Mayor Pete Buttigieg’s former CISO and Splunk security advisor Mick Baccio explains the cybersecurity best practices he learned from protecting a presidential candidate’s campaign.
Dan Patterson, a senior producer for CNET and CBS News, spoke with Mick Baccio, former CISO of the Pete Buttigieg campaign, and now a security advisor for Splunk, about keeping a campaign safe from cyberattacks. The following is an edited transcript of their conversation.
Mick Baccio: I was the CISO for Pete Buttigieg, “Mayor Pete” out of South Bend, IN, when he was running for president. I was the first CISO on any presidential campaign. It was basically putting a security program, security culture, security awareness into a place where it had never been. It never existed. It’s akin to if you are a small business startup, something like that, you’re doing the same thing. And with a campaign, it’s super weird and unique, just because the way campaigns are funded. It’s unlike any environment I had been in. The budgeting is essentially month-to-month rather than quarter-to-quarter, a year-to-year, or something like that.
SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
[I was] putting all the nuts and bolts of a building blocks security program, putting that in and making the trains go, and then creating an awareness program to make people buy on a security like you would anywhere else. I think when you look at security, cybersecurity, whether you’re a SMB or whether you’re a startup, somewhere in the middle, I think the building blocks of security, putting those in place are the same, no matter where you work, no matter what environment you’re in. You’re building a security program, whether it’s your incident response life cycle, your remediation life cycle, all these different things that you put into consideration, and you build that program out, kind of custom to your environment.
I think a campaign and a small- to medium-sized business, or a startup, something like that, they are very, very similar, to a point. And then like any security program, you tailor it specifically to your vertical. On a political campaign, there are just some unique things that you have to look out there. But underneath all of it, the building blocks should be the same. I think having a good team, good program to try and get ahead of some of the new threats that are out there. And ransomware has been around for a while. Emerging threats are coming around. Recently, you saw the Drovorub, the Linux rootkit that was attributed to the GRU. That maybe affected a dozen people, but at the same time, Linux rootkits are still a very, very common vector for cyber attacks. Those building blocks that you have in place, those basics help you with those emerging threats.
I think it’s important to know if you’re figuring out what to do, what you can control and what you can’t control. As the CISO of a political campaign, I do the cyber bit of it. The disinformation, the discourse manipulation, whatever you want to call it, that’s not my wheelhouse, there’s nothing I could do about that. But I think it’s super important that it supplies into any environment, startups, small and medium business, is that having those contacts, having those partnerships with people that are responsible for them and get ahead of those emerging threats as best you can. I think people want it to be spy stuff all the time. They want it to be APT [advanced persistent threats], whatever you want to call it. But honestly, I think when you look at just business email compromise, generic ransomware, just crime is the biggest thing more than any nation-state activity.
SEE: Identity theft protection policy (TechRepublic Premium)
I think that is the biggest threat when you look at any environment. Just generic crimeware business email is compromised, things like that, I think that’s the biggest threat that people still have. When I meet someone new coming into the industry, or I have meetings with CISOs and, “Hey, this is my experience, what I’ve done,” I think the advice I try and give them is to have that solid foundation of your security program. I think doing the basics right helps you get to the next level. And all you’re doing as a CISO, all you’re doing at any security program is you’re constantly raising the bar. You want your program to get better, so you’re 100% defended, 100% of the time. And it’s rare. You might never get there, but I think the journey along the way is the important thing. I think communication is one of the big things that I try and champion, being able to explain the cyber zeros and ones that no one really gets into a nontechnical audience and make them understand, get them to understand that and buy into it. I think your communication takes you farther along.