Risk mitigation master class with Cylance CISO

Malcolm Harkins has been the Chief Security and Trust Officer at Cylance Inc for the last four years. Prior to joining Cylance, Malcolm had a twenty-four-year career with Intel, where his last role was Chief Security & Privacy Officer.

**Please note that this interview has been abbreviated for this blog.**

Hiba Sharief: Hi, everyone. This is Hiba Sharief, CIO and Startup Advisor. We have the honor today of having with us Malcolm Harkins. He is the Chief Security and Trust Officer at Cylance. Malcolm, tell us a little bit more about your career, and how you got to Cylance.

Malcolm Harkins: I’m a bit of an oddball relative to most of my peers in the industry for a few reasons: one, I’ve only worked for two companies in 27 years. Intel Corporation for almost 24 years, and now Cylance for about four years and counting.

Malcolm Harkins: I’m not a technologist and I wasn’t setting out to be Chief Information Security Officer, Chief Security Officer, or anything like that. I was always a finance/econ guy who tripped his way into security and then from there, I’ve never left the space.

Hiba Sharief: Tell us a little bit more about your career at Intel. How did your role involve heading up Security there?

Malcolm Harkins: It was an interesting transition. I had always been involved in business roles like finance, procurement, and business operations, which have heavy controls around financial integrity. Interestingly, when I tripped my way into security, I was dealing with the logical and physical issues and the availability risk issues after 9/11, Code Red, and Nimda.

Malcolm Harkins: But, along that journey, in early 2004, Sarbanes-Oxley was coming to fruition, and I had a line of sight into it. The finance team was driving it from a financial perspective, but the system side of it was behind due to a lack of full understanding around what it meant for financial integrity and financial reporting. The connecting tissue between the two wasn’t there.

Malcolm Harkins: This got me a bit rowdy about the fact that nobody was connecting the dots between all of them. After a little bit of rowdiness on a Friday afternoon, came a Monday morning where I was in charge of Sarbanes-Oxley for all the systems side of things. Well, I pulled it together from there.

Hiba Sharief: What was that thing that got you all excited and interested in security as much as you are today?

Malcolm Harkins: I’m a mission-oriented guy. When I was asked to run security and business continuity, that gave me a purpose, a mission. I knew why I needed to do it. Doug Busch, Intel CIO, who asked me to do that, explained why the company needed it. So I started running towards it.

Malcolm Harkins: As I was doing that, I wrote about it in my book. I drew a picture that I called a ‘Perfect Storm of Risk’: how threat actors and threat agents exploit vulnerabilities that go after assets. It’s basically a confluence of independent, yet interdependent things that also has a legal and regulatory cycle, a geo-political cycle. Intel thought that if I just spent a couple years shoring up security, we could roll back and go into steady state mode and I was like, “No, no, no. There’s this perfect storm of risk brewing, and my job is to understand that.”

Malcolm Harkins: So, I looked at it like a Rubik’s Cube of risk. But the variables were changing themselves. I had to figure out how to stay on top of that, between the threat actors and agents, the legal and the regulatory spirals, and the fact that every company is becoming a technology company. For me, there was a level of intellectual curiosity as well as a level of deep concern around the promulgation and proliferation of the risk cycles.

Hiba Sharief: If we talk about it from a risk appetite standpoint, it’s very different when you were at Intel. Today, you’re looking and interacting with customers and thinking about them differently than you did before. Is that a correct assumption?

Malcolm Harkins: Not for me. This is where you get to risk appetite, and this is one of the things that irks me to a large degree about the way in which companies view risks. The way in which CIOs and CISOs interpret it. Technology can not only create opportunities, it can create risk. There’s an inextricable link between information security and product security.

Malcolm Harkins: If a bad guy wanted to really do something very, very damaging to the world of computing, think of what you could do to manipulate the technology: implant the back door, or figure out a vulnerability that hadn’t been patched and then weaponize that as a zero day to compromise the products of a tech company. That’s always been one of my more substantial worries.

Hiba Sharief: That makes lots of sense. What is it in risk appetite as viewed by CIOs and CISOs that irks you?

Malcolm Harkins: I think people confuse two things. They confuse accepting risk, which is a business process, and acceptable risk. When they think of acceptable risk, people tend to look at risk to themselves, not risk to others. When people get into risk appetite discussions it comes around technology and data protection and at that time, they’re looking at risk to the business. That’s a fiduciary accountability. I think the ethical and moral accountability is going beyond just risk to the business, and looking at risk to the customer, and potential societal risk that you might be creating based upon how you design, develop, deploy, and operate technology.

Hiba Sharief: Yes. In fact, especially now, where a lot of what I’m hearing from boards and various C-level executives, is that they’re all worried about cyber threats and cyber breach. But, mostly it’s because of the risk to others. It will obviously impact their reputation and their ability to stay in business. In reality the risk is of those customers’ social security numbers, or their PII data being out there, and the ramifications of that on the external world.

Malcolm Harkins: Yes, reputational risk, that’s risk to me. Translate it into risk to your customer. Health care organizations do a good job with this. They recognize that if a system is breached and they get ransomwared, and somebody’s getting an open heart surgery and that operating room gets held hostage, somebody could die. We have to think about the equivalent of those types of impacts. I see it constantly, where organizations are going, “Well, as long as I’m not liable, it’s okay.”

Hiba Sharief: So speaking of liability, what are your thoughts on cyber insurance? Should people get it? 

Malcolm Harkins: The cyber insurance marketplace is like the wild, wild west. I don’t know of anybody who’s ever gotten a payout from their cyber insurance policies. We try and equate it to homeowner’s insurance, or earthquake, or business interruption, or something like that, where it’s really black or white. “Did the building collapse?” “Yes.” “Okay, great. We’ll cover 75% of the reconstruction of a new one.” But, you can’t equate them to cyber. In the cyberspace, apply a cyber policy to auto insurance. They would go, “Well, your tire pressure wasn’t exactly at 32 psi, well, that’s one check off the box. You actually had a little bit of a fray on the timing belt, that’s another check off of the box. You had your radio on, which is distracting driving, so that’s a check off of the box.” And then they whittle away, and basically say, “You’re completely at fault. We’re not covering anything, because, guess what? We wrote the policy such that if any one of these things, or the combination of them, you were not on top of every aspect of it, it’s not our fault.”

Hiba Sharief: It’s definitely an interesting one, yet everybody still gets cyber insurance.

Malcolm Harkins: The question is, are they getting it because people don’t understand what it’s really going to do, and it’s a feel-good thing? Or are they getting it because they actually believe that at some level, it provides some financial risk mitigation? But it doesn’t actually mitigate risk. It only mitigates the potential for a financial loss, because of the risk.

Hiba Sharief: Let’s talk about your role. You went from a Global Information Security Officer to a Chief Security and Trust Officer. Can you help explain the difference, and what Trust Officer is?

Malcolm Harkins: I became Chief Information Security Officer at Intel, where I was running all aspects of information risk, security, controls, compliance-related activities, including the data protection team. But it just seemed like an appropriate title. My CISO scope was still broader than most CISOs’ at the time and today, because I had all of the other compliance activities and much more. As my role evolved at Intel, I became Chief Security and Privacy Officer, when I took on product security and that aspect of it. I was going to take the role of Chief Trust Officer, but the Chief Technology Officer didn’t want another CTO at the time. So it became Chief Security and Privacy Officer.

Malcolm Harkins: Later, I joined Cylance as the Global Chief Information Security Officer. As Cylance was growing and maturing, I’ve always believed that the issue that we had was trust in technology, in the people that are protecting our data and protecting our systems. Since I oversaw aspects of things beyond just information security, I went back to the dialogue around Chief Trust Officer. But security has the buzzword, so it became Chief Security and Trust Officer.

Hiba Sharief: But that’s changing with time. I know that the number of threats and attacks has been on the rise. But, there’s also a big change in the technology that’s being used: bots and AI. What are you seeing in terms of risk, and what advice and guidance do you have for folks on the platform?

Malcolm Harkins: Well, going back to my perfect storm picture, the threat actors and threat agents are just continuing to advance what they were doing. But, by and large, the sad part is, we’ve all been using such crappy controls that the industry has sold us for years, and marketed as something that would solve the problem, that all the bad guys need to do is a little tweak to their attack vectors in order to get through most corporations. It’s basically a rinse, wash, repeat cycle for most attacks today, on consumers or on enterprises.

Malcolm Harkins: So, unfortunately, on that side of it, not a whole lot has changed, because we’ve frankly done a pretty crappy job of protecting our organizations. When you go to the information asset cycle of it, the usage models have certainly changed a lot. We’ve got the explosion of Internet of Things, more device types, more applications, and growing proliferation of bring-your-own-device, or bring-your-own-application, or bring-your-own-cloud. So that attack surface continues to evolve and change.

Malcolm Harkins: Now the good side is, some portions of the security industry have certainly evolved. I’ve started seeing an innovation cycle in the startup areas, of people trying to approach things differently. You’ve got automated penetration testing. The problem is, we’re doing it in such an ineffective, inefficient fashion, we’re creating our own economic burden, and then we can’t actually go and solve the problems that are found from it.

Malcolm Harkins: You’ve got companies that are doing a good job, SafeBreach is one of them, of automated penetration testing, automated controls validation, etc. I say, strip the labor away. Make it more effective and more efficient to do control validation. There are companies that are improving the security development life cycle and privacy by design by creating a level of automation to build containers. They’re building them in a verifiably secure and compliant way that speeds up the development process, making it way less vulnerable. I’m really excited about the innovation cycle that’s happening, and hoping that the Cylances of the world, the SafeBreaches of the world, and some of the other companies upend and put out of business the rest of the security industry.

Hiba Sharief: A lot of people focus on the external threat, mitigation and management, whereas most of the attacks are actually from the inside. What is your take on internal and external threat management? Do we have to look at things differently?

Malcolm Harkins: It’s a great question. And let me ask you a question first: When you think that most are from an insider perspective, what are the actions? What are the insider risks that you’re thinking of? Because I think that’s also where people get confused on what’s an insider risk versus an external risk.

Hiba Sharief: People who have more access, or, let’s put it that way, people with elevated rights abusing their power and doing something from the inside and across the business.

Malcolm Harkins: So you’re talking about specifically a malicious internal employee.

Hiba Sharief: Correct.

Malcolm Harkins: Then I would argue that that’s a small amount of the real issues that are occurring. A lot of people confuse the insider risk with, “I clicked on a phish,” or “I forgot to label the data correctly,” and they label that as insider risk, but it’s non-malicious risk. I think the real malicious insider activity, to steal intellectual property, plant a logic bomb, etc. is quite low.

Malcolm Harkins: If I’m a non-malicious actor, I click on a link, I open an attachment and something bad happens, that’s a failure in technology, not the individual. You could also argue the insider risk is the decision maker who thinks that something is an acceptable risk, when in reality, it’s not. When you widen it out to that, you end up with a lot of insider risk. But the malicious side, I think, is quite small.

Malcolm Harkins: On the external side of it, we talked about threat actors and threat agents. When you look at all of the breaches that are public or non-public for that matter, it’s primarily because somebody executed malicious code on the system, was able to take it down to ransomware, weaponize it and do something like the Dyn attack and do a DDoS, or steal data or intellectual property. That’s the vast majority of the risk cycle that we’re seeing. But the core of almost everything I’ve ever experienced is execution of malicious code.

Hiba Sharief: So, what can your fellow CISOs and CIOs do to better protect themselves?

Malcolm Harkins: Well, I think that there’s a number of things that they can do. The best is to do what I call a control design review. Is it manual? Is it scalable? Is it actually getting the business results and outcome that you anticipated? If it’s not, re-design the control, or get rid of it and stop wasting time and money.

Malcolm Harkins: A lot of organizations have DLP. When asked why they deploy it, they say it is to prevent the exfiltration of data. Come to think of it, who would be the people moving the data to where it shouldn’t be? The external person got through your firewall, your network intrusion detection and prevention system, the alerting mechanisms, and onto your hosts, the HIDS, the HIPS. You want to tell me they can’t get past a signature-based DLP because they’ve found the crown jewel that’s labeled ‘top secret’? Do you think they’re going to be stupid enough to try and move it in the same package and the same form that’s going to hit the trigger?

Malcolm Harkins: If I’m looking at stealing intellectual property, dropping a logic bomb or trying to steal personal health records in a healthcare organization, well, I’ve already been granted access, so I’m an authorized user. Because I have been trained on the sensitivity of the data, I pretty likely know the DLP signatures too. So, unless I was being really stupid to steal stuff, I would get caught. DLP for the insider risk only really mitigates a non-malicious actor from handling the data improperly, which is a pretty good thing to do, but it’s not-

Hiba Sharief: Enough.

Malcolm Harkins: … it’s not enough. And you spend all this money to deploy all the stuff, and it really doesn’t manage any of the risk that you want it to. Going back to my execution of malicious code, if I was a malicious insider, and I wanted almost 100% certainty I’d get away with it, what would I do? I’d hire a Crimeware as a Service for a couple hundred bucks, get myself phished, have the data taken out, and have complete plausible deniability that I didn’t do a damn thing.

Malcolm Harkins: You’re not mitigating your risk. You’re mitigating a compliance risk, but why deploy it everywhere, then? If you have to do it for compliance purposes, go put it on the nurse’s station, in front of the data stores where that healthcare information is. Take it off of 75% of the rest of the company. And stop wasting your time and money. That’s the type of review that I would do on a control by control basis, to really see if it’s delivering the business outcome.

Hiba Sharief: Malcolm, one of the biggest challenges we’re all seeing today is the limited supply, or the increasing demand, and I don’t know which one is the problem here, of top talent, or just cybersecurity talent. Are you seeing the same thing, or do you have any secrets that we should all learn more about and try to attract and find the right folks out there? What is your take on the virtual CISO, or the SOC teams that are global?

Malcolm Harkins: Talent management is obviously a multi-faceted problem. I’ve been lucky enough both at Intel and even at Cylance to work in a company where, from a technology and security perspective, people will want to work. Because if you’re a top cybersecurity person, I’ll probably have an easier time attracting and retaining that talent based upon the organizations I’ve worked for, than if I was working for Acme Hamburger Company.

Malcolm Harkins: But, if we’re doing a lousy job of controlling for risks, that means we have the need for more equivalent firefighters. 75% of the labor shortage is because of the crappy controls the security industry has sold to us.

Malcolm Harkins: Now the 25%, if my numbers are roughly correct, is because of increased demand. It’s because of new architectures and technologies, that we need to get in front of. I think it’s a mixture of evolution of information technology that’s spurring the need to understand the risks of those, and manage and mitigate them, which is growing the need for the skills. At the same time, the shortages driven by the lack of control create the problems, which create the reaction that they need the bodies to work through it. A substantial portion of the labor shortage that we’ve got has been self-created, by us, by not doing a good job.

Hiba Sharief: How are you handling that? Are you bringing in folks and training them up? Are you just finding talent globally?

Malcolm Harkins: It’s a good question. It’s a little bit of both. At Cylance, I built a control stack and a set of technologies and processes that prevent the vast majority of my problems. As the company grows, you get more devices, you spread into different markets, and have more compliance activities. I’ve had to keep up with that crew. But, I haven’t had to do the whack-a-mole stuff like everybody else. So a better control stack means you have fewer labor problems, because you don’t have the need to throw bodies at it.

Malcolm Harkins: Now the reality is, we still have, as we said before, a little bit of a labor shortage in some areas. One way of dealing with it is: if you’re a middle market company that’s struggling to find good talent, you’re going to have to grow it, pull it from other parts of your IT organization, go to junior colleges, undergraduates, get people, train them, grow them. Then once you grow them and they have three years under their belt-

Hiba Sharief: They’re gone.

Malcolm Harkins: Instead of making $75,000 a year, they move to a bigger city and they make $150,000-$200,000 a year, and you lose them. Your talent management has to be always one of refreshing the ranks. You’re going to grow and lose, grow and lose. You have to have a talent strategy for that, and it doesn’t mean you can’t retain, but your retention might be harder. It really just depends upon the organization, the location, and those types of things.

Malcolm Harkins: People will stay with the company if you do certain things. If you grow them, their skills continue to grow. Fundamentally, I’ve always been able to retain people with a high degree of pushing 100%. It’s because I focus on creating a culture where the employees get three things on a routine basis: they feel like they believe in the mission, they believe in the management, and they believe in themselves. They should feel like they belong, because somebody gives a crap about them, both at work and at home. And at the end of the day, the work they do has to matter. I call it, “I believe, I belong, I matter.” If you can get the employees to say it every day, you’ll never have retention issues. Rather, more people will want to come work for you, and so your pipeline is always full.

Hiba Sharief: Although it does become very difficult, so you have to look at other ways to keep talent. If we’re doing monthly touchpoints and we’re seeing the talent at a flight risk because of financials, and how fast they’re growing, there has to be a potential change in more frequent market analysis, mapping of responsibilities, role, breadth of scope, etc. I do see people leaving for money where you can’t really prevent them from going because of some HR rules that say, “We can’t do more frequent or more exception-based market adjustments.” And I don’t know if this is a Silicon Valley only thing, or if it’s kind of a-

Malcolm Harkins: I think it’s a broad based thing. Every company does that, but that’s a leadership fault. If the manager just says, “The HR policy is we do an annual review, and that’s the only time I can give you compensation,” and you’ve got somebody that is hungry, humble, smart, they’re killing it, and you’re not willing to go to the mat, make it happen for them, you know what? I’d leave, too. It gets back to, “You didn’t demonstrate that I belonged, and that I mattered. You just said, ‘Well, there’s an annual process, and I’m sorry, I’m sorry, I’m sorry.’” Well, people have kids, they have mortgages, they have college tuition, they’ve got all of those things, like we all do.

Malcolm Harkins: I was, and still am, a very aggressive person. And my march through Intel was: every 18 to 24 months I got myself promoted. Why? Because I was a business guy, and I wanted to rise as fast as possible. Those are okay traits, as long as people are executing to what the new, higher-level expectation is. When they perform great, give them a little bit of time to settle in, make sure it wasn’t just a one-time wonder, give them the next challenge. When they’re partway through slaying that next challenge, give them the next carrot. And you continue the cycle. So, for me, I actually look for people who just go, “I really want this. I want to climb Mt. Everest.” “Okay, great. I’ll be your Sherpa. Let me show you how to do it.” Because those folks will carry a lot of weight and get a lot of stuff done.

Hiba Sharief: Absolutely.

Hiba Sharief: Well, we really appreciate your time. It was a real pleasure speaking with you, and again, thank you.

Malcolm Harkins: Nice to chat with you, too.
