The Network Edge

The Network Edge - Our Interview with Malcolm Harkins

Published February 15, 2022 by Benny Lakunishok

Malcolm Harkins, the Chief Security & Trust Officer at Epiphany Systems, is an independent board member and advisor to several organizations. He is also an executive coach to CISOs and others in a wide variety of information risk roles. Previously Malcolm was the Chief Security and Trust Officer at Cylance and was also previously Vice President and Chief Security and Privacy Officer (CSPO) at Intel Corporation. Malcolm is the author of Managing Risk and Information Security: Protect to Enable.

Tell me about your background.

I’m a bit of an oddball compared to most security folks. I didn’t get my start as a technologist. I got my undergrad degree in economics and did an MBA in finance, and I started my technology career in Intel at procurement – not security.

But then in 2001, there was a wave of crippling malware incidents like [the computer worms] Code Red and Nimda that got me thinking: how can we apply the frameworks and mental models of the business world to protect the enterprise? Over the next 13 or 14 years, I was given the opportunity to wrap my arms around all elements of security at Intel. Eventually I took over privacy and product security. From Intel, I went on to become the Chief Security and Trust Officer at Cylance, and now I lead security and trust at Epiphany Systems – while serving as an independent board member to several tech organizations and advisor to CISOs.

What unique insights do you think your non-traditional background gave you?

My cybersecurity philosophy has always been “protect to enable.” That’s the opposite of protection for its own sake. It means that security should be in the service of helping the business create and deliver value more efficiently and reliably. How can we do that with as little disruption as possible? How can security function less as a gatekeeper and more as a “choice architect” to the business?

Another area is around my approach to human capital management. On paper, I wasn’t an obvious candidate for a security leadership role at Intel. But [Intel CEO] Andy [Grove] was relentlessly focused on impact and results – not pedigree – and the CIO I worked for at the time kept increasing the scope of my responsibility.

That’s a lesson that I’ve carried over into my own leadership experience. Seek out talent in counterintuitive places: non-traditional functions in the organization, schools that aren’t part of the conventional recruiting pipeline. I hire people who are hungry, humble, and smart. And I try to over-invest in instilling a sense of belief in the mission, management, peers, and self.

It’s not just that recruitment costs are lower and retention is higher. Diversity fundamentally strengthens any security organization.

How does diversity strengthen a security organization?

Our biggest challenge in protecting an organization is the fundamental misperception of risk. We all have biases that cause us to perceive risk through a specific lens. This isn’t bad in and of itself. But some of the most catastrophic disasters have come from choosing the wrong lens to interpret risk.

The only way to combat the misperception of risk is through diversity of perspective.

If you look at misperception of risk as a vulnerability, the only mitigation strategy is to cultivate a diversity of perspective. That’s why it’s been so rewarding to see an increase in diversity over the past few years – more female CISOs and greater racial and ethnic representation in security organizations. This is absolutely the right thing to do. And it’s also smart for organizations that want to counteract this blind spot.

What does it mean to misperceive risk?

Ford knew about problems with the Pinto before it decided to ship it. But it moved forward anyway. Why? Because, as their internal documents showed, they framed it as a P&L decision – not in human terms.

When the shipping giant Maersk was hit by NotPetya ransomware a few years ago – sure, it cost them a few hundred million dollars. But what were the macroeconomic consequences? What if there was medicine on those shipping containers? Or food that was going to an impoverished nation?

Too often we’re focused on the risk to myself vs. Others, which in my view is too narrow of a lens. And this prevents us from making the best decisions, holistically, for both the company and society.

Let’s go back to your thinking on “protect to enable.” How do security leaders make that a reality?

A lot of security thinking is still lodged in an old “detect and respond” world – dealing with known threats, largely once they have breached an organization’s defenses. Reactively response to threats not only incurs high costs and exposes the organization to great risk. It also taxes the business severely with what I call a “drag coefficient” – the controls that stifle business velocity and innovation.

I introduced the 9 Box of Controls to articulate what I see as a better way: a more proactive, adaptive, and agile approach to prevention as opposed to response.

On the vertical dimension, the 9 Box contains three different types of security controls – prevention, detection, and response – which go from low to high risk. The horizontal dimension contains three different approaches to control implementation – automation, semi-automation, and manual – which grow from low to high cost.

There’s also a third dimension not pictured here, which is “friction.” How much drag does a particular control put on the business – how much does it slow velocity and innovation?

When I work with organizations to map out their security controls, they overwhelmingly sit in the upper right-hand quadrant: the “detection/response” paradigm, i.e., costly manual interventions to known risks. What should they be doing? Always be shifting to lower-cost, more automated solutions. Always stripping away friction from the business.

How should an organization get started with the 9 Box of Controls?

Map your portfolio of controls to the 9 Box model. For example: which controls involve a costly, manual, high-friction “detection and response” model? Which are lightweight, automated or semi-automated prevention controls?

In part, the goal is to identify opportunities to “reweight” the control portfolio by embracing more automated, lower-friction approaches to risk prevention (as opposed to response). But there’s also a question to be asked about each control: how well is it performing? For example: you might have a preventative control, but if it has low efficacy then it’s really not achieving the desired outcome.

There are a lot of approaches out there to measuring the efficacy of a given control, like quantitative measures and maturity scales. But I think it’s fine to start with a qualitative assessment. Where are there opportunities to increase protection at a lower cost?

2021 was the year of “ransomware on steroids,” and I anticipate troubling new developments in this domain in 2022. A few examples of how ransomware could evolve to be even more pernicious:

  • Ransoming a system below the operating system – at the firmware level. Even next-gen endpoint solutions might not be able to stop these types of attacks, and the consequences could be devastating: having to brick a system and do a full hardware replacement.
  • The blackmail twist on ransomware. Many enterprises are naturally focused on preventing critical systems like manufacturing and POS from getting ransomed. But imagine a company’s HR or legal database being compromised. How much could malicious actors extract to prevent damaging information – e.g., confidential settlements of sexual harassment suits – from reaching the public eye?

In 2022, we'll almost certainly see increased intertwining of personal and corporate liability in the security domain.

I see this intertwining of personal and corporate liability becoming a fascinating development in 2022 in a few other ways as well.

The first is around critical employees and their home systems, particularly in an era of remote work. It’s not uncommon for a company to spend $100k a year (or much more) on the security of key employees. But think about the challenges – logistical, privacy, and liability – that come with extending the corporate perimeter into the home. Do you want IT forensics done on a home system?

The second is around the personal liability of the security leader. Should CISOs/CSOs be held personally liable for negligence or incompetence in discharging their office? I believe so – just as general counsel or CFOs can be for legal or financial malfeasance.

Finally, the slippery slope of ethical issues related to AI and machine learning will be a defining feature of the 2022 landscape. What unintended biases might be introduced as a result of well-intentioned actions (e.g., seeking greater automation within the 9 Box framework) – and what might this mean for individuals? If done right, security can lead to lower cost, lower friction, lower risk. But we have to contend with the possibility that security tech is actually generating new sources of risk.

What recommendations would you make to security leaders heading into the new year?

Three reflections: one technical, one organizational, and one related to people leadership.

My technical recommendation: rethink how you’re implementing zero trust. Zero trust is absolutely a worthwhile aim, but far too complex and multidimensional a problem to handle through a portfolio of manual controls. You need automation to tackle the problem at the scale of the modern enterprise.

My organizational recommendation: enlist cross-functional support of your initiatives. Go beyond looking at your own budget. Look at the IT budget. Look at the company’s budget. Suddenly it’s limitless. The key is all in the framing and the notion of “protect to enable.” How can your initiative strengthen security while helping the company faster? I’ve never come across a head of sales who isn’t open to a conversation like: “Hey, we’ve got this antiquated process for the sake of checking a box on data protection. What do you think about partnering to update the process to remove friction for sellers (while keeping our data more secure)?”

My people leadership recommendation: Invest in renewing team members’ sense of mission and self. During this team of upheaval, it’s more important than ever to fortify the culture of your team. How do you transmit your beliefs? How do you recognize achievements? Every person on the team should be able to say, at all times: “I believe I belong. I matter.”