Cylance CSO: Let's name and shame failed security controls
Malcolm Harkins, the chief security and trust officer at BlackBerry Cylance, says security controls that don't live up to their billing should be taking more blame for data breaches.
Malcolm Harkins believes it's time to stop blaming hacking victims and start naming and shaming failed security controls.
Harkins, the chief security and trust officer at BlackBerry Cylance, spoke at this year's RSA Conference about managing information security costs and the inefficiencies with current enterprise approaches. One of the biggest problems, Harkins said, is the lack of accountability for cybersecurity software and controls that fail customers.
Harkins spoke with us at RSA Conference 2019 about his views on enterprise security struggles, calling out vendors instead of hacking victims, and why CISOs need to change how they operate.
Editor's note: This interview has been edited for length and clarity.
In addition to your day-to-day responsibilities within Cylance, you've also been pretty vocal outside the organization about the problems you see with information security. What's your view of the industry?
Malcolm Harkins: Cylance gives me a platform as well to talk about the things that have frankly pissed me off about the industry. And I want to break it, bend it and basically expose the fact that the industry, by and large, doesn't actually care if it solves the problem. I give speeches and talks on that, and I tell everybody we need to do attribution to the control that failed and focus people on where the security industry has failed to do its job. Instead of rewarding them with more revenue and more money for selling us more crap that doesn't work, we should be holding them accountable and culpable for the issues that we've got.
Endpoint security has become a very crowded space. Do you feel like there are too many vendors and that's part of the problem?
Harkins: I think the industry likes to say there are too many security vendors in order to feed the beast of 'grow and destroy' and not actually solve the problem. It's a distraction to the real issue, which is, it doesn't matter if I have five vendors or 50 vendors. If they're delivering me the business outcomes that I need on risk and cost, then who cares if it's five, 50 or 500? Nobody's complaining about the tens of thousands of [mobile] apps. How many hardware vendors do we have? How many other software vendors do we have? And nobody complains about that, because those are IT capabilities, and some are being used in an enterprise context.
So, is it the number that's the problem? No. It's the outcome, and the fact that we're not delivering the outcome that's the problem. If we were delivering a better outcome, guess what? We would have a reduction in vendors, because we wouldn't be slapping the Band-Aids, bubblegum and baling wire that is being promulgated out in the industry. If you get products that work, then you'll need fewer products. Why do we have so many? It's because the stuff we bought for 20 years hasn't worked.
What do you think is the core issue with these failed security products? A lot of complaints have been centered on the fact that they generate so much data it's hard for customers to know what they're looking at and what's important. But if you're talking about widespread ineffectiveness, then I'm not sure it can be just a data issue.
Harkins: I agree -- it's not just the data. You may ask, 'Why are we stuck in the semi-automated to manual phase for detection and response?' In my '9 Box of Controls' post, I explain the cost gets higher for an enterprise as it moves from automated to manual. And the highest cost to me as an enterprise is the most revenue for the industry. If you get to the economic motivations of the industry, at a macro level, it doesn't have an incentive to solve the problem; hence, more products, more risk, and the cycle continues.
I've seen this, having been in the industry a long time. I've pushed CEOs of a lot of vendors over the years, and they've said, 'Well, I'm not going to go solve that problem because I can't make any money out of it. And if I do solve that problem, now I've got 10 other products I can't sell.' I've heard that directly from CEOs of security companies.
That's not great.
Harkins: Right. I've experienced that, which is why I'm jaded and I say that we've got to change the economic incentives. It's a problem. There's a good example of this; the [House Committee on Oversight and Government Reform] did a really good report on the Equifax breach.
Yes. What stood out to you?
Harkins: The thing that chafed me about this whole thing is that people are blaming Equifax, but if you look through that [report], they had everything. They had bodies, they had tools, they had [data loss prevention], they had [antivirus], they had [host-based intrusion detection system], they had [host-based intrusion prevention system] and they had databases. They had all that stuff. They had a vulnerability scanning tool that was used multiple times but did not flag the vulnerability.
So, why are we throwing Equifax and -- wrongly -- the CISO under the bus when they had what almost every enterprise that is rich enough to afford a lot of this stuff has? And the thing that really bugged me is they published the remedial report from the vendor who conducted the incident response -- and I won't name the vendor -- that said, 'If you follow these things, you will prevent further recurrence of issues at a higher degree.' And those 11 remedial actions were basically 'deploy additional this, enhance the scope of that, further speed up the deployment of this.' So, it's basically, 'Do more of the same stuff, and expect a different result.'
That's the problem with the [infosec] industry. What should have happened was people should have looked at the fact that they had security controls, those controls were insufficient and, in one case, a completely flawed control, a vulnerability scanning tool that was signature-based, did not tell them they had an issue. And what should have happened is that vendor should have been raked over the coals, and then we should have done the attribution to those other failed security controls. And it wasn't just the vulnerability scanner that failed, either. There were others, like the expired certificate [for the network monitoring appliance].
Companies pay a lot of money for these products. How does that factor into the problem?
Harkins: Well, you pay a lot of money for it, and you jacked up the user experience, and you slowed down the business. Boy, that's a great result. I've not managed to mitigate any risk. I need a bigger budget because I haven't managed any risk. And, by the way, I've slowed down the business processes by 30% to 40% and affected your time to market. And, now, I'm going to go to the board and ask them to give me more money, more budget, and more people?
That's the stupidity of what's happening now. The boards are doing that, because they're not holding the CISO accountable to the business outcomes. There are only three outcomes: risk, cost and the friction on the business processes. I tell people to treat your board and your CFO like a venture capitalist. I'm going to go in and take my 9 Box of Controls, and say, for example, 'Here's where we're spending. Here's what our risks are, and here's the friction we're creating on the business process and on the business philosophy. And what I need is $8 million in 18 months.
'And here's what I'm going to do: deploy more automation to reduce cost and move into prevention to reduce risk. And if I do these things right, and I design the controls right, I'm going to speed up these five business processes and improve the sales flow and improve the innovation cycle.'
What board wouldn't say, 'I'll give you the money, and I'm going to hold you accountable'? We've got to get CISOs managed like they're a business unit general manager, with those three outcomes. The pressure on the CISOs will then create pressure on the market. When we have a breach, we should be publicly attributing the failed security control, and do the naming and shaming.