Insights from the Cybersecurity Frontline

An Interview with Malcolm Harkins, CISO Ambassador for Reveald

Sabrena Gartland

Jan 4th, 2024

In an illuminating conversation, we delved into the mind of Malcolm Harkins, a prominent figure in cybersecurity, to explore his journey, insights, and the evolving landscape of digital threats. Here's what he had to share:

Q: How did you get started in the cybersecurity industry, and what drives your passion for it today?

Malcolm: My entry into cybersecurity wasn't planned; it was a call from Intel's CIO in late 2001, during a time marked by global turmoil and emerging cyber threats. Despite my initial reluctance due to a lack of security knowledge, I was drawn in by the mission to manage and understand the 'Rubik's cube of risk' that cybersecurity presented.

The early 2000s were a period of significant digital and physical threats, from 9/11 to cyber incidents like Code RED. Intel's then-leader Andy Grove's proactive stance on these new risks led to my unexpected career pivot. I was tasked with leading security and business continuity, a challenge I accepted with a mission-oriented zeal, despite my unfamiliarity with the field.

As I delved into the role, my initial commitment to address immediate challenges evolved into a deeper understanding of the broader landscape of cyber threats. Intel's significant tech industry presence offered a unique vantage point to observe and react to the burgeoning field of information and technology risks. This realization that we might be on the cusp of a 'perfect storm' of risks galvanized my transition from a novice in the field to a dedicated cybersecurity professional.

My journey was fueled by a growing realization of the complexities and the critical nature of cybersecurity. It wasn't just about managing risks for Intel but about shaping strategies that would impact the wider tech ecosystem. This path, which I embarked upon somewhat inadvertently, became a defining aspect of my professional life, driven by a profound commitment to understanding and mitigating digital threats.

Reflecting on this journey, it's clear that the unexpected turn into cybersecurity was not just a career shift but a call to a larger mission. It's a path that has been both challenging and rewarding, marked by continuous learning and a steadfast commitment to safeguarding the digital landscape.

Q: You're a globally recognized cybersecurity thinker. How have you seen the industry evolve over your career?

Malcolm: The cybersecurity industry has evolved considerably, especially in the last few years, with innovative startups and established players introducing novel solutions to manage risk more effectively. Unfortunately, there's a persistent downside: many organizations continue to procrastinate in addressing cyber risk adequately. I've noticed numerous peers struggling to draw internal attention to these risks, and all too often, boards and executives underestimate the severity of cyber threats. This has been a long-standing issue, though there are signs of change in recent times.

On a broader scale, while I'm optimistic about the startup sector and acknowledge the contributions of major players, the cybersecurity industry faces an economic dilemma. Generally, there's little financial incentive to proactively address some problems, as ongoing risks often drive industry revenue. This can lead to a concerning situation where some might avoid addressing issues fully if it doesn't align with their profit goals or might undermine their existing product lines.

This brings to mind the concept of a 'cyber industrial complex,' a term I've used to describe the industry's potential conflict of interest, where profit motives might compromise the pursuit of effective risk management. This complex nature of the industry means while there are many positive advancements, there's also a darker side where risks are sometimes ignored or underplayed. Vendors might continue promoting outdated technologies as effective solutions, perpetuating ineffective controls and creating a false security narrative.

In essence, while the industry has seen significant growth and innovation, it's essential to confront these underlying challenges. Balancing economic incentives with the ethical responsibility to provide effective as well as efficient security solutions is crucial for the future of cybersecurity. We must strive for a comprehensive approach that genuinely enhances digital security, ensuring strategies and solutions truly contribute to creating a safer cyber landscape.

Q: What do you believe are the most critical challenges facing cybersecurity today?

Malcolm: Internally, when managing an organization's security, one must contend with not just the external threat actors and agents and the ever-evolving technological landscape, but also with what I refer to as the internal battlefield. This battlefield includes navigating budget bureaucracies and shifting behaviors to effectively manage risk conditions and secure necessary resources and attention. Recent enforcement actions and regulatory changes, like those from SolarWinds, Uber, and SEC reporting requirements, have brought more clarity and urgency to these challenges. CISOs are increasingly recognizing their potential personal liability for the organization's cybersecurity posture and the accuracy of their risk assessments, both to external stakeholders like shareholders and investors and internally within their organizations.

On the vendor side, the industry has faced its own set of challenges. Despite a long-term trend of increasing cybersecurity budgets, the past year has seen a marked deceleration in spending growth. This slowdown can have ripple effects across the industry, affecting capital markets and the ability to fund new innovations. When the pace of innovation in cybersecurity slows, it can lead to future risks as we fall behind in developing and implementing new controls and technologies to address emerging threats. This scenario is a significant concern for both cybersecurity practitioners and vendors, highlighting the need for continued investment and innovation to keep pace with the ever-evolving landscape of cyber threats.

Q: You often talk about industry accountability. Can you elaborate on why this is important, how companies can be more responsible?

Malcolm: Accountability and responsibility are paramount in both the vendor and internal practitioner sides of cybersecurity. Internally, understanding and accurately portraying the state of risk based on data, knowledge, and logic is critical. Practitioners should be unwavering in their representation of risks and not dilute, water down, or mischaracterize risk portraits, even when facing pressure from higher-ups, including the board. It's alarming that a significant percentage of cybersecurity professionals report being pressured to underreport or alter the portrayal of risks. The stance should always be to base any change in risk characterization on solid data and logical analysis, not just because someone higher up has an opinion but offers no verified data to support their position on risk.

For vendors, the responsibility is equally significant. They must ensure their products are effective and that they're marketed accurately. As I mentioned to a security vendor recently, if a product works well, attackers will look for ways to circumvent it. If they can't find a way around, they might try to compromise it directly. Therefore, vendors need robust security development lifecycles and privacy by design. They also need to protect their internal systems because if attackers can breach these, they can potentially compromise the product itself. In essence, just as a locksmith needs to secure the design of their locks, vendors must secure their enterprise including their products and their processes.

In both realms, the goal is clear: ensure that the portrayal and management of risk are as accurate and effective as possible, resisting external pressures and constantly striving for the highest security standards. This is not just about protecting an organization or a set of users; it's about upholding the integrity of the cybersecurity field.

Q: What are your top recommendations for managing cyber risks in today's volatile digital landscape?

Malcolm: The concept of materiality is central to my approach to cybersecurity. It's about setting real design goals, not just quick fixes or compliance checkmarks like patch speed or SOC2 compliance. These are broad measures and don't equate to what I consider true design goals, which are akin to a business's targets for revenue, margin, net income, or market share. In cybersecurity, the equivalent design goal should be the prevention of any material significant event, which is what truly matters to shareholders, investors, and customers at the end of the day.

You can't entirely eliminate risk, but you can aim for a design goal that minimizes the likelihood or impact of a material significant event. For example, consider how we rate the durability of a fire safe by how long it can protect its contents at a certain temperature. Similarly, we might rate buildings for their earthquake resilience. Why not apply a similar approach to our cybersecurity systems? Determine how well they can withstand an attack from a specified type of threat actor and how hard the attacker would have to work to breach the system.

Current compliance regimes like SOC2 are about having a set of general controls, which is necessary but not sufficient. They don't really tell you about the efficacy of your defenses against an actual attack. To truly make a difference, we need to shift towards setting real risk goals and modeling our controls to effectively counter the specific threats we're most concerned about. This means understanding the nature of potential attackers and rigorously preparing our defenses to withstand those specific threats, thereby protecting our systems and, ultimately, our organizations.

Q. Can you discuss some of the best security practices that organizations often overlook?

Malcolm: Returning to the concept of design goals, I believe many organizations have overlooked establishing real, meaningful objectives, instead opting for superficial measures of motion or overemphasizing compliance. This approach is a critical error. A deeper understanding of the interconnectedness of systems, people, devices, and applications is essential. It's about recognizing how these elements can collectively trigger a material event, creating significant exposure for the company.

The recent SEC guidance has prompted many to start analyzing potential material risks, but this is something organizations should have been doing proactively for a long time. Identifying what could lead to a material impact, such as a factory going offline, seems straightforward. However, understanding the cascading effects from a cybersecurity standpoint is far more complex. Many organizations lack the necessary skills, resources, or manpower to effectively map out these risks manually. Even when they do, the landscape changes so rapidly that the analysis is often outdated as soon as it's completed.

The solution lies in seeking automation that can continuously map the attack paths and potential exposures within an organization. This allows for a more dynamic and accurate understanding of where vulnerabilities lie and how they might be exploited, leading to a more effective and responsive risk management strategy. In essence, it's about shifting from a static, compliance-focused approach to a dynamic, risk-aware strategy that truly protects the organization from material harm.

Q: You are known for advancing technological ethics. How do you see ethics playing a role in the future of cybersecurity?

Malcolm: The question of ethics in cybersecurity is profound and complex, extending far beyond the realm of legality. My approach to ethics stems from a deeply personal place, reflecting who I am and my principles. It's crucial to understand that legality and ethics are not synonymous; one can act within the law yet still be unethical. Ethics is about the choices we make and the impact those choices have on others. It's about discerning right from wrong beyond the black and white of legal requirements.

For instance, in my career, I've faced situations where, despite no legal obligation, I felt compelled to disclose security incidents or potential data exposures. This was driven by a sense of ethical responsibility to individuals or other companies who could be adversely affected. Consider a scenario where a lost laptop contains data that could put someone, perhaps escaping an abusive relationship, at risk. Legally, there might not be an obligation to notify them, but ethically, informing them allows them to understand and manage their new risk level.

This ethical perspective extends to how organizations conduct themselves. Focusing solely on protecting the company can inadvertently create risks for others, reminiscent of decisions made in cases like the infamous Pinto. True ethical behavior in cybersecurity means considering the wider impact of our actions and decisions, aiming to mitigate risks not just for ourselves but for all potentially affected parties. It's about striving for an optimization between risks and affordability that protects without causing undue harm, a nuanced path that navigates the complex interplay of risk, responsibility, and morality.

Q: You've served as a CSO ambassador. How do you perceive the changing role of the CSO in today's corporate structure?

Malcolm: The evolving role of the Chief Information Security Officer (CISO) in the corporate world is reminiscent of the transformation seen in the Chief Financial Officer (CFO) position decades ago. Historically, CFOs were primarily number crunchers, focused on accounting and financial reporting. However, regulatory changes and increased accountability have elevated the CFO role to a strategic partner in business decision-making and risk management.

Similarly, the CISO's role is undergoing a significant shift. With recent regulatory changes and heightened security concerns, the CISO is moving from a technical expert to a strategic leader. This transition is not just about managing cybersecurity risks but also about understanding and driving business strategy, much like the evolution seen in the CFO's role.

The journey ahead for CISOs might be challenging, with bumps along the road as they navigate this expanded scope and increased accountability. However, the ultimate goal is for CISOs to not just have a seat at the table but to earn it by demonstrating the same breadth of knowledge and strategic insight as their C-suite counterparts. This means that CISOs, or perhaps Chief Security and Trust Officers as I prefer, need to be well-versed in both the technical and business aspects of their organizations, ensuring they can contribute effectively to broader business goals while safeguarding the company's digital assets. The future of the CISO role is more integrated, strategic, and essential to the success and resilience of organizations in a rapidly changing digital landscape.

Q. Some argue that the role of CISO has failed to adapt and be effective in the current cybersecurity landscape. What's your take on this?

Malcolm: Certainly, I've noticed some of my peers might have struggled to adapt, but there's a significant number who are actively evolving and embracing new technologies. They're not just sitting back; they're tackling risky issues head-on and avoiding ineffective policies. For instance, rather than blocking emerging tools like Chat GPT, they're learning how to integrate and manage them responsibly. I firmly believe in being a first mover in technology, not just in cybersecurity tech. It's crucial for risk managers to lead from the front, understanding and navigating potential threats. That's how you truly manage and mitigate risk effectively. If you're always trailing behind the technology curve, you're not fully equipped to protect or guide your organization through the evolving landscape of cybersecurity threats.

Q: What advice do you have for individuals aspiring to have a career in cybersecurity?

Malcolm: In pursuing a career in cybersecurity, you must recognize it's a multifaceted journey with no definitive endpoint. First, determine your technical focus. Decide whether you want to specialize in a specific area like network security, endpoint security, or database security, or if you prefer to be a generalist with a broad understanding across various domains. It's crucial to know that it's okay to shift your focus as your career progresses.

Secondly, understand the business context of your work. The technical aspect is just one side of the coin; comprehending the business you're protecting provides essential context for your role and the risks you're managing. This means developing a level of business acumen, which becomes increasingly important as you progress in your career.

Lastly, commit to being a lifelong learner. The field of cybersecurity is dynamic, with new threats and technologies constantly emerging. Staying informed and adapting to new information is crucial. This might mean stepping out of your comfort zone and exploring areas beyond your initial focus.

Ultimately, your relevance and impact in the field will correlate with your willingness to continuously learn, adapt, and understand the broader implications of your work in the context of the business.

Q. Can you share a pivotal moment in your career that changed the way you approach cybersecurity?

Malcolm: Reflecting on pivotal moments, one stands out vividly — the SQL Slammer incident in 2003. I'd been in the role for about 14-15 months, navigating Intel through a maze of challenges, from fixing hygiene issues to implementing vital controls. Just 15 hours before the SQL Slammer hit, I'd published an internal article highlighting the millions saved by our security efforts. We'd calculated a return on investment that was substantial, considering the deflected cybersecurity incidents and the minimized downtime, all running into the nine figures. It was a moment of pride, having saved the company from significant losses through proactive measures.

However, the arrival of SQL Slammer was a stark reality check. Suddenly, we were thrust into a relentless week of hand-to-hand combat against this threat, dedicating over 10,000 man-hours to keep operations running. This experience taught me an invaluable lesson: in cybersecurity, you can never rest on your laurels. No matter the successes of yesterday, a new challenge is always on the horizon, ready to test your limits. It instilled in me a resolve to always stay vigilant, adaptable, and prepared for the unexpected, reinforcing the idea that in this field, complacency can be your greatest downfall.

Q. What future trends in cybersecurity should professionals keep an eye on?

Malcolm: Reflecting on the last year, the evolution of AI, including chat GPT and generative AI, stands out as a significant trend. However, the real game-changer is understanding materiality within your business. It's about staying current with technological trends while also keeping a broader perspective on geopolitical and threat vector trends.

Knowledge of your environment's systems and data, what creates material impact, and the controls you need is fundamental. But equally important is an accurate and objective assessment of your cybersecurity posture. This proactive approach isn't just about reacting to what's known; it's about anticipating potential unknowns and threats that could emerge as technology evolves and dependencies increase.

Trust, particularly in the security vendors you rely on, is increasingly becoming an attack surface. It's imperative to critically assess how security controls might be manipulated and to maintain a comprehensive, 360-degree view of risk. In this ever-evolving landscape, constant vigilance and a forward-thinking mindset are key to staying ahead of threats and safeguarding your organization.

Q. Do you have any upcoming projects or initiatives you'd like to share with our readers?

Malcolm: For 2024, I have some exciting projects on the horizon. Firstly, I aim to release the third edition of my book, "Managing Risk and Information Security," enhanced with new chapters to reflect the evolving landscape. Another major focus is the changing regulatory environment, particularly with the new presidential order on artificial intelligence. I plan to contribute my insights and expertise to the public policy discussion, aiming to shape effective regulatory regimes and prevent misguided policies. My role is not just about writing or advising; it's about advocating for a deeper understanding of materiality in cybersecurity and helping individuals and organizations connect the dots to better manage risks. These endeavors aren't just tasks; they're driven by my passion and commitment to the field.

Malcolm Harkins' insights provide a valuable roadmap for understanding and navigating the complex world of cybersecurity. His emphasis on materiality, accountability, ethics, and continuous learning offers a foundation for both current and aspiring cybersecurity professionals to build upon in their quest to secure the digital landscape.

Sabrena Gartland | Director of Marketing

17+ yrs in marketing and PR, excels in digital strategies, brand development, and creative content. Passionate about innovative engagement and growth.