor and accelerator. As an advisor I focus on organizations that need to think about security through their business processes. Many organizations have tried to stay up to date with technology, but have not changed their business processes to be able to best leverage the new technology.
Also I am passionate about the translation of the value of security and identity to leadership of organizations. Leaders in most cases are not experts in cybersecurity or identity, and they don’t need to be if the technical information is translated into business risks and opportunities so that leaders can make a decision and move forward.
Finally, my role as an accelerator is very energizing as OWI interacts with many innovative companies that are trying to solve hard problems and being able to work with those organizations to push the boundaries forward is exciting.
I made the move to OWI because of the importance of identity and the quality of the people. We believe that identity has the power to enable accessibility and security regardless of sector and I wanted to focus even more on this. In terms of the team, I have known some of them almost ten years and their experience and expertise will challenge me.
I had the privilege of working with some of the most intelligent, hardworking, public servants in government while at OMB and I get to now combine my positive experience in government with people from some of the most innovative technology and financial firms.
DJ: Which types of clients do you work with at OWI?
Stuntz: Identity and security are central to business processes and transactions across government and in all industries, but we currently focus on financial services.
Because of the potential impact to businesses as well as the regulatory environment, we see financial services as a staging area for solving hard problems that will then drive change everywhere else. Once someone has been empowered to act within the global economy we can effectively solve many non-financial services identity problems.
DJ: What can developers of applications do to enhance cybersecurity?
Stuntz: Developers of applications should sit in the same room as the security team. It is easy to tell a developer to build in security, but they are incentivized to focus on features and speed as these drive revenue, not security. But if they are working closely with the security team they can work together in a more collaborative way.
The security team can understand the drivers for the developers, and the developers can learn what the security team looks for and can start to see the security team as a way to put out a better product versus people who slow things down and don’t allow innovation.
DJ: How about the typical business. Is there anything they can do to enhance protection?
Stuntz: There are many things the typical business can do. I think that if the typical business focused on a few of
the fundamentals they would be significantly better off. First, multi-factor authentication. Regardless of which study you prefer, they all say that passwords are still one of the biggest problems and with the introduction of new authenticator apps, hardware usb tokens like Yubikeys, and other technologies there are more user friendly multi-factor options than ever before.
Second, vulnerability management. Addressing known vulnerabilities in a timely fashion through patching or other mitigations is not fancy and takes consistent effort, but makes a real difference. Thirs, outsource often. A typical business today can almost outsource all of the basic infrastructure and technology and focus on their core competency. Whether it is storage or email and productivity applications, if you are dealing with office technology you can likely outsource it.
One World Identity seeks to “enable change in the identity industry by facilitating shared language, promote cross-sector collaboration, and connect the next wave of innovators to experts and resources that allow them to build the next breakthrough in the industry.”
