White House IT, Ransomware, and Navigating OT Security


 

From Parody to Policy: “As You Phish” and a Real-World Conversation with Max Everett

Cybersecurity isn’t just serious business—it’s also full of opportunities to educate, inspire, and laugh. That’s the idea behind the animated short As You Phish Part One, a cybersecurity parody of The Princess Bride, created by Ron Gula and Gula Tech Adventures. In this first installment, classic fairytale sword fights are reimagined as duels between firewalls, VPNs, and two-factor authentication tools, as our heroes flee from the Dread Malware Roberts through FedRAMP Ridge and secure gateways, debating the illusion of security, exploit vectors, and privilege escalation. It's a comical yet insightful take on how modern cybersecurity tools work together—or don’t.

The short sets the stage for a more grounded, in-depth conversation with Max Everett, who’s had a storied career defending everything from political campaigns to the nation’s nuclear infrastructure. Everett currently serves as CISO of Shaw Industries, but he’s also held pivotal roles as CIO for the White House and the Department of Energy.

The OT and Cyber Risk Balancing Act

At Shaw Industries, Everett faces a unique blend of manufacturing, operational technology (OT), and enterprise IT risk. His approach is pragmatic: cybersecurity isn’t about locking down every system—it’s about managing risk to keep the business resilient. Instead of panicking over unpatched legacy OT, Everett focuses on compensating controls like micro-segmentation and a culture of cyber awareness among long-time engineers.

His message to new cyber hires? “It’s not about zero risk—it’s about knowing the business and managing that risk in a way that allows the business to thrive.”

Bridging Government and Industry

Everett has a unique vantage point on the intersection of government and private industry. As a government veteran, he has worked with agencies from the NSA to DOE. As a private-sector CISO, he appreciates the improved sharing from agencies like the FBI and CISA, especially the Known Exploited Vulnerabilities (KEV) list. But he’s also skeptical about the layers of oversight—suggesting that between CISA, ONCD, the SEC, and other agencies, the U.S. needs clearer, unified cybersecurity leadership.

“There are too many voices,” he warns. “Five people telling you what to do with funding for only one of them—that’s a recipe for box-checking, not real security.”

Security in Politics: Campaigns and Conventions

Everett’s resume includes cybersecurity leadership at every Republican National Convention since 2000 and helping to run IT for George W. Bush’s first presidential campaign. He’s also been deeply involved in Defending Digital Campaigns, a bipartisan effort to offer free cybersecurity products to political candidates.

Campaigns, Everett notes, often lack the resources to protect themselves, yet remain high-value targets. “When you’re protecting an arena full of delegates and a massive media footprint, you’re a prime target for disruption. But even a small House race can become ground zero for cyber interference,” he said.

The stakes are too high, and the threat is too real to ignore—which is why he applauds the bipartisan support for DDC’s work with vendors like Google, Microsoft, Cloudflare, and Yubico to offer tools to campaigns at no cost.

The DOE Challenge: Secrets and Science

Perhaps Everett’s most challenging role was as CIO of the Department of Energy, which oversees both cutting-edge scientific research and the design of U.S. nuclear weapons. With 17 national labs ranging from basic science to weapons development, Everett had to walk a tightrope between academic openness and national security.

He emphasized a federated model—letting lab CIOs make their own risk decisions while ensuring accountability and communication. “Cybersecurity is only one risk,” he explains. “A good CIO understands that and weighs it against all the others.”

During his tenure, Everett also led the push to comply with the FITARA law, which required cabinet agency CIOs to report directly to their Secretaries. He was the first to make that happen at DOE, reinforcing the role of cybersecurity leadership in federal governance.

Views on AI, Microsoft, and Regulation

Everett isn’t shy about the complex relationship between cybersecurity and innovation. On artificial intelligence, he points out that AI amplifies the existing challenge of Shadow IT—when employees use cloud or AI tools without oversight, potentially exposing company data.

Regarding Microsoft, Everett describes them as both indispensable and imperfect. Their massive footprint makes them an inevitable target, but it also makes it hard to tell whether they’re failing or simply absorbing more attacks than anyone else.

When it comes to regulation, Everett sees real risks in overlapping directives from agencies and calls on Congress to step up with legislation that makes sense in today’s cyber landscape. He supports revisiting Section 230 of the Communications Decency Act and argues for greater accountability around user data and privacy.

Final Thoughts

Everett’s closing message is clear: cybersecurity is not a partisan issue. It’s a national one. Whether you’re a technologist, a parent, a policymaker, or a CEO, your role in protecting data and systems matters. He applauds bipartisan work on initiatives like Defending Digital Campaigns and urges leaders not to “throw out the baby with the bathwater” when administrations change.

In Everett’s world, cybersecurity is about teamwork, resilience, and shared responsibility—from national labs to carpet factories, from campaign headquarters to critical infrastructure.

And yes, maybe even a little bit of Princess Bride-inspired swordplay between VPNs and EDRs.

 
