NFL & CISA at the Open Source Security Summit 2024

Learn more about the annual Open Source Security Summit.

In September 2024, the fifth annual Open Source Security Summit brought together participants from around the globe for engaging discussions led by industry experts on how open source strengthens trust and security through collaboration and transparency. Highlights from this year included a fireside chat with the CISO at NFL, Tomás Maldonado, and executive assistant director of the cybersecurity division at CISA, Jeff Greene.

To explore past summits, many session recordings are available for 2023, 2022, 2021, and 2020 at opensourcesecuritysummit.com or on the Bitwarden YouTube channel.

NFL & CISA: Addressing security vulnerabilities to improve security posture

Tomás Maldonado, CISO at the NFL, and Jeff Greene, executive assistant director of the cybersecurity division at CISA, joined Bitwarden CEO Michael Crandell for a fireside chat on best practices, common mistakes, and the breadth of resources available to organizations.

Top cause of security vulnerabilities: human error

Human error remains one of the top causes of breaches. According to the Verizon Data Breach Report, 68% of breaches trace back to social engineering or human error. For example, one simple password was responsible for the SolarWinds security incident.

In the wake of rising phishing scams (e.g., a CEO suddenly sending a message requesting gift cards), Maldonado advises, “We need to educate individuals to be more aware of the types of psychological attacks used on them because people are very forthcoming, giving, and want to do the right thing – those are the things adversaries know how to abuse.”

Empowered employees lead to a stronger security posture

Maldonado and Greene spoke on the importance and impact of empowering your workforce through security training that teaches skills carrying over between work and personal life. As Greene put it, “If you help people understand how to apply security controls in their personal life – how to protect their bank account, social media – they can transfer those skills and knowledge almost unthinkingly to work.”

“Most people will say, ‘our staff are our weakest links.’ I like to think of it as ‘our staff are our greatest assets.’ If I have 15,000 people in my organization, I potentially have 15,000 security people. If I can reach them and make them a little bit more educated in cybersecurity.

They may be good canaries, good advocates for implementing controls, or evangelists spreading the word and being that first line of defense because they’re the ones interacting with systems. They’re the ones creating data. They’re the ones logging in. They’re the ones sending and manipulating information.” ~ Tomás Maldonado, CISO at NFL

Free services to improve security posture

To support organizations, Greene detailed the wide range of free services offered by CISA, from vulnerability scanning and the ransomware pre-notification initiative to “cyber performance goals with baseline security measures that any entity with a public-facing business should take.”

Regularly reviewing vulnerability databases to identify known vulnerabilities is crucial in this process. In the wake of SolarWinds, CISA has made significant progress in deploying endpoint detection and response technology across 60+ federal agencies and entities, which has prevented what Greene refers to as “next-generation attacks.”

The main takeaway: regardless of whether you want to protect yourself, your family, or your business, there are simple, effective steps you can take to stay secure from most attacks.

“We are all empowered to improve the security of our own life, our own digital life, and our companies. As scary as it seems, most of the attacks out there are not that sophisticated. Most malicious actors are lazy; they did not go into crime to work hard. They’re taking advantage of known exploits and vulnerabilities.

If you, as an individual or small business, do the simple things – patch, software update, install security tools, use multifactor authentication – you will be ahead of most attackers.” ~ Jeff Greene, CISA
