NYC Cyber Chief on Defending During a Pandemic: “This Isn’t a Marathon, It’s a Triathlon”
When Geoff Brown was hired to serve as New York City’s chief information security officer in 2016, he had a lot of work ahead of him: Over the next few years, he would be tapped to lead the city’s new Cyber Command agency and spearhead a number of projects aimed at keeping both government offices and everyday New Yorkers safe. What he didn’t plan for was a global pandemic that would fundamentally shift the way New York operated. But Brown, who directs the city’s response to cybersecurity incidents and advises more than 100 agencies on digital security posture, said NYC Cyber Command had taken steps that would help it adapt during such a crisis.
On a recent Friday afternoon, I caught up with him via Google Hangouts to discuss what the last few months have been like for his organization — which has grown to more than 150 employees — and how he’s preparing for the next stages of the pandemic as businesses and schools reopen. The conversation below has been lightly edited for length and clarity.
The Record: What was it like when you learned city employees would need to start working from home and that you would have to secure a totally different type of environment?
Geoff Brown: The exact date was March 13 — it was a Friday, as 13ths tend to be sometimes. Our organization, NYC Cyber Command, had just recently moved into a new office space, which would allow for the growth and expansion of the team. We were about five days into our brand new office, and the city government issued a temporary policy around 3 o’clock that Friday afternoon that would allow for a remote work posture. A few hours later, after working with members of our executive and leadership team, I was able to issue our own policy that said everyone is now going to pivot to remote work. We issued that policy around 7pm and the mayor was giving a press conference that evening, so I stayed in my office until around 9pm that Friday.
If you go backwards in time, there are a couple points that are important to focus on leading up to that Friday. A few weeks prior, members of NYC Cyber Command started working with members of NYC Emergency Management to build a playbook for a remote work posture. It put me in a position to tell NYC Cyber Command that everyone’s going remote. But if you rewind it further, it gets more interesting. If you go back three or four years, within the city’s technology department a plan was hatched that created NYC Cyber Command that adhered to three tenets: visibility, actionability, and speed across New York City’s compute base. If you fast forward to present day, we took 80,000 endpoints that were under coverage and took that up to around 750,000 endpoints and unified it under the threat management umbrella. We’ve also built telemetry pipelines and systems to get a better idea of what’s happening on our devices and networks. Like many large enterprises, it doesn’t mean we’re perfect or see everything, but we made substantive progress leading up to March 13.
Another tenet that was really important to this effort was the concept of defending the defenders. We wanted to make sure the cybersecurity defenders in all the agencies, offices, and departments across the city would be able to prosecute their mission of providing critical services no matter what the impact was across the landscape. We wanted to be able to defend those assets and eject adversaries if we needed to from city networks. To do that, we proposed building our own environment — we partnered with Google as a cloud provider, and we built our own data pipeline, our own data environment, our own business suite with the strongest identity and access controls available, and we built a zero-trust network to perform our mission out of.
Another essential tenet was organizing. We needed to have our own processes, and when an executive order was signed by Mayor de Blasio that created a unique reporting line directly to the deputy mayor, it enabled us to issue policies that would have more of a citywide impact. Those three things were innovative, and allowed us on March 13 to make an independent decision to go remote. People picked up their laptops, used FIDO Alliance cryptographically secure keys to enter into our environment. Whenever I look back on this experience, I’m going to count it as one of the proudest moments that I had leading the organization. I was able to say to my teammates that we are going to be safer in this health crisis because of these decisions.
What’s really interesting is that we didn’t think about a pandemic when coming up with those central tenets. Not once when we were talking about the need to be cloud friendly, the need to build our own environment, do I recall us talking about a health crisis. We talked about a bunch of things that would affect the resiliency of the organization, and that led to the capability to keep our people safe.
TR: What were the unique cybersecurity challenges of dealing with a pandemic?
GB: In the COVID-19 threat landscape, there was and remains a significant concern around cybersecurity events that have an operational impact to an agency or organization that is either conducting a life-saving health service mission or supporting that mission. A lot of the industry, if you go back to the beginning of the pandemic, was thinking two things. First, if you’re an enterprise that needs to enable your remote workforce, how do you do that securely? And two, if you’re in an organization that is involved in health services and life safety response, or is in support of those critical missions in the pandemic, heaven forbid you have an operationally impactful malware event like ransomware. Thankfully, because we had done the work to create levels of confidence in that endpoint defense strategy, we had confidence that if disruptive malware landed on a computer at a department, office, or agency, it wouldn’t spread when it would try to detonate. It would be blocked, as long as the computer had our controls. We had higher confidence those agencies would be better defended than they were three years ago.
TR: How have things unfolded since the shift to remote work, and what’s ahead for cybersecurity professionals as businesses and schools start adopting a hybrid approach?
GB: The week after March 13, I spoke to the executive team and did a short livestream for an all-hands meeting, and people were asking: Geoff, how are you thinking about all this? My response was that my priority would be people. When it comes to certain types of crises, people like to use the analogy: It’s not a sprint, it’s a marathon. The gambit I set was this isn’t a marathon, it’s a triathlon. What I knew at the time was that we were just getting in the water, but it wasn’t only going to be a swim. And when you get in the water during a triathlon, it gets pretty combative — people pull at your heels, you’ll probably swallow some water, but you’ll plane out, turn at the buoy, and head back to the beach. The thing we need to think about is that at some point we’re going to get off the beach, and like any other technical environment, like any other service provider, like any other organization, we’re going to have to completely shed the fact that we were just swimming, get on a totally different piece of gear, and start pedaling using totally different muscles.
I very much anticipated that in order to sustain our pace, we were going to have to forecast in our minds different shifts. And further out there, we’re going to have to get off the bike, take off the helmet, and start running. I wanted to get everyone into the mindset that we had trained, that we made the right type of gear selections, and we would be able to shift because we had a critical mission for the city. That says a little bit about where I think things are now and where I think things need to go.
We have to be ready to embrace the innovative aspects of what’s ahead. One of the exciting things for us as cybersecurity professionals is that CISOs used to think about all the things you would do to protect people in the physical space and apply it to the digital space, because people are more and more living their lives online. Now I think it’s equally important to help decision makers take the lessons of the digital space and apply them to the physical space in ways that respect our values. There are all different types of approaches to get people back together in restaurants, workplaces, etc., but those places might not fit the values of our country or our city.
If you thought it was highly likely that no one at a restaurant is exhibiting symptoms of COVID-19, would you go? Probably yes. But how do you give that confidence in ways that are respectful of values like privacy? For cybersecurity leaders to say we have concepts from something like the identity and access management space that we would like to apply to allow society to come back together again — that’s a really exciting motivator. We’re doing remote work, so we have to keep that safe, but also how do we help us be not remote anymore.
TR: I’m going to go out on a limb and say it sounds like you’re a triathlete?
GB: I was a very long time ago. But it’s a good analogy.
TR: Municipalities and businesses can have very different cybersecurity strategies — what lessons can they learn from each other?
GB: Cities like New York, Los Angeles, San Diego — we don’t have to approach this problem the way that JPMorgan Chase and Citigroup and Bank of America approach this problem. The financial sector has all kinds of great information sharing systems, but they are regulated competitors. We can take it a step further because we’re cities. And if we could start coming up with the technical and policy solutions to allow for greater cybersecurity unification, we could really be onto something. But we can only really do that if we take an ethics-based approach that respects the value of the people we serve. Especially for municipalities that are under-resourced, there’s a huge opportunity to do community defense in this industry in the municipal space.
TR: Are there any community defense projects under development?
GB: I think it’s a dawning moment, and I think the conversations were getting more active before the pandemic and they’re probably more important because of the expanding remote work force and the expanding threat landscape. I’m thankful and grateful for our great partners in the cybersecurity space, like the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the FBI here in New York City, and standard setting bodies like the National Institute of Standards and Technology. But municipalities have a long way to go to think like a community and lock arms with each other and states. You might be seeing some of that with CISA on the election front, but we have a ways to go.
That’s why one of the things we try to do is be open about the partnerships that have been really powerful for us. We try to go out there — I’ve spoken at Recorded Future events and other events to say this is how New York City is approaching the problem and encourage other municipalities to talk to us and teach us, because we have a lot to learn. It’s all about getting the message out. That’s one of the reasons why when I have the opportunity to have a conversation like the one we’re having right now, I try to take it. Maybe it will influence readers and maybe someone will reply back and say I have an idea for you.