Meet a Member: Grant Bourzikas, CISO and “Customer Zero” at McAfee
Talk about a hot seat: Grant Bourzikas is the cybersecurity guy at a cybersecurity industry leader, McAfee. A CPA by training, he’s held CISO jobs at financial, utility and gaming companies. He’s been rolling out FAIR at McAfee this year, and we checked in with him on how that’s going, how the cyber world looks to someone whose organization looks at over 1 million pieces of malware a day, what it’s like to be Customer Zero, and what the two biggest problems in security operations are, according to McAfee’s 100,000-plus corporate clients.
Looking at your job description, you are wearing many hats.
My first charter is to run all the operational security things: protect the McAfee business units’ source code, intellectual property, customer data and so on.
Charter 2 is making sure I am the first person to use all McAfee products and services. I’m Customer Zero. Our charter is to deploy everything that is released to the public two to four weeks in advance so we can work out the bugs.
The third role is sharing our success with our customers in a broader educational platform, whether it’s around products and services or the FAIR method.
And in late 2017, I picked up a group of 200 that is the Labs Operational Content Group. We have 500 million endpoints across the world, we look at 1 million different pieces of malware a day, and we field 55 billion requests from customers daily. All the content that comes down to protect you--your antivirus signatures, your host intrusion signatures--all of that comes from that organization.
How did you come to FAIR?
An important point to know is that McAfee is about a one-year-old company. We spun off from Intel in April 2017. I did not have complicated risk models that had been there in previous versions, so I could draw my own picture of what risk management should look like from a cybersecurity standpoint. So, we set out to create a revamped security strategy, and that was when we found FAIR, particularly as a good frame of reference for how we can articulate risk to the business and the board.
I’ve been a CISO for about 15 years, and I’ve self-created different algorithms for NIST controls or different types of maturity modeling, and I’ve been pretty successful at board communication. But I can tell you that boards don’t have confidence in many of the self-generated models that cybersecurity people create. They ask, how do you know this is working? Is it a provable model? FAIR is a quantifiable, repeatable methodology that has a proven model behind it that is actually relevant to our business.
I think people don’t fundamentally understand that boards are made up of accountants and lawyers for the most part. They do not understand cybersecurity risk from a platform standpoint.
If we can actually articulate risk and threat likelihood and consequences, it gets us in a good position as a trusted adviser to the board, where I’m not just talking about segmentation or fileless-type threats or adversarial machine learning; boards will never want to understand that. They want to understand what’s the risk, what are you doing to address the risk, and then show me how you are actually managing the risk.
What’s been the reaction in your organization to FAIR?
Reaction has been good. When we started on this a few months ago, it was a different methodology than people had previously seen, but I think they saw value very quickly. And to be able to show some quantifiable numbers and some bell charts really helped articulate the story. Most organizations, when the risk is shown to them, want to fix it.
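The “quantifiable numbers and bell charts” mentioned above are what a FAIR scenario produces when it is run through a Monte Carlo simulation. The block below is an added illustration, not code from the interview or from McAfee: it assumes a simplified FAIR decomposition (loss event frequency = threat event frequency × vulnerability; annual loss = sum of the per-event loss magnitudes), uses triangular distributions in place of the PERT distributions that FAIR tooling usually uses, and the scenario ranges in it are constructed sample values.

```python
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Range:
    """Min / most-likely / max estimate, sampled as a triangular distribution.
    (Assumption: real FAIR tooling usually samples a PERT distribution instead.)"""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class FairScenario:
    """Simplified FAIR decomposition of one risk scenario."""
    threat_event_frequency: Range  # threat events per year
    vulnerability: Range           # probability a threat event becomes a loss event (0..1)
    loss_magnitude: Range          # cost per loss event, in dollars


def _poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year given expected frequency lam (Knuth's method)."""
    if lam <= 0:
        return 0
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenario: FairScenario, years: int = 10_000, seed: int = 7) -> List[float]:
    """Monte Carlo: each iteration is one simulated year; returns the loss for each year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        lef = scenario.threat_event_frequency.sample(rng) * scenario.vulnerability.sample(rng)
        events = _poisson(rng, lef)
        losses.append(sum(scenario.loss_magnitude.sample(rng) for _ in range(events)))
    return losses


def percentile(values: List[float], pct: float) -> float:
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(round(pct / 100 * (len(ordered) - 1))))
    return ordered[idx]


def summarize(losses: List[float]) -> Dict[str, float]:
    """The numbers a board slide would carry: expected loss plus a few percentiles."""
    return {
        "mean": sum(losses) / len(losses),
        "p10": percentile(losses, 10),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
        "max": max(losses),
    }


def histogram(losses: List[float], bins: int = 10) -> List[Tuple[float, int]]:
    """Bucket counts behind the 'bell chart': list of (bucket lower bound, count)."""
    top = max(losses) or 1.0
    width = top / bins
    counts = [0] * bins
    for loss in losses:
        counts[min(bins - 1, int(loss // width))] += 1
    return [(i * width, counts[i]) for i in range(bins)]


# Constructed sample scenario (illustrative numbers, not McAfee's): credential phishing
# leading to exposure of customer data.
PHISHING_SCENARIO = FairScenario(
    threat_event_frequency=Range(2, 6, 12),
    vulnerability=Range(0.05, 0.15, 0.40),
    loss_magnitude=Range(50_000, 200_000, 1_000_000),
)

if __name__ == "__main__":
    annual = simulate_annual_loss(PHISHING_SCENARIO)
    for name, value in summarize(annual).items():
        print(f"{name:>5}: ${value:,.0f}")
    for lower, count in histogram(annual):
        print(f"${lower:>12,.0f} {'#' * (count // 200)}")
```

The point of the percentiles is the one the interview makes: a board does not need to hear how the phishing campaign works, only that the expected annual loss is X, that one year in ten will cost more than Y, and what the planned control does to those two numbers when the simulation is rerun with a lower vulnerability range.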
Are maturity models still in use?
We still use maturity models, but now in a slightly different way. I have an operating model I call FAIR-centric: What is the risk to the organization? The second piece of risk ties closely to a maturity model, looking at how we do operational maturity: security operations maturity, incident response maturity, software development maturity, and we look at compliance maturity. We measure how well this ecosystem is working from an operating model, and everything we do maturity-wise or metrics-wise or for projects has to move the needle on the risk model.
Is FAIR part of your customer communications?
I do a lot of customer visits and get asked questions about how we run our SOC, our tools and processes, up to risk management and communication. One of the things I articulate that stirs a discussion about FAIR is the importance of talking about risk and threats. It’s important to talk about a security program, but I have found that nobody really understands the program – what matters is the metrics driven out of the program affecting risk. I talk about that because a lot of cybersecurity people are very focused on technical challenges vs. CISOs needing to lead the organization forward on making the right decisions, based on risk.
From where you sit, you have great visibility into the state of cybersecurity. How is it looking?
There are two areas I hear a lot about from customers.
One is the talent shortage. I did a presentation at RSA with Chatelle Lynch [Chief Human Resources Officer at McAfee] on how to build a talent pipeline because without the right people in your organization you will never be successful at defending against attackers.
We need to look at a diverse set of people. We have a heavily white-male-dominated industry that tends to think the same way. To combat security challenges of the future we need people to think differently. I view diversity as diversity of thought and ask how I bring people onto my team who might challenge my biases of the past. We have numerous interns, looking to build that diversity of thought.
The second challenge is around how we actually manage operations better. It’s very hard to combat all the new threats and attacks if your entire team is focused on operations.
Overwhelmingly, cybersecurity people say they’re spending most of their time on trying to maintain the toolsets vs. security. That’s another challenge: How do we gain some automation, and how do we look at a strategy that allows us to execute vs. always managing tools? Thousands of security companies will sell you the next artificial intelligence / machine learning tool that will solve all your problems. And it just introduces a new tool you have to manage and takes focus away from the next security breach that will affect your organization.
At McAfee, we spend most of our time around process, how we operationalize toolsets and people. Of course, I’m biased because I use every one of McAfee’s products; we have the technology stack already, so the focus is not on vendor A, B or C, it’s on how to get this to work best in our environment. A focus on process or people development puts us in a better spot at the end of the day to drive risk mitigation for the whole organization.