McAfee CISO: The importance of a strong cybersecurity culture

At McAfee, Grant Bourzikas is in charge of securing the cybersecurity company: He is the CISO of the security technology provider, based in Santa Clara, Calif., that is among the leaders in the industry. This role -- and the role of the CISO in general -- has become more complex in recent years, Bourzikas said, mostly because the old rules to "protect the perimeter" simply don't apply. "The perimeter is eroding, so what it leaves us with is networking that's not as secure internally," he said.

These rapidly evolving threats have made a strong, companywide cybersecurity culture essential to data protection for modern companies, Bourzikas said. In part two of this two-part Q&A, he discusses what this culture should look like and how evolving cybersecurity risks are changing the desired skill sets for security professionals.

Editor's note: The following has been edited for clarity and length.

Do you face increased cybersecurity risks due to the nature of your company? In other words, are you are a target in ways other organizations aren't?

Grant Bourzikas: We are a target. We see a lot of targeted attacks and a lot of things that are sophisticated. But I have some of the best developers, engineers and product management people in the world at my fingertips to help, and that's one of the coolest things about what I do. I can call in the best people who can help defend against that.

The other thing we've established is when we see that, we have a program where we use our own products, or come up with innovative products, that we can take to market based on the attacks we see internally as well as externally.

Grant Bourzikas

You talk about the importance of cybersecurity culture, and how security is everyone's job. These aren't new ideas, but they haven't been fully embraced across organizations. What are you doing to change that in your organization?

Bourzikas: All new employees go through the McAfee pledge, [which starts], "We dedicate ourselves to keeping the world safe from cyberthreats." That's really setting the cybersecurity culture at McAfee from the beginning of their employment here. Our employees are the first line of defense, whether the attacks are [based on] phishing or social engineering. We have great technology, but we need to know if employees are doing something suspicious. We want a businessperson asking about a transaction looking suspicious. You need to put those two things together: systems and seeing suspicious behavior with your own two eyes. That's often overlooked from a security standpoint.

But the hard part of this is everyone in an organization has a different level of sophistication from a cybersecurity standpoint. If you're talking to our engineers, they're going to have a different standpoint than someone in human resources or in the finance department. So, when you look at training, it has to be at an individual- or department-level of understanding. The conversations I have with a finance group are different than the ones I have with the IT organization or with customers asking about how to communicate security needs to their boards. It's a targeted communication.

You've talked about using gaming and other techniques to train the next generation of security professionals. What are you doing on this front?

Bourzikas: When you look at the talent pipeline and look at the gaming things we're doing, we're trying to attract people into this industry who are diverse. Diversity, in my mind, is diversity of thought. We've had some failures in our industry in the past 20 years, and if we keep hiring the same people, we'll end up with the same results.

In the next few years, the shift will be to use more data science in the cybersecurity world to apply better capabilities.

We need to target different skill sets, and one of them is gaming. Gamers are interested in technology and computers and how things work. They're very inquisitive. Those are things that cybersecurity people need. People ask me what I think are the most important skills to have in cybersecurity and I say the desire to learn and inquisitiveness. We look for gamers, and we try to game within our own system, whether it's tabletop exercises or it's red team-blue team penetration testing.

What do you see next in terms of the cybersecurity risks and cybersecurity in general?

Bourzikas: I'll give you two spectrums: a business one and a technical one. The first: I do think the midterm elections are going to be interesting. We saw already the involvement of a nation-state with the last presidential election.

And the other thing I think is very valuable this year, next year, three years out: The use of data in the cybersecurity world. Look at the footprint we have: over 400 million endpoints (McAfee customers, corporate and consumer). Using our own data to defend customers is very vital to what we do. In the next few years, the shift will be to use more data science in the cybersecurity world to apply better capabilities.

You started as a certified public accountant. How does that background add to your abilities in cybersecurity?

Bourzikas: The accounting helps me translate the cybersecurity and the technical jargon into financial terms and business risks. That's something I've always been able to do because of that accounting background, and that has helped me from a business standpoint.