maxkabakov - Fotolia
McAfee CISO: Leadership buy-in essential to boost cybersecurity
As online risks continue to evolve, making sure company leadership buys in to efforts to improve cybersecurity posture has become essential, says McAfee CISO Grant Bourzikas.
McAfee products protect millions of computer systems around the world, but it falls to Grant Bourzikas to protect the Santa Clara, Calif., maker of security technology. As the company's CISO, Bourzikas is responsible for McAfee's cybersecurity and physical security strategy; essentially, he's charged with securing the high-level cybersecurity company.
Moreover, as leader of McAfee Labs, Bourzikas is responsible for threat intelligence data telemetry, content generation, content delivery and analytics for McAfee customers. Between his 20-year tenure in the industry and his current post at McAfee, Bourzikas has developed a broad perspective on cybersecurity.
In part one of this two-part Q&A, Bourzikas discusses the ways cybersecurity has changed as threats have become more complex and how this evolution has influenced CISO leadership roles.
Editor's note: The following has been edited for clarity and length.
What has been the biggest change in cybersecurity since you entered the profession in the late 1990s?
Grant Bourzikas: The bad actors and criminals are getting very good at what they do, and they're doing what businesses do, which is calculating the ROI: What can they do from a capability standpoint? What is the risk? How much can they get? That's what we've progressively seen: the adversaries getting stronger.
But we're starting to see tools like machine learning and artificial intelligence that are intuitively using algorithms to help us get better at detection. That's something we have, but we'll see our adversaries also start to use our own tools against us.
Another change is cryptocurrency and cryptomining as a way for moving money -- and for money laundering -- around the world. That's something that didn't even exist 15 or 20 years ago.
Then, there's the one thing that I think has gone under the radar, and that's the nonattacks. [I'm referring] to two things: The first is fileless attacks. These types of attacks weren't prevalent 15 years ago. We have transitioned from network-based attacks to malware-based attacks. And, now, the latest attacks are the fileless attacks.
[The second is] supply chain attacks, like NotPetya. MeDoc was the software company from the Ukraine that was exposed. They distributed the NotPetya malware to companies that used their software as part of a normal software update. Supply chain attacks are becoming far more prevalent these days, as attackers target the supply chain to attack larger, more sophisticated, mature, secure companies that are dependent on their supply chain or third parties to operate their business.
What has been essentially the same over the past two decades?
Bourzikas: One of the things I like to talk about are the basics. Good, strong security architecture hasn't really changed over the past 20 to 30 years. Firewalls, protecting assets, patching, vulnerability management -- those were all around when I started in the late '90s, and they're still around today.
Grant BourzikasCISO, McAfee
We often think that a technology like machine learning and artificial intelligence will solve our problems, but I think those are great augmentations to doing the basics that have been around for 20 years. It's great to have the latest technology; it helps you stop the attackers. But applying the latest technology to the basics is the recipe for success.
What is currently the biggest challenge to CISO leadership practices?
Bourzikas: Establishing a really good culture is important to the success of a CISO -- making sure the organization has the right appetite for security, that you're having the right conversations at the executive and board level about the organization's cybersecurity posture and security controls. That's something that I am very passionate about, because security teams will never be successful in the execution of a strategy without buy-in.
What do you mean when you say that CISO leadership must have 'the right conversation?'
Bourzikas: It's being very honest about the cybersecurity posture of the organization and being very truthful. When you can articulate the risk from a business standpoint, the CEOs and the CFOs can understand the security points you're talking about. Once you can articulate the risks and they understand them, they always make the right decisions.
What we have to do as CISOs and leaders in cybersecurity is create that conversation and really inform our executive team about the risks we face. We can't solve [security challenges] as a security organization; we have to solve it at the company and industry level.