Jeff Greene (Former CISA) on Zero Trust, EO 14028, and What’s Next in Cybersecurity
Delinea's Ginelle Osworth sits down with Jeff Greene — former CISA cybersecurity division leader and White House NSC alumnus — for a candid conversation on where federal security programs are succeeding, where they're struggling, and what to prioritize right now.
Agencies today are still working diligently to fulfill that mandate, that executive order. And some of them now are continuing to kind of pause. I'll say hit the pause button. As it relates to the cyber strategies, both across all the administrations that you've been exposed to, I think one of the challenges that both government and industry is having is how, with the heightened awareness of where we are in the world today, agencies and industries work collaboratively to continue to execute that zero trust strategy — and how do you feel like it should be tweaked or changed to make sure that we continue to keep the mission and cybersecurity at the forefront?
I mean if you rewind to what was in 14028, one of the things that I do feel a decent sense of ownership of was making sure we had a ZTA focus in it that led to the OMB work. But that came out of my time at NIST. I was at the National Cyber Center of Excellence. And one of the projects that I was most involved with in my time there was Zero Trust Architecture. We started developing that project, incredible interest from the private sector. Where I worked at NIST, we brought together the private sector, government, academia to develop this is how you actually can do something that will improve your security. So I brought that mindset into 14028. The OMB carried forward. So when I was at NIST, I was a career employee — Trump won.
It was during Biden, I was a career employee at the White House and we were working on ZTA as part of 14028. I don't think it should change at all today. This is not a partisan issue. I think the White House strategy they put out doesn't have anything specific addressing it. It's a good statement of intent and policy. Let's see what they do when it comes to implementation. I have a hard time imagining the world where they're gonna back off any of the ZTA requirements that the career experts have developed over the past four, five, six, seven years. So if I'm sitting in the agency's shoes, I'm looking at what's out there now and wanting to drive forward from that point. I don't think you're gonna get punished for pursuing what is a fairly straightforward approach to the type of security you should be putting in place now.
Now, in the federal space, where we're experiencing here at Delinea right now, is within the ICAM space. We're noticing that customers, to some degree, or agencies to some degree, are hitting, again, the pause button, and they're reevaluating. They're reevaluating their entire security posture. They're looking at tools that they have in place, and a lot of that, I think, is government — I'll call it — influenced right now on products that they're choosing or not choosing in some cases.
Do you, in your opinion, when you look at this — so if they're looking at tool sets and they have that opportunity to pick different teams and move forward with an ICAM, I'll call it a strategy, that clearly involves zero trust — you said something earlier that was very meaningful, which was just get started, right? Make that decision and make an investment. I don't care where it is, right? Just make the investment. Those were my words, not yours by the way. But just so that I heard that correctly — what advice or guidance would you give to those agencies that either A) haven't started, or B) have put the pause button on? Where would you encourage them to go forward with?
I think it is very understandable, given the past 18 months we've been through of turmoil, turnover, for agencies to pull back — funding issues, not knowing the certainty of it, whether they have the legal, physical, human power capacity to move forward. The longer you wait to implement, the more your debt is going to grow, the harder it's going to be in terms of potential compromise.
There are a lot of things running through my brain that I saw when I was at CISA, the worries that we had about what could happen in agencies. What you mentioned about my comment when we were talking earlier — this has been part of my stump speech going back over almost 14 years. I used to get a lot of questions: well, I don't know what to do first. And my answer quickly became: anything, even if you take a step in the wrong direction, overcoming that inertia is often the hardest part, and you can quickly readjust if you need to, but you gotta get going. So the agencies that have paused — unless there's somehow a legal bar that they can't go forward — get moving again. Reassess what you were doing then, but the adversaries are not waiting for us to sort out our difficulty with contracting and everything else right now. So it is important that we not sit back, to the extent we can, move forward. For agencies that haven't started, you need to start exploring what is in the art of the possible. I think there's good OMB guidance out there.
There's still White House guidance from when I was there. And NIST is always a great resource to take a look at what they're doing. They can get support. The hardest thing right now is personnel — how much staff do you have left? And that's where I think I suspect you might be running into a lot of issues at agencies where you have four people doing what eight people used to do.
Yeah, absolutely. The other thing we're running — so I want to touch on two points that you just made. NIST NCCoE — I know Delinea is an active participant in that program as well and provides some feedback there, which is fun and interesting, clearly on the technical side. Is that an area where we — well, industry — should kind of help out? NIST in that NCCoE arena, or are there other places that we should be looking?
So in the policy development phase, there are others — maybe not so much — but in the "this is how we secure stuff" part of the world, the NCCoE is an excellent environment for coming up with real practical solutions. What we try to do — and say "we," it's been a few years since I was there — is you come up with a project for which we think there's an actual solution today. Gather private sector to help come up with a plan to do it, and actually go into a physical lab in the NCCoE building in Gaithersburg, Maryland, and build that solution. You see how it works. We publish a guideline that says: this is what we've done and this is what we found. There are multiple vendors involved, so it is traditionally vendor-agnostic but actually uses real products. So if you want a roadmap of what to do as a consumer out there trying to secure your networks — take the ZTA, for example — you can see what to do. There are all sorts of different projects, but NCCoE works best when you get private sector involved. It is built to be — and I want to use this "pointy edge" of this — the very most forward-leaning part of NIST to engage with private sector to build actual security improvements. And I think it's a good way for industry to understand the challenges that government faces as well, because it's a collaboration of both groups.
That's great. I'm very interested in NIST and the work that they do and how to leverage that, quite honestly, here at Delinea. And I think we're doing it — we definitely need to improve upon that.
Next question I have for you: around AI and non-human and human identities. We also talked about that. As far as zero trust and Executive Order 14028 — how do you see emerging technology fitting in? Speaking of AI and, like, crypto — quantum crypto, cryptography, am I saying that right? How do you see that playing a role in Zero Trust and the executive order?
It all works — post-quantum cryptography, PQC. If you talk about AI agents or service accounts or whatever the non-human — from my perspective, and from the pros I've talked to — how are you controlling your access? It doesn't matter whether that identity has a pulse or is virtual or agentic. You need to understand what it can access, when, and why, and you may put different controls around it. But you need to be careful not to step back and assume that because it is an automated identity, you can somehow give it more freedom without observation. So my instinct is you treat it pretty similar from the baseline and then figure out what exceptions you're going to apply to it.
PQC, post-quantum cryptography, from a zero trust standpoint — if you're not thinking about that as you're thinking about your overall security deployment, you may wake up with a big surprise one day if we get to that day when there is a functional quantum computer that will immediately break all the cryptography out there. Thankfully, it's not something that's going to be at every street corner — it's going to be limited who can do it initially. But the transition period to post-quantum cryptography, the transition period for new cryptographic algorithms — another project I worked on at the NCCoE was on this issue — was how do you transition. We used to say about 10 to 15 years to fully deploy. So if you're not doing that now, you're not preparing for a future that we are pretty certain is coming. And irrespective of whether it is "Q-Day," we will need to be upgrading our crypto as we go forward.
Again, if you want to look at the NCCoE, they put out a guide saying this is what organizations should be doing now to get ready for that transition. And there's a lot of other work ongoing. I personally — when ChatGPT, when AI blew up in the fall of '22, I think — I thought we were just getting to critical mass on focusing on PQC, and I worry we've lost the focus on that.
How so? What should we be focusing on?
We should — as governments, corporations, non-profits, whatever — be figuring out: are we preparing to deploy these algorithms that are quantum-synced? NIST has published algorithms that are quantum-resistant. They're out there, they're approved. How to deploy them is, in a lot of ways, much harder than developing them. So we should be focusing resources on doing that.
And that same thing, when you look at manufacturers such as Delinea or anybody else out there — what is the piece of advice, where would you say, what would you tell them to look for and/or give them guidance on, for the future of what they should be looking towards in their product portfolio to make technology that's more mission-centric or focused?
The starting point for all of this, in my view, is secure development. We are solving, through cybersecurity tools, problems that are created by really poor technology from some of our biggest companies in the world. And if we don't shift our building of technology, we are perpetuating a problem, and we're always going to be falling further behind — and this is a generational fix that we didn't talk about. When I was in government, "secure by design" was the mantra — the label we put on it. I don't care what we call it, but we have built this reward system where there is very little benefit to being secure to market — it's all about being first to market — and because of that, we have a lot of products being developed that have core vulnerabilities, hardware and software I'm talking about. So particularly when you're building a security tool, you need to make sure that you are applying the known strategies for building a secure product from the get-go. And I think you will increasingly see — certainly governments, but vendors more so — wanting to know that you have applied those secure design principles from the beginning, as opposed to trying to bolt on the proverbial security afterward.
So I think we like to refer to that at Delinea as our cloud-native 99.995% uptime. But I understand your point — it's got to be secure from the ground up.
Exactly, yeah. With some of the more hardware-focused problems we dealt with when I was at CISA, it seemed like our adversaries knew these products better than the people who designed them. We need to get past that. It's a little scary. There are things I would like to unknow from my time in government.
Tell me more about what you're doing now, now that you're out of government. You have a new company? And I'm going to butcher the name, so — who told me about the name?
It is Civira Partners, C-I-V-I-R-A, with a focus on civic responsibility, resilience, infrastructure. I'm working with several of my very close friends from when I was in government, and we have a breadth of private sector, government sector, policy, and operational experience. So we're a small boutique, and we work with municipal entities, public companies, some smaller companies, startups. Our goal is to provide any type of security advice you need — whether it's governance, tabletop exercises, or true operational work. And being small, we have the opportunity to bring in the teams that are appropriate for each program — like one we're working on right now with a big operational technology provider. We've brought in experts from our time in government. There's a good supply of former government folks out there. So we build the team we need, whether it's cybersecurity or physical security. We help our clients get from "what is the threat specific to them" to "what is the security approach and outcome that actually works for their specific circumstances." A generic threat analysis leading to a generic solution is both not effective and often not implementable. So we try to bridge both.
Very cool — it sounds like exciting things, that you can go both public sector and private sector. When you're making recommendations, or when you're working with your customers, I should say — are you pretty product agnostic?
Typically we'll talk down to the level of the engagement we have. Here's the type of way you should structure your security, your governance, your compliance. Here's how you meet the threat. We have not gotten to the point at this stage where we say "you should use technology A or B." That is a service we have available, and what we would do in that case is bring in some of our former colleagues who've been either CISOs, or there are a few threat hunters from government, a few offensive cyber folks from government. So we would bring them together and say, here's the threat we see for Entity X, here's what they're trying to secure, what do you think is the best suite of tools. So that's something we have in our roster of abilities, but to date we're staying more at the "are you structured right and are you meeting the right threat" level.
The thing that's been the most surprising to me is how many of the clients we've talked to have been working off a very generic assessment of the threat environment that they've gotten from other consultants. We start with: what is the threat specific to you? Who is coming after you? What are their typical techniques? Overlay that with your governance and regulatory requirements, and then come to: here's how we think you can structure security. And this can be physical or cyber. It's pretty cool — it feels like we're still helping people improve their security. That was our goal, and we're working with some critical infrastructure providers, so it feels like a lot of our government mission is carried on.
Well, I think the relationships and the history that you have, and your experience in cyber — it's a great avenue for you to pursue. So that's awesome. Thanks for telling me a little bit about that. Appreciate it.
So just to close the loop on our conversation this afternoon — we talked about cyber strategies of government and private industry, we talked about zero trust and the impact that it still has, that it's still very relevant, and that it will continue to evolve with all the threat vectors, as you mentioned, that are out there and developing faster than we are. We talked a little bit about the ICAM stack and the focusing of the stack, and then what's next. What is next for cybersecurity? Any closing thoughts on what would be great to share with our customers or the public — best practices?
I mean, I've been coming to this show for 15 years, and I've watched the words change — like this, "agentic" is everywhere. ZTA, and the ZTA concept, has been here longer than anything I've ever seen consistently. And at the core of that is access management — knowing who's in and out of your networks, when and why, and controlling that. That, to me, is fundamental. So if I'm going to say what you're doing going forward, it's maybe don't chase all the shiny new objects. If you're not doing the basics right — when I think about the things I said that scare me coming out of government, there's no complete solution to all of them, but a very big element of it, both to prevent and to understand what's happening, is that access piece. And when I go to some of these clients, one of my first questions is: how do you do this, and do you have the type of control? I would resist chasing the shiny new object, as I said, and really focus on the fundamentals.
Awesome, great feedback — appreciate your time, Jeff. Thank you so much.