Good Leadership Results in Better Security Practices: James Comey’s Keynote Address to OpenText Enfuse 2018

“I made a mistake.” That’s how former FBI Director James Comey introduced himself to the audience attending the OpenText Enfuse 2018 conference in Las Vegas.

I heard the murmurs around me, “Was this about the emails?”


Comey smiled. “I screwed up the way I entered the conversation about encryption,” he said. He was angry that, in the post-Snowden world, it was more difficult to collect data about terrorist activities and Google and Apple wanted to make it even tougher with new encryption software to improve user privacy—which meant keeping government eyes from prying into citizens’ smartphone data. In a roundtable on the topic, Comey openly complained about what the tech companies were doing, making his opinions known. It was a dumb move, he said, because we need to have an open conversation about data security, with thoughts and ideas flowing in multiple directions. As FBI director, he had the opportunity to lead that discussion, and instead, he shut it down before it could really begin.


The Need for Good Leadership

The Enfuse conference targets professionals who work in forensics, e-discovery and cybersecurity. In the audience were members of law enforcement, lawyers, forensic experts and those who either design or deploy security tools. These are the folks at the front line of protecting all of us, both physically and in cyberspace. Good leadership is vital to make these operations work efficiently and effectively. That was the thrust of Comey’s talk. Keeping people safe begins with good leadership.

He stressed two points required for every leader. First, people need to be confident enough to be humble. Second, leaders need to shut up and listen.

“It’s hard to take risks as a leader,” he said. “You have to be comfortable being wrong and willing to fix things.”

It also means making hard choices, sometimes. Comey said he will metaphorically float above and separate himself from the group in the room, detach himself as best he can from a situation, trying to look at it with an outsider’s perspective. His decisions may not always be popular, but he believes he made them fairly.

Seduction of Certainty

So, how do his thoughts about leadership connect with cybersecurity?

Comey discussed a phrase he used in his book, “Seduction of Certainty.” It feels great to be right, he said, but as a leader that is dangerous. Always feeling that you are right and never doubting your infallibility can lead to disaster.

We see that a lot in cybersecurity. Too often, corporate leadership is convinced a security incident will not happen in their company (especially a problem with smaller businesses), and, therefore, they balk at taking the steps necessary to implement good security practices. Or they may not see the need for mitigation tools because they already have threat monitoring tools and assume the network is safe. Corporate leaders don’t always listen to the warnings. They don’t see the need to spend the money on security systems. They fall into this seduction of certainty that they are right because they are in charge.

Security versus Security

I, personally, wanted to know more about Comey’s thoughts about encryption, and he did circle back around to the topic. He believes we need to look at encryption not as security versus privacy, like the tech companies did, but as security versus security. Data isn’t equal. Neither is security. We have to think and care about security on different levels, based on what we are protecting and how we use that information.

We need to remember, he pointed out, that there are large swathes of data not answerable to the government or covered by the Fourth Amendment. In the attempt to protect data from government entities, tech companies forget (or ignore) the vast amount of information that is available to and shared by private industry. Who is protecting us from this data sharing?

Comey worries that with this emphasis on an encryption wall, what we are doing is creating a barrier that can’t be accessed in order to protect the wider good.

“Security is moving so fast,” Comey said, and a lot of the data created, our digital selves, is available without a warrant because we are sharing it willingly. It isn’t privacy that we should be worrying about as much as the way we approach security for the data we want kept confidential and the data we willingly share.

Has Comey evolved since his initial mistake? I think so. He is clearly listening now.

Sue Poremba


Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
