In part one of this two-part conversation with Malcolm Harkins, Chief Security and Trust Officer of Cylance, he explained how millions of unfilled cyber jobs could actually be an opportunity to improve security practices. In this part, he gives his perspectives on how IT leaders can make choices that improve effectiveness… and help them hang onto essential employees.
(Don’t have time to read but still want to hear Malcolm’s insights? You can find his podcast on the topic here.)
Government Technology Insider (GTI): There’s obviously a leadership element to the labor shortage question. CIOs and CISOs need to decide where to put their limited resources. How can they effectively make the right choices when they don’t have enough of the right capabilities: people versus technology versus, “What do I do with all of this?”
Malcolm Harkins (MH): It’s an interesting question, but you could argue every organization has that same challenge. The CEO of a company doesn’t have an unlimited budget, nor unlimited capital. Their job is to figure out the allocation at a strategic level to achieve the mission of the organization.
Even multibillion-dollar firms don’t have unlimited budgets and unlimited resources. So, characterizing it as different for the federal government is, I think, a failing in the way in which the security industry frames it. Because it’s a little bit of, “Woe is me, I’ve got a hard problem.” Well, get over it. Every business leader does.
That’s a leadership moment — instead of, frankly, complaining about it, accepting that responsibility is important. I agree this is a leadership issue, and one of the best quotes around what a leader is came from a book, “The Leadership Challenge,” from Kouzes and Posner: “Leadership is the art of motivating others to want to struggle for shared aspirations.”
This is hard, and the shared aspiration we need to have is not only, “How do I tactically deal with the situation I’m in today?” The business leader’s job is also to do transformational change, to make strategic investments for progress, which means you have to make the hard choice and allocate the staffing and the budget and the resources, all towards moving you toward a better state.
It means recognizing, “Yeah, I might need firefighters.” But I’ve got to create an architecture and an environment and a control philosophy for fire prevention. And it’s a tough choice. But, to be honest, that’s what leaders are paid to do, make tough choices.
GTI: Of course, the situation is exacerbated by the turnover in CEO and CISO positions. As we’ve seen in a number of industry studies, they’re often there for less than two years. And being consistent in achieving the mission is tough to do when the leadership keeps changing.
MH: It is tough to do when the leader keeps changing because there’s not necessarily continuity of philosophy and approach.
All the HR elements of this explain why people leave jobs. They leave jobs because they don’t want to work for that manager anymore. They don’t want to work for that company anymore. They don’t feel a part of something.
I do think a lot of CISOs hop companies and it could be for a few reasons: they’re upping their pay, in other cases, they’re disillusioned with the company they went to go work for, because they were promised one thing, they were told they were going to be able to solve some things. And when they get there, they’re not given the autonomy to go execute the changes. In which case, they don’t believe in that management anymore. So they leave.
To some extent, an organization might get rid of the CISO because the CISO over-promised and under-delivered and created too much churn and put too many controls in place that impeded the business, and didn’t actually want to be accountable for real business outcomes like a risk metric.
But beyond a risk metric, a cost metric. And beyond a cost metric, a business philosophy or what I call ‘control friction metric.’ Because those are the business outcomes and the objectives the senior leaders want to see from the team: “I want lowered risk. I want good cost management and the lowering and flattening of my total cost of controls. And I want to remove that control friction on the velocity of the mission to the organization,” and a lot of CISOs don’t want to be held accountable to those business outcomes.
GTI: You’ve said that it seems, in many cases, the technology is not doing its job. Maybe it wasn’t implemented properly, maybe the expectations were wrong. Is technology, AI or machine-based security, the way to go?
MH: Definitely, it can be. If you think of the security team like a factory, you go, “How do I get yield out of my investment? How do I get yield out of my people? How do I get them to punch above their weight limit?” AI and ML can do that when properly applied and when done at the right levels. That’s why Cylance was started.
That’s why I also left my job at Intel to go work for a company that, at the time, nobody had ever heard of, because I wanted to change the dynamics. I saw the opportunity in the way in which Cylance created its artificial intelligence and machine learning to pre-empt the execution of malicious code. And doing so in an effective and efficient fashion (which) fundamentally changed the dynamics of what is driving the cyber risk cycle.
And once you do that you’re no longer having alert fatigue. And then you can apply security orchestration and automation. So instead of a traditional security event information management system, and basically a database of alerts, you’ve stopped the malicious code cycle, and now you can have a higher fidelity to do other things.
You can use AI and ML to give you more precise focus on where an anomaly is and reduce your time to understand, and then increase the focus on what you need to do. And then you can also start using automation to do penetration testing instead of throwing bodies at it.
How do we use automation to validate our controls? How do we use automation to better validate technology before it gets implemented and do code checking and security development lifecycle? We’ve got to use the automation to change things upfront in the creation of technology but also in these other things that we’re doing today.
It can be transformative – reduce our risk, allow us to better manage our cost and, again, remove the friction on the organization. And doing those things will also reduce the labor shortage and allow me, as a Chief Security Officer, to not have the same problems and probably increase the retention of my staff. Why? Because they’re no longer fatigued, they’re no longer blamed as a part of the problem, and they’re making a bigger difference now for the organization that they work for. And who wouldn’t want to stay for a company where they’re making a bigger difference, being paid relatively well and can innovate, ideate and have a bigger impact?
GTI: Is outsourcing security going to become more of a norm?
MH: A lot of organizations are doing that, particularly small and medium business and even some large organizations. But I think you have to be careful in doing that. If your ‘outsourcer’ makes money because they’re responding to alerts, your outsourcer is going to be economically incentivized to continue to have a growing alert volume. So, I’m not saying you don’t do that, but you need to think about whether or not the way in which (the outsourcer) makes money is to keep you on this hamster wheel of reaction and response.
It boils down to the outcomes and how we measure it. It’s hard work. A comment that I had made to my middle son a couple of weeks ago is, “The only place where success comes before work is the dictionary.”
We have to do the hard work, and that hard work is making tough choices and that hard work is also changing our control approach. And then we’ll have success.