NYC CISO Geoff Brown Protects the Greatest City in the World

October 2, 2017 • Amanda McKeon

When someone mentions New York City, there are a variety of images that may come to mind. The Statue of Liberty, the Empire State Building, Times Square, or maybe Wall Street or Central Park. And, of course, 9/11. It’s no wonder the city of New York is often called “the greatest city in the world.”

Mayors of other cities may take issue with that label, but there’s no argument that New York is one of the largest, most important cities in the world, with over eight and half million people.

Geoff Brown is the chief information security officer for New York City, and he’s our special guest today. He heads up New York City Cyber Command, a new cybersecurity organization for the city of New York that works across more than 100 agencies and offices to prevent, detect, respond, and recover from cyber threats.

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and thanks for joining us for episode 26 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire. When someone mentions New York City, there are many different images that may come to mind. The Statue of Liberty, the Empire State Building, Times Square, or maybe Wall Street or Central Park. And of course, 9/11. For me, growing up when I did and being a huge David Letterman fan, when you say “New York,” I can’t help but hear this phrase in my head.

David Letterman:

From New York, the greatest city in the world.

Dave Bittner:

I’m sure there are mayors around the world who would argue with that label, but there’s no argument that New York is one of the largest, most important cities in the world, with over eight and a half million people living there. Geoff Brown is the chief information security officer for New York City and he’s our special guest today. He heads up New York City Cyber Command, a new cybersecurity organization for the city of New York that works across more than one hundred agencies and offices to prevent, detect, respond, and recover from cyber threats. Stay with us.

Geoff Brown:

About 18 months ago, I joined the New York City mission. Before that, I came from financial services, very much dedicated in threat management. In one organization, building the threat intelligence tower. In another organization, building the total threat management discipline, inclusive of intelligence, response, countermeasures … but to go further back, I began my career very much thinking about international security problems, and what can you really do about that. I’ve been involved in this space, whether from a think tank perspective, from a government perspective, and then a private sector perspective.

Dave Bittner:

Let’s start off by just going through this executive order. What prompted the creation, the execution, of this executive order from the mayor?

Geoff Brown:

The executive order signed in July is really a natural evolution in how New York City is thinking very carefully about cyber as a domain, and then very much recognizing that to execute appropriately on that mission, we have to create a center of gravity around all the things that we need to do. How do we get there? As I mentioned, I started about 18 months ago. When I began, the citywide CIO along with City Hall had decided to take a very careful approach towards cybersecurity. They had decided to — in city government — they had decided to take the function and move it into a direct report to the citywide CIO. That happens in a lot of different enterprises where, as security becomes top of mind, the executives, they start to elevate that position and the officer who’s accountable for it.

When I joined, I came in reporting to the citywide CIO, and she is the head of the department of information technology and telecommunications, which here in New York City we refer to as DoITT. That was the first step. What we needed to do was build what was already a strong IT security foundation, but to take a perspective where … we started to very much approach all of the things that City Hall cares about, and all of the things that the residents, the visitors, the businesses here in New York City care about, because they receive so many great services from the various technology deployments that we have.

What do we do? We began doing a number of assessments in different environments and starting to put together a picture of what we had, and that picture started to teach us that in order to take a new approach, in order to have a mission that really accounted for the total aggregate cyber risk, the city had to organize in the same way that it organizes against its various other critical mission sets. Whether that be how we deliver water, whether that be how we manage finances, whether that be our great police force and our great fire department, et cetera. The city decided to create an entity that would have that central center of gravity, just like it does in some of the other disciplines. That was really the driving force.

The most unique thing about it, from an organizational perspective, is it creates New York City Cyber Command reporting directly into the first deputy mayor. And the first deputy mayor you can think of as in the private sector, you can think of him as an individual whose roles and responsibility encompass CAO, COO, and beyond. This new entity, New York City Cyber Command, reports directly into City Hall but works in a collaboration with the Department of Information Technology and Telecommunications, that being DoITT and the citywide CIO, in her capacity, as the overseer of the technology strategy for the city.

Dave Bittner:

What, specifically, does the executive order empower you to do?

Geoff Brown:

The executive order signed by Mayor de Blasio in July, at a very high level, you can think about as the elevator pitch. It gives New York City Cyber Command the ability to defend the city, and what do we really think of when we think about the city? All those services and capabilities that are provided to the residents, the visitors, the businesses, that are enabled through technology. We have to defend that as a cyber organization. What else do we do? We need to guide the various agencies, keeping in mind there’s over a hundred different agencies with different services. We need to guide them as they evaluate their own cyber risk and in the end, what do we have to do? We have to advise City Hall on the aggregate of all of that activity because in the end, City Hall is the government of New York City and they are incredibly invested by public trust in the success of cyber as a mission, just like they are in so many other things that New Yorkers expect out of their government.

If you start to read through the executive order — and I invite the audience to look it up, it’s executive order number 28, signed by Mayor de Blasio in July — we are responsible for directing citywide cyber defense and incident response and mitigating cyber threats. You can think of that very much as the threat management discipline. How do you do that? You need to be able to have technology that goes out there, gives you visibility, gives you technical controls over the various systems that could be impacted in a cyber event.

What else do we do? The corresponding function is very much governance, in nature. We have to set and ensure compliance with information security policies and standards. That is really the traditional government versus compliance mission. We have to make sure that all of New York City and all of those government activities have an umbrella of cyber policy, and then each of those agencies, they may be able to because say for instance, they’re performing a critical service with a certain prescribed data set perhaps, they have the optionality to turn the dial up, so to speak, when it comes to how they want the policies to apply within their individual environments.

I would also say, within ensuring compliance and policies and standards, there’s a very important education awareness mission. Many practitioners think about the fact that there’s always humans behind the keyboards and sometimes click on things, and education awareness programs are important in the overall mission.

What else do we do? We provide guidance on the aggregate cyber risk to City Hall, and that, to a certain extent, is very important because what the executive order does, is it gives New York City Cyber Command a voice to the highest executives in the city. That also means that that capability from that centralized organization can, in times of great exigency, make sure that the needs of the cyber mission are brought to the appropriate executives who can really help the mission do something to buy down that threat.

What else do we do? We can mandate the deployment of tactical and administrative controls. Cyber is a machine-to-machine domain, and in order to be successful in that domain, you have to make sure the defenses have some uniformity. Uniformity in deployment, uniformity in strategy, uniformity in operations. And how can we make sure that there is a centralized strategy? Sometimes it does all go to how the dollars are being spent. Cyber Command can review cyber-related spending. That’s an important piece of the mission. We need to make sure that, being owners of public trust, we have to make sure that the tax dollars are being spent in the best way for the city for the total. We have that capability to review those spending requests.

And finally, we need to collaborate with our partners. As cyber practitioners, we always think about information sharing and the various information-sharing regimes. Cyber Command can represent New York City with whether it be state, federal, NGO, private sector … that whole great ecosystem that contributes to community defense.

The one last thing that is incredibly important is there is a call out within the executive order that directs New York City Cyber Command to be incredibly mindful around the unique importance of a critical services environment such as critical infrastructure, public safety, and health. When it comes down to it, there’s sometimes not a “one-size-fits-all” approach to these things, so we need to make sure that we’re being very mindful and giving a nod out to how other regimes are prioritizing those critical services that are expected by the residents, visitors, and businesses. At a very high level, the EO gives cyber the highest level of executive sponsorship and attention.

Dave Bittner:

With a city as large as New York is, you’ve got eight and a half million people in your city, and that city has a rich history, going back hundreds of years. How do you establish a baseline to figure out what exactly you have to defend?

Geoff Brown:

There’s a number of different ways of doing that. First and foremost, what we need to do is understand the missions of the various agencies. When it comes down to it, there are services via technology that are provided from city government that we have to understand. Then from there, you use various technical systems to be able to see the environment. To start to aggregate what the vulnerabilities for that landscape are and then start to build the strategy out as to whether you need to do something tactical or something strategic to close those vulnerabilities, react to threats that are ongoing within the landscape, and put together programmatic approaches to change the defenses if you need to, to meet what’s coming around the corner.

Dave Bittner:

You mentioned, at the outset, that you had come from the financial side of things. Obviously, New York has Wall Street there and that’s, I would imagine, to a lot of people around the world, that’s a big bull’s eye in terms of something that they may want to hit. It’s that old joke, “Why do you rob banks? Well, that’s where the money is.” How does having something with a global importance of Wall Street affect your approach to your overall strategies?

Geoff Brown:

When we see any of the critical environments that New York City is known for, certainly, Wall Street is one of them. There’s other things that the city is known for, whether that be in media, in arts, all kinds of different things. But when you think about that environment, I think of it in the same way that I might think about some of the utilities that aren’t necessarily directly under city government control, but are seen as critical to the success of our city. I think of Wall Street, the financial services, and other capabilities that draw people to New York City as an ecosystem of partnerships, and partnerships that thankfully through the executive order, we can reach towards from this unified entity and create information sharing, understand what are their priorities or the threats that they’re seeing, and enrich the citywide defenses via that conversation.

Dave Bittner:

Take us through that. What sort of collaborative processes do you have between the city and folks in the private sector?

Geoff Brown:

They’re pretty robust. It’s not just because of cyber, it’s because … if you think about it, there’s so many — you mentioned, hundreds of years of history here in New York City — there’s so many other domains that have had to respond to significant events, and all of us can name them as being top of mind. We have an organization, we have the emergency management, we have our police department, we have our fire department, we have our health services. We have a number of different ways where we have relationships with the private sector that are very productive, and one of things that cyber needs to do is leverage those already standing, tried and true, trusted relationships and apply them against our domain.

Dave Bittner:

When you come into work every day, what’s the process by which you set your own priorities?

Geoff Brown:

To a certain extent, there is … as the person accountable for the success of the program, what I’m trying to keep my eyes on is the “go-forward” strategy that allows us to build towards the future, recognizing the great foundation we’re building upon. To take you through that, what I become really mindful of is within New York City — and a lot of cities are like this — there is historically the technology core, and if you’re in an enterprise environment you can think of that as the things that a CIO or a CTO traditionally is the custodian of. Here in New York City, we have a great department of information technology and telecommunications held by a terrific leader, commissioner Rose. That, to a certain extent, is the foundation of the security paradigm here in the city.

But what do I oftentimes think about? I think about how the city needs to execute against a strategy that is going to take the success of the past and apply it into what is becoming incredibly interwoven, interconnected, in some senses greatly increasing the technology landscape in the future. How do we take the past, but then apply where technology is going in new ways, how do we leverage newer types of technology to make sure that we’re preparing for a city that has to be interconnected? The term is “smart city.” There would be deployments in various technologies, whether through government services or whether through manufacturers and private businesses, and even just the residents themselves. We have to provide a platform for those services to continue to be safe, and continue to be appropriately good custodians of privacy. I oftentimes think about that. Are we building towards where the city is going? Because that’s what we need to do. We’ve done such a great job with getting to where it is.

Dave Bittner:

It’s an interesting point, this notion of being reactive versus being proactive. How do you balance those two needs?

Geoff Brown:

When I think about proactive, I can think about making sure that we’re leveraging the technologies that we have and being different in how we’re thinking about it. There’s a lot of shift in how we’re applying threat intelligence in our environment. One of the shifts that we’re really thinking about here is making sure that we are challenging the paradigm of normal operations, and normal operations meaning you need to, in every step of the chain, assure that you’re building your case to make a decision. There are some new approaches that allow an incredible amount of automation, incredible amount of machine logic to make that decision very quickly, because that’s going to turn the clock back at the adversary. We’re very cognizant of that and that’s a different approach.

In fact, I often say to the team, if we’re not doing something the bad guys care about, then why are we doing it? I’ve actually charged our threat management function with taking the approach that things are guilty until proven innocent, from a machine perspective. I’m not sure if we have the time that we used to have within our industry to investigate, investigate, investigate, investigate, check, check, check, check, check, check, check, call a bunch of people, and then do something about it. In fact, technology nowadays, if you’re looking at things like anomalous behavior detection, stuff like that, gives you the capability to stem or triage the wound very, very quickly and then as many of us know, sometimes that process means that there was something, a business process that you were unaware of that calls the activity and then you have to release, so to speak, the machine but in today’s landscape unless you’re being more proactive than is traditional within enterprises then you’re not acting fast enough.

Dave Bittner:

I’m curious from your point of view, in your position, it’s common for people to think of cybersecurity as being primarily a technical domain, but by necessity, you have to have a political component to how you do things as well. I’m curious, what sort of advice do you have for people? Perhaps, in terms of … not neglecting that the ability to be diplomatic is an important part of what we do.

Geoff Brown:

Very much so. In fact, in many ways setting a tone of diplomacy is incredibly important especially when you’re dealing with … here we have different agencies, but in other environments we have different business units with a high degree of priority and a high degree of drive for their activities. The best way is going back to that technical mantra which is not necessarily saying no but saying let’s work at this. There is risk inherent in what we’re attempting to achieve and if we think more carefully, in some ways, if we take into account some of the things that are relevant from a cyber perspective, then we will not only achieve that goal, that business goal, but we will also do so in a way where we’re being mindful of the security and the privacy needs.

That is to your point, the diplomatic approach, and I see that as being very successful in this environment because the other approach, unfortunately, fractures relationships and in technology sometimes if a relationship is fractured, it means people will go their own way without the guidance that’s important from a cyber perspective.

Dave Bittner:

Describe to us, how do you get people onboard? What is your approach to getting people to support the things that you do? Because I can imagine there might be resistance from people who say, “Hey, we’re doing our job, we’re doing this way, this is the way we’ve always done it and please go away and leave us alone.”

Geoff Brown:

Hopefully I don’t encounter too many of those conversations.

Dave Bittner:

Right.

Geoff Brown:

When you have over a hundred different agencies with different objectives, we just have to be mindful that the residents expect public safety and security to be top of mind. That is something that we carry with us in many of the conversations, and I would say to a certain extent, we are having terrific conversations with our partners here in the city, and that’s likely because we’re taking a very logical approach. At times, it takes a while and a couple meetings to be able to convince others about the power of your logic, but I would much rather do that than to convince individuals or organizations via the pounding of my fist. It’s that old thing, power of logic over pounding of fists.

Dave Bittner:

You spoke about the importance of physical safety. Again, the scale of New York City and also the history of New York City, we see documentaries about the layers and layers of telecommunication systems and so forth that run underneath of that city. Can you take us through the integration of the physical security and cybersecurity?

Geoff Brown:

Because of what we’re seeing globally in the general threat landscape, we cannot ignore that via cyber, there can be highly physical real-life impacts. That’s recognized. The best way that we’re approaching that is not only by making sure we’re being good custodians of our responsibility to defend the machines, but by building the relationships with the great New York organizations agencies that have prosecuted the physical mission for many, many years in great ways. We have world-class police and law enforcement agencies, world-class fire and emergency services.

To a certain extent, that is very much the relationships that we’re building, and I would also add to that … maybe something that’s not directly related to the question, but is really important to note, we are a city that is being incredibly embracing of our interconnected future, we have a great desire to be the type of place where companies who want to innovate and how they’re connecting to the physicality of our city from a technology perspective … companies can grow here. Manufacturers who are doing great things in the IoT space need a place to apply those technologies, and New York City wants to be that place. We want to make sure that those capabilities are being fielded by the residents that expect them.

But we need to be incredibly careful in sense that, of course, that interconnected future comes with a need for security and privacy, and so we’re very active in those conversations, hip to hip with the individuals and executives in the city who are working on that strategy. That’s very encouraging because without having security be top of mind and how those technologies and devices interact physically with the city landscape, then we’re certainly missing the opportunity to do the best thing for our city.

Dave Bittner:

So, this is the Recorded Future podcast and we talk about threat intelligence. Can you just take us through what is the role of threat intelligence in your day-to-day operations?

Geoff Brown:

Sure. To a certain extent, the role of threat intelligence in our day to day operations is, for all of us, changing. Here in New York City, there’s a number of different ways we’re thinking about it. Of course, there is the requirements-driven process, the tried and true process of any intelligence practitioner. What are those things that we need to do to provide decision support to the deciders? I’ve heard it said, and I’m not the one that came up with this, but I certainly believe that intelligence is the art of mitigating the impact of surprise. How do we keep an awareness of what’s going on so that we can prepare for that eventuality of, in some way, shape, or form, being surprised?

At a high level, we think about that. More tactically consuming, more technical intelligence at machine-to-machine speed is the right way to go, and then being able to develop decision support materials that allow different agencies, different executives, and certainly, City Hall, to understand the risk presented by cyber as a domain. The things that are happening internationally that may in fact prioritize some of our initiatives. That is the other thing that we’re doing with threat intelligence, and via the support of some great third-party partners, we have a very active ecosystem, as all of us listening to this podcast know, we’ve got great partners in the threat intelligence space and so we’re actively, actively leveraging those insights.

And the great thing about New York City, I would say, and the great thing about this mission, is a lot of people recognize that it is one of the best missions in our space. If you think about it, practitioners oftentimes don’t get the opportunity to interact with different technology systems that are servicing all kinds of different things. Everything from a utility like our great department of environmental protection that does delivery of our water and wastewater filtration. So, it’s a water system. That’s a great thing, but our practitioners who joined this mission get the opportunity to also work with the department of finance, the dollars and cents of the ecosystem of New York City. Then they get to work with fire environment, they get to work with the police environment, they get to work with health data, they get to work with IoT and smart city workflows. It’s an incredibly diverse mission, and underpinning that is the importance of doing these things in a way that helps secure what we think of us, and what I think of us, as the greatest city in the world.

Dave Bittner:

For folks who are trying to stand up organizations similar to yours in smaller cities — and here in the United States, they’re all smaller cities than New York City — what’s your advice to them? What do you think is the best way to approach something like this, to get your arms around an endeavor this large?

Geoff Brown:

There’s a lot of different frameworks within our community that can be used as reference points. There’s a lot of cities and municipalities doing great work in this space. But to give some thought process on how we’ve approached that mission, I would say to a certain extent, it is a technological mission. Understanding what that landscape looks like to begin with is very important. But to a certain extent, also understanding what the intent of the executive who runs that enterprise … what is that executive’s intent? Making sure that cyber is prioritized is another big piece of the puzzle, and that exists in private enterprise just like it does in the pursuit of public goals.

What I would say to them is, here in New York City, what we’re thinking about is making sure that we can provide, in a unified, centralized way, those things you expect, perhaps out of an MSSP partner. How do you do threat management? How do you do governance? How do you have a guiding end in risk management? How do you have a guiding hand in engineering architecture? Those things are really important. And I would also say, building the right team is absolutely essential to the success. I would say, no matter what city, no matter what state you come from, there’s very few missions that are as exciting as taking this civil servant mission. You can do this in many different capacities, and there’s great teams out there, but to a certain extent, doing this with the public trust at least gets me out of bed. When you talk in your recruiting efforts, when you talk to people to bring them into the mission, that oftentimes is a winner.

The one item that I think is exceptionally interesting, too, is we are New York City. What New York City does in cyber — we are very aware — has a certain weight, and as we consolidate this mission, as we really take a very considerate approach on what’s happening nationally and internationally in this domain, there may be some perspectives that we take in the defense of our residents, in the defense of our businesses, in the defense of our visitors that will be very unique, but we are New York City and we take a lot of pride in that. And we should take a lot of pride in that because we oftentimes lead the way, and what I expect out of the city is to take the same approach in this domain. That’s a different thing, that’s exciting.

Dave Bittner:

Our thanks to Geoff Brown for joining us. Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner. Thanks for listening.

Related Posts

Exploring the Future of Security Intelligence at RFUN: Predict 2019

Exploring the Future of Security Intelligence at RFUN: Predict 2019

December 5, 2019 • The Recorded Future Team

Just about a month ago on October 29 to 31, more than 600 Recorded Future partners, clients, and...

Threat Hunting, Mentoring, and Having a Presence

Threat Hunting, Mentoring, and Having a Presence

December 2, 2019 • Monica Todros

Our guest today is O’Shea Bowens He’s CEO of Null Hat Security and a SOC manager for Toast, a...

From Infamous Myspace Wormer to Open Source Advocate

From Infamous Myspace Wormer to Open Source Advocate

November 25, 2019 • Monica Todros

If you are of a certain age — an age where you may have spent a good bit of your time online...