CISOs and CIOs are bombarded with a lot of cybersecurity noise: data points, threats, scares, and pressures to take action, sometimes before all the information is available. Cutting through the noise was the focus of a discussion with Malcolm Harkins, Chief Security and Trust Officer at Cylance. Sharing real-world examples, he offered his insights on how to get past the clutter and look at the real issues that could seriously impact your business, your customers and society as a whole.
(Don’t have time to read but still want to hear Malcolm’s insights? You can find his podcast on the topic here.)
Government Technology Insider (GTI): Malcolm, you were on four panels at the RSA Conference and I’m sure you attended several more of the presentations and discussions. So I’d like to zero in on the issues that were addressed in your sessions. In security, it seems the sky is always falling and Chief Information Security Officers are bombarded with information on the latest threats, the latest tech, and how no matter what, it seems the bad guys will always have the advantage. So how do they cut through the fog and zero in on what’s really important?
MH: It’s a bit of a challenge and, in fact, one of the panels that I was on with Mark Weatherford who’s at vArmour, Patty Titus, and Merlin Namuth, the title of the panel was around this cybersecurity noise and the decision maker dementia that folks can get because of the alert fatigue and the tactical issues coming up. It can even come from the noise generated by the media that gets the attention of the CEO and the board, which causes more inquiries and churn for them. You know, I think that the basic way that I look to do it is have a set focus and strategy.
I’m a morning guy so I get up early. I look through the news and what’s in that news cycle and what happened overnight, perhaps with my teams, and I try and stay in front of my management. So that way if I see something in the news, I can say this isn’t a big deal, or don’t worry about this, or we’re looking into this. So that we can manage management, if that makes sense. That’s one way to deal with some of the noise and stay in command and control.
The other aspect for me is having a set of priorities, monthly, quarterly and strategic plans where you’re constantly looking at where you’ve been, where you’re at, where you’re going, and then put in context of that the threat and risk dynamics, and paying particular attention not to the attribution that the media does and that the security industry likes us to focus on, which is the threat actor and threat agent, because as a Chief Security Officer, Chief Information Security Officer, I have no control over a threat actor or a threat agent, but doing kind of a quarterly review of what I call weeding and feeding: what controls failed, because that you can do with 100 percent attribution. So where did I have an issue, attribute the control that failed, the process that broke down, and again do the weeding and feeding. Get off of the controls that don’t work and then focus on the new things that you can do to make a better bend in the curve of risk and better manage your total cost of controls.
GTI: That makes a whole lot of sense, to try and stay ahead of the curve instead of waiting for things to happen and being reactive.
MH: One of the other things that you could do on a quarterly or semi-annual basis is do an emerging risk review and think “out,” because we’re so focused on what’s top of mind today instead of thinking about where the future risk is for the organization, where is the company going, where are the business units going, how is that going to generate risk? Where do I imagine the risk might hit me a year from now, two years from now, three years from now, and having that, almost, future-casting of where risk is headed will also make you less reactive over time.
So my advice is find ways out of being reactive and embrace the mindset that says don’t cling to a mistake just because I spent a lot of time making it. That applies to people, process, and technology. Become the security leader who says, “We’ve got a clutter of controls that aren’t working” and then systematically go through, revisit them, fix them, get rid of them, and move to something better.
GTI: When they’re getting all this information about threats, about technology, about approaches, does the source of the information make a difference, whether it’s coming from a vendor or from an analyst, from peers in the industry or from the media?
MH: Absolutely! You always have to take the information and the spin of that information with a grain of salt. You need to ask: “What motive does the creator, or the distributor of that information, have?” Then once you understand their motive, you can determine how much you rely on that information set. One of the things that I’ve always tried to do, both when I was in finance as well as in security, I think of my job sometimes as a choice architect, because the decisions that we make today and the choices that the business makes today affect future risk.
Getting to the RSA Conference theme of “now matters” — “now” has always mattered. But, the elements of “now” that I like to think about are the choices that we make and how that will affect the future risk. And, many times people go gather information to affirm their position rather than to gather information to inform their position. And that’s a subtle difference, but you have to think about it when your teams or you are reviewing data: are you doing that to inform a choice and have a little bit more objectivity, or are you doing it to affirm your position? And if you’re affirming your position, there’s almost, to some extent, an intention, or at least, some level of bias that might be tainted in that information.
GTI: True science, of course, is about learning the truth based on the facts that you gather as opposed to just saying, “Yes, I’ve made an assumption and now I’m finding the facts to prove that.”
MH: Right, and the security industry that profits from the insecurity of computing and makes more money, the more problems and more reaction that exist, preys on the fact that CISOs have that psychological phenomenon of the recency bias or the confirmation bias. For example, “I have the confirmation bias that the controls aren’t effective,” and then the industry narrative comes along and says, “Accept that they’re going to get in,” rather than rising above that and saying, “My job is to prevent risk as much as possible.”
GTI: Sometimes the CISO has to say, “We’ve been doing it this way for a long time but now we’ve got to go another direction,” and that’s a difficult thing for people to make a choice about.
MH: Oh, it’s definitely a tough thing, instead of making incremental progress, to totally reimagine and rethink what’s possible and think beyond the existing paradigms of compromise… think beyond the existing paradigm of compliance and really get in front of things with a proactive stance. You know, the industry by and large lags for the most part, right? We need victims in order to try and prevent other things based upon signatures and behavioral capabilities. It’s one of the reasons why Cylance’s AI and ML have been so effective. The mathematical capabilities that we’ve developed allow us to predict good or bad, and we just recently released at RSA a study that we had SE Labs do, because we had done an internal study on what we call temporal predictive advantage: how far back can we go in our products and demonstrate that we were in front of zero days?
We had done some analysis on it a year and some ago, and we had come to the conclusion that it’s about 18 months. We asked SE Labs to go look at this concept of predictive advantage. And, we only update our math models once or twice a year, so it’s not the constant barrage of DACs and definitions and behavioral changes that are happening every few minutes with the other capabilities. And, what they found when they went back and looked at multiple sources of malicious code that were all never seen before, they came to the conclusion that we had a two and a half year predictive advantage. So, imagine that in your enterprise, being two and a half years in front of a threat vector, what you could do and how that would allow you to get out of the reaction mode.
Tomorrow we’ll publish part two of our interview with Cylance’s Malcolm Harkins.