Redefining CyberSecurity

Design Goals and Cybersecurity Integrity: Redefining the CISO Role to Avoid Failure | A Conversation with Malcolm Harkins | Redefining CyberSecurity Podcast with Sean Martin

Episode Summary

In this episode of Redefining CyberSecurity, host Sean Martin discusses the challenges and failures of the CISO role with guest Malcolm Harkins, exploring the importance of clear design goals and integrity in decision-making.

Episode Notes

Guest: Malcolm Harkins, Chief Security & Trust Officer at HiddenLayer [@hiddenlayersec]

On Linkedin | https://www.linkedin.com/in/malcolmharkins/

On Twitter | https://twitter.com/ProtectToEnable

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

____________________________

This Episode’s Sponsors

Imperva | https://itspm.ag/imperva277117988

Pentera | https://itspm.ag/penteri67a

___________________________

Episode Notes

In this episode of Redefining CyberSecurity, host Sean Martin engages in a thought-provoking conversation with guest Malcolm Harkins about the challenges and failures of the CISO role. They discuss the importance of setting clear design goals and standards to determine success or failure. The conversation delves into risk management and the complexities of goal-setting, highlighting the role of integrity in the CISO's decision-making process.

They explore the gray areas and potential conflicts that arise when balancing risk perspectives within an organization. Sean also touches on the idea of having multiple specialized CISOs and the inflation of job titles in the industry. They examine where breakdowns occur and whether they stem from lack of clear design or succumbing to company pressure or vendor hype.

The episode also takes a turn to explore the CISO's role in ensuring the cybersecurity integrity of a company, drawing parallels to the roles of general counsel and CFO in maintaining legal and financial integrity.

Throughout the conversation, Sean and Malcolm provide insights and anecdotes from their own experiences, offering valuable perspectives on redefining the CISO role and addressing the challenges faced in the cybersecurity industry. The discussion encourages listeners to consider the ethical implications of their decision-making and the importance of designing control environments that prioritize true protection over profiting from insecurity.

If you're interested in gaining a deeper understanding of the complexities and failures of the CISO role, as well as exploring the gray areas and conflicts that arise in risk management, this episode is a must-listen.

____________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine


____________________________

Resources

Materiality Matters: https://www.icitech.org/post/materiality-matters

Integrity Matters: https://www.uscybersecurity.net/csmag/integrity-matters/

Integrity Matters (RSAC): https://www.rsaconference.com/library/blog/integrity-matters-lets-keep-the-conversation-going

____________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

https://www.itspmagazine.com/redefining-cybersecurity-podcast


Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

[00:00:00] Sean Martin: And hello everybody. You're very welcome to a new episode of Redefining Cybersecurity here on the ITSP Magazine Podcast Network. This is Sean Martin, your host, where I have the, the, the fortune of connecting with people from all over the place, uh, to look at how we can operationalize security and do it in a way that's not only protects the revenue that we generate, but actually helps companies. 
 

Create some of that revenue in the first place, uh, being more efficient and, and wise in their risk management, uh, procedures and efforts. Um, so you know, the show, if you're listening to listen for a while, um, I go all over the place today. We're going to look at a role that I think a lot of you will be interested in, especially with some of the news that's been been happening and that's where CISOs. 
 

Don't always win. May not make the best choices. May not have the best supports. May not, uh, get the results that. That they were anticipating. We can talk about it all different ways, but failure is the one summation of, of, uh, of all of that. Um, and for those that follow me on LinkedIn, you probably saw that I I've written a few blogs in this. 
 

It's a four part blog. I'm holding on the fourth part, but it's. Why am I, am I wrong for not wanting to be a CISO is the name of the series. So, uh, I talk a lot about the challenges and the, uh, opportunity to fail, uh, in, in those posts. Um, but today I'm happy to have a conversation. With Malcolm Harkins. And we're going to, we're going to talk about some of his learnings and experience in the industry and, and connection with others in the field. 
 

And we'll touch on some news things. I'm sure as well, Malcolm, it's great to have you on.  
 

[00:01:53] Malcolm Harkins: Thanks, Sean. I'm happy to be here.  
 

[00:01:55] Sean Martin: And, uh, I think you've. One thing that's a constant is change, right? So, the CISO role a few years ago looks different than it does decades ago. And, uh, today's, tomorrow's going to look different than today. 
 

And speaking of change, you've been, uh, you've been on the move yourself. Uh, doing some cool new things. So why don't you, uh, a moment and give folks an update on... What you're up to these days.  
 

[00:02:26] Malcolm Harkins: Yeah. Thanks for that, Sean. So I recently joined, uh, a company called HiddenLayer, winner of the 2023 RSA Conference Sandbox Innovation Award, uh, company was launched, uh, almost two years ago, give or take a little bit, uh, just closed. 
 

It's a round of funding. We're in the space of protecting people's advantage, protecting their artificial intelligence and machine learning. And I'm excited to be again on the bleeding edge of not only the explosive growth of AI in the world, but going to something near and dear to my heart. Cause I've always worried about the implications of compromised AI. 
 

And machine learning and, and how it could be weaponized in different ways, how it could be manipulated for malicious purposes in different ways. And, you know, while we've seen that explosive growth, we've also seen a wide variety of different ways to, to breach and manipulate, um, artificial intelligence and traditional controls don't work. 
 

And so, uh, it's great to be at that kind of edge of new controls. And the edge of, of new technologies to again, do what I have my, my trademark tagline, protect to enable people, data, and business.  
 

[00:03:52] Sean Martin: I love it. We think alike there, Malcolm for sure. And, uh, you have a long history in, in bringing new and advanced and funny enough, AI enabled protections again, uh, to, uh, to market and, uh. 
 

Yeah, I mean, I've, uh, followed you along through the years and, uh, it's always, always amazing to see the good things you work on and all that you do for the community. So again, thanks for having me on, um, or having, joining me, I should say, it feels like your show. Um, so as many times it happens, uh, A conversation is, is inspired by a post, typically on LinkedIn, and, uh, this is no different. 
 

Um, I follow you there. You, you did a post, uh, back in August. We finally got around to chatting about it now, but it, the title of it is, is it time to accept that the C, the current role of the CISO has failed? And. It was around this time that I started to put the series of posts together that I was working on as well. 
 

And I thought, let's have a good chat. So tell me first off, what was the impetus for putting that together? Was it an event? Was it an aha moment? Was it you overheard something from somebody and you thought... I need to get this off my chest now. 
 

[00:05:20] Malcolm Harkins: Well, so go back in time. I've actually said for many years that the security industry has failed, uh, as an industry itself. Um, and some of that is because of the economic incentives, because a lot of security companies, not all, but a lot, and certainly traditional ones who've been around for a long time, profit from the insecurity of computing, right? 
 

They make money, the more risks that exist. And in some cases they wait till the risk. Has, uh, manifested itself long enough that they can profit from it before they go solve it and bake it into existing solutions. And we've seen that over and over again. I think, again, the, the startup community is holding, I'd say the traditional players much more accountable to, um, really being, you know, hopefully more innovative, um, versus kind of milking their cash cows, which we've seen for years. 
 

Now, now getting to the CISO side of it, and, and the post, uh, there was a, actually a post that I read from somebody else. That had talked about the CISO's role has failed and, and they went on to talk about it's too complex and we got too many of this and too many of that and too many of this, all these things and I'm like, that stuff annoys me. 
 

I'm like, quit whining. Um, you know what, if you want a C suite job, you want a C suite title, you want a C suite pay grade. Well, guess what? Suck it up and do the damn job. And that means deal with the complexities, deal with the liabilities, deal with the responsibilities, and deliver an outcome, right? And, and so now some of that, when you start clicking down, and you go, has there been failures in the, the CISO role, or as I define it, Chief Security and Trust Officer, because I define it wider than, than the typical CISO role that nests under the CIO. 
 

Um, you know, for me, if you go back to basics, what is failure? It's a social concept, meaning that you did not meet desired or intended outcome, right? That, that's the definition of failure. So, you look at it and you go, okay, well, if a CISO has failed, what outcomes didn't they deliver on, right? Or what intended objectives? 
 

And sometimes... Sometimes it is the CISO and their team that didn't meet objectives. Other times, it is the organization itself, CEO, CFO, general counsel, that the board, the organizational inertia that agreed for you to hit a set of objectives, but frankly didn't fund you or allow you to actually do it. 
 

Right? So you have two things that could potentially drive the failure. And sometimes when you have a combination of both, a company that will, I'll be really blunt, give lip service to saying security is important and all this stuff, but frankly, doesn't give a crap. And, you know, the CEO will get up or CIO will get up during Cybersecurity Awareness Month and do the rah rah. 
 

Cyber security stuff and then go back to their office and then go, why is this, why are we doing this crap? And that's a little risk and, and you security team, you don't know what you're doing, you're getting in the way. I mean, you know, that happens, right? But there's also cases where again, truly the security team and, or the leader has failed to define the right objectives. 
 

And has failed to achieve it within the construct of, of the budget and time they were given. And, and that's clearly in my mind, a failure of the CISO.  
 

[00:09:14] Sean Martin: Yeah. And I know we want to talk about the, the, the three angles, uh, the individual, the The organization, which you kind of alluded to a bit there and also the, the industry. 
 

Cause I've seen a couple of the comments and one from Rick McElroy, where, what does he say? I think we haven't achieved the success we all wanted, but I don't know. It's a complete failure is what he, what he started off with there. Um, and, and what you described and. That point from Rick makes me think we didn't know in the early days what success was. 
 

So we were just kind of going and doing and setting a bar, sharing that bar with others, sharing learnings with others. And I think we've reached a point now where we're, the role is mature. Um. But do we have a clear, common understanding of what success looks like so that we can then say, no, we didn't achieve it, or is that still all over the place? 
 

What do you think?  
 

[00:10:17] Malcolm Harkins: I think it's still all over the place. So I've asked this question a lot of peers for years. I mean, I've been in this area for now, 22 years here in another few weeks. And, and I, I've asked repeatedly over and over again, what is your design goal for your security program? What is your design goal? 
 

And people go, they go, well, I, you know, well, I want to achieve SOC 2 compliance. Or, I want to achieve NIST CSF 3.7 out of 5. Or, I want to achieve, you know, a hygiene level of patching 99 percent of the systems, 99 percent of the time in our allotted SLA. Right. And I go, yeah, exactly. And I'm like, those are measures of motion, not measures of progress. 
 

And in some of those compliance standards, while I adhere to them, like them in some ways, hate them in other ways, they are not a design goal to achieve an outcome, right? If we were building a building in California, we would have to meet an earthquake seismic rate, for the earth to shake, for the building not to collapse, that's a design goal, right? 
 

If I want to drive a car and go from 0 to 60 in 2.7 seconds, that's a design goal. Or braking in a certain time period, that's a design goal. Crash test ratings for car, design goal. My design goal when I landed to run security... And business continuity in the Intel IT organization, 22 years ago, I looked, I'm a former finance guy, cash is king, spending money on security. 
 

Didn't add to Intel's net income, right? I, I had one primary goal and then a couple of secondary goals. The primary goal was no material or significant event. That was job one. And doing that at the least total cost of controls, with the least amount of friction and impediments on business velocity. Right? 
 

So you look at it and you go, 22 years ago, that was my goal. And I knew that as a former finance person and look at where the SEC is now going. Well, we got to talk about materiality. I'm like, look, it's always been about materiality, but you ask most CISOs what their design goal is, and they are not either able or willing to say, my design goal is no materially significant events. 
 

That would impact my shareholders, my stakeholders, or my customers. That should be number one design goal. Second design goal, which again, when I got to Cylance, we were a security company, right, we're supposed to be protecting those who can't protect themselves. Well, guess what? That means I had to go above and beyond that design goal. 
 

You know what my second design goal was? Only a nation state actor should ever be able to get in and they have to work for it. The equivalent of saying I've got a safe. And how long will my contents last at 1200 degrees Fahrenheit? Guess what? Those are the type of design goals that we should be setting. 
 

Then we can actually figure out if we succeeded or failed. Now, a different company might go, material events are fine. Okay, well, what type of events are okay? And what type of threat actor is okay to get in? And how, how easy should we make it for them? Those are the design goals and standards we should be setting. 
 

And without doing that... You know, it becomes really hard to judge. Did you succeed or fail in any situation? Yet I know I can go back and say where I succeeded and where I failed because I know what my design goals are.  
 

[00:14:29] Sean Martin: No, I don't know that I've heard it lately, but it certainly was a mantra. I think maybe I heard it a couple of weeks ago, but it's certainly been a mantra for years. 
 

That it's not if, but when, right? No such thing as a hundred percent security.  
 

[00:14:46] Malcolm Harkins: But that's, that's true of everything. You can't eliminate risk. You can't eliminate it physically, you can't eliminate it logically, you can't eliminate it in the financial markets, right? So there's no risk free world, but what you can do is become really close to eliminating the potential of material impact. 
 

If you've designed your control environment appropriately. 
 

[00:15:14] Sean Martin: So I have a feeling we're going to go a place I love because around risk management, cause what, what you're describing there is. Setting a goal, painting a, painting a path to achieve that goal and mitigating risk and dancing around ambiguity to, to get there. Right.  
 

[00:15:35] Malcolm Harkins: Exactly. I'm like, what it, you know, there's, you look at it and you go, there's three dynamics, what risk at what cost at what potential impediment to business velocity, and you go, okay, well, I don't want to impede the business that much, but I will, if it means I'm going to mitigate a material impact. 
 

And then the question just becomes, how much money are you capable of spending? And, you know, this becomes a challenge with a lot of people, particularly the past 20 months or so, right? There's been studies that said, CISOs' budgets have been growing, unchecked. I get more money, more people, more this, more that. 
 

And guess what? The past 20 months... That went away. Growth of the security spending in many organizations flattened or went down. I talked to a lot of peers. They didn't know how to deal with a budget cut. I always did because I'm like, am I, you know, will this create a material event? No. Well, guess what? I can accept that risk. 
 

Why? Because the design goal says no material significant events. Anything less than that is an operational issue, and we'll deal with it when and if it comes.  
 

[00:16:48] Sean Martin: So that begs a question for me. Um, and, uh, I kind of pull back to a couple of conversations. We had one with Steve Katz and, uh, one with Roland Cloutier, where this idea of not just one CISO, but many CISOs specialized in different things, right? 
 

I think I actually wrote another post on this point as well. So, what I'm wondering is if... We're being asked to do something that we, being the CISO, asked to do something that we're not good at. Should, should that goal be defined for us with enough detail that we know what we need to achieve? Cause, cause it seems to me that if we set it ourselves, we kind of have a picture, we work up to that goal in my mind, right? 
 

Based on what we think we can do.  
 

[00:17:46] Malcolm Harkins: Yeah, but when you start doing that, I think that the goal, and again, I know what my goals are, I know, you know, but again, somebody could define a slightly different goal, but I think you have to have a goal that's a, of the nature of what I talked about, right? You might say, Hey, as long as the script kiddie doesn't get in, that's good enough. 
 

Okay. Well, that's your design goal. Great. Um, you know, but, but calibrate on those things with the organization, right? CEO, CFO, general counsel, and board. It's a bi directional goal setting process, right? But I think, and I know from my own truth of how I approach the role, you don't have multiple general counsels. 
 

You don't have multiple CFOs in a company. You don't have multiple CEOs in a company. So, if we have to have multiple CISOs so that we can specialize, then guess what? We're not a C suite role. And that means me, as an individual, doesn't have the capacity to sit at that level. Okay, that's fine. Some people don't have it. 
 

Great.  
 

[00:19:00] Sean Martin: We see the inflated roles all the time, right? Is this a result of that? I mean, we, we see VPs of, of marketing and VPs of engineering and VPs of sales that are fresh out of high school and running, running a startup, but they have the title. 
 

[00:19:24] Malcolm Harkins: Yeah, there is title inflation in some companies. Nice. And in some organizations, but it doesn't necessarily have to be startups. I've seen title inflation and. You know, frankly, public companies that have gotten bought. I mean, look at my background at Intel. Intel had a hundred and some thousand people when I was there. 
 

You know, how many VPs and above there were 300 when Intel acquired McAfee, there was what, 8,000 employees. You know, how many VPs and above there were like 500, you go, okay. You know, different companies will have a different level of what I'll say, title inflation. 
 

[00:20:04] Sean Martin: So help, help us understand then. Let's. Make the large assumption that some goals are defined. You may question them, how they're, how they're articulated and whatnot. And maybe we touch on that as well, but let's assume something is there. Where, where does it break down then? Is it, is it actually in architecting or designing, or do we get swept up with, uh, with vendor talk and, and we, we try to put all stuff together that we're told we should buy or, or where do things break down? 
 

[00:20:45] Malcolm Harkins: Well, for me, it breaks down when, so let's just, you know, take a, you know, any one of the, the recent breaches in the news. That doesn't mean they failed. I've had, you know, systems that get popped and, you know, issues and even I wrote a paper on materiality earlier this year where I disclosed and explained how Intel was the first company that disclosed a cyber incident because it was potentially material under existing Sarbanes-Oxley law in 2010. 
 

Right. So I look at it and I go, I think we failed. When we haven't had the right dialogues, when we have succumbed to the pressure to water down, whitewash, or somehow dilute the portrait of risk, you know, I, I also did a thing on integrity, um, back, uh, a couple of times, a couple of years ago, and even polled a number of CISOs, 76 percent of us said that we've been pressured to water down or dilute the portrait of risk to executives. 
 

When we do that, we've failed, right? So for me, the CISO has failed when they are lacking integrity in what they're doing and how they're doing it. You can have breaches and maintain integrity of the role and not fail. But if you, if you, if you don't hold your integrity intact, you will absolutely fail, fail your customers, fail yourself. 
 

[00:22:37] Sean Martin: Is that a, is that a clear line or is there, I mean, to me, when you start talking ethics and integrity, it's pretty, pretty straight, but who the heck knows? That's why I'm asking. Is it a clear line or are there gray areas? 
 

[00:22:55] Malcolm Harkins: I think there are, the reality is there are gray areas. There are times where I've stuck a stake in the ground on a risk issue, and I will not budge. 
 

I've done it every organization, every CIO reported to, every CEO, you know, both in every company. But along the path, you might learn that your data or your logic is missing components. That when you're saying no to, uh, a business unit GM and they're like, well, I disagree with you as low risk. No, this is high risk. 
 

Okay. Well, risk is in the eye of the beholder. Well, if I'm the risk arbitrator and I'm the person, um, that's supposed to be the most expert in determining the risk, then my. Perspectives should, by and large, be taken and overrule other perspectives. Having said that, there are times where when you're walking that path, you learn something new from others. 
 

Which is why Risk Calibration, Risk Dialogue. And that doesn't mean you're necessarily watering down the portrait of risk, but if your data and logic are there and you say that it's a critical risk that needs to be addressed and has material impact, and you understand the attack path to that exposure, and the company disagrees with you, I think your obligation is to walk all the way up, including to the board, if it's a potential material issue. 
 

Now, you might get overruled, okay, I can disagree and commit for some things. There's other things I will not disagree and commit on. And I'll put my badge on the table and say, you're wrong. And I'm not going to go along with this. And I'm willing to risk my job and risk my career. No different than a CFO saying, you know, through the accounting and all this stuff, we can't account for things this way. 
 

Right. And the CEO or business unit GM says. Well, but I want to. Well, who's supposed to be in charge of financial integrity? The CFO. Who's supposed to be in charge of the integrity of our cybersecurity state? That's why I, again, former finance person, I operate the role that way because I grew up in finance. 
 

[00:25:34] Sean Martin: I love it. Anytime we can pull on another, another scenario or role or example, things just work that way because that's the way it's supposed to work. I often pull on GC.  
 

[00:25:49] Malcolm Harkins: Yeah, the general counsel can't say, well, the CEO said it was legal. So therefore it's legal. When you're the person who's supposed to be. 
 

Through your whole legal organization, guiding... A company to be legal doesn't mean that illegal things sometimes don't get, you know, happen because a rogue person does something and stuff like that, but your job is to ensure legal compliance and that the company's operating in, in a, um, an appropriate way legally. 
 

CFO, same thing. Financial integrity. CISO, same thing. Around, not that you're eliminating the potential of a cybersecurity incident. That you, one, have a design goal. Two, the integrity of not only your risk state as it sits today. And your characterization of an incident that occurred is accurate, but your forward looking view of risk has a level of objectivity with data and logic to back it. 
 

No different than a financial forecast.  
 

[00:26:58] Sean Martin: Yeah, exactly. So, and I guess when there are questions for both the CFO or GC, they can point to Sarbanes Oxley or they could point to case law or something to say, yeah, but, um, do, do we have. That same ability as a CISO. I mean, we can point to other breaches, but  
 

[00:27:23] Malcolm Harkins: I, I've always assumed that ability. 
 

Other people are waiting and asking for permission. And if you're waiting and ask for permission, I think you're setting yourself up for failure. I just look at it literally from the day I landed in the role. I took it as if I was the CEO, CFO equivalent for everything related to information risk. Now, through that process, was I wrong a lot? 
 

You bet. Did I learn a lot? You bet. Will I continue to be wrong and learn? Yes. If, you know, but, but that's also where, you know, failure can come in. If I'm, if I'm not willing to sometimes experience failure, and a mistake of my opinion or my logic or my data, You know, and I've done that multiple times, but I've then learned from that, recalibrated and, and moved on. 
 

But where somebody couldn't give me logic or data to show that I was wrong, why would I ever budge? 
 

[00:28:34] Sean Martin: Well, let me ask you this and Malcolm, 'cause I mean, I, I often put a, put my program management hat on where it's a different kind of risk, but I was responsible many years ago for bringing products to market. You're bringing a bunch of people together, a bunch of technology together and, and a bunch of requirements together to, to pull something off and in there is risk. 
 

Right. Technology doesn't work the way it goes supposed to, or the operating system doesn't provide a feature or, uh, yeah, somebody built something wrong or, or that there's a security vulnerability in the, in the release that you don't want to let it fly. Lots of stuff. But as you're approaching a point where you understand that those risks might be there. 
 

There's a lot of ambiguity and now, so for the CISO role, we. I think we, we have ambiguity, right? And, and we're marching toward our design goal as you're, as you describe it. How are we communicating it correctly? Do we understand it enough? Do we know where the holes are, um, to say, this is where the ambiguity sits. 
 

These are, this is where I I'm making the decision based on less information that I'm comfortable with, but based on my peers, based on. Uh, examples from other, other organizations that we've seen get popped, whatever I'm to your point, putting my stake in the ground because I, my gut says, and, and experience says that this is, this hole that I see is probably going to get filled with X, Y, and Z, which will then. 
 

Lead me to them or material impact. Yeah, well, I think a lot there, but  
 

[00:30:20] Malcolm Harkins: thoughts on that. Well, I think there's a couple of things. One, let's, let's, you know, accept it. Let's also talk about accepting risk and acceptable risk because they're two different things, right? Accepting risk is a business process. 
 

It's not a control. And when you accept risk, you're also implicitly accepting the responsibility to respond to it. Should it ever manifest itself? And a lot of risk decision makers don't really think that way. Right. They go, we accepted that risk and they move on as if because they accepted it, it's no longer something that could occur. 
 

Right. And, and that's, that's something that we've got to change in how we do risk acceptance and then how we, um, when we make a risk decision, that's not permanent. There's a temporal aspect to risk, right? So we accept it today, but there's a temporal nature to it. So the, the, we should be revisiting some of those accepted risks. 
 

Over time. And when we don't, that's also where we fail, right? Because assumptions change, the world changed. So put that on the side now on, on this ambiguity around the risk. I think there's a lot of ways you can reduce the ambiguity. Right? You go, okay, um, take log4j, right? What, two years ago or whatever? 
 

Big brouhaha log4j, oh my god, patch everything, CISA says this. SEC says if you don't do it, there's going to be liabilities. Everybody's like, oh my god, pull themselves through knotholes. I, I talk to a lot of peers. They're like... We don't know where it is. We don't know how many instances we have. I don't know the context of log4j in our environment. 
 

Spin around and around in circles for a week, you know, 10 days. And they finally say, screw it, patch it all. Why? Because they didn't know where the instances of log4j were in an attack path. That would lead to an exploitable event that would cause an exposure that would cause an oh shit moment and a material impact. 
 

Well, guess what? You can do that. You can do attack path mapping. You can understand the context of your environment in real time. And know with precision where you have those exposures, and then be able to discuss them with people. And if they go, Yep, we agree with it. We're okay with it. Then you go, okay, great. 
 

We have an exposure to a potential materially impacting event. Now, if I'm a public company, guess what? I have to update my risk statements in the public filings. And if anything goes bump along that path, I've also got to now disclose it as a cyber incident. Okay, you can do that. I was doing that manually back at Intel years ago and even at Cylance, you know, to some extent manually, but there's automation now that does that, you know, the other, the other aspect of this. 
 

still becomes a little bit of the subjectivity, but again, you go, how do you reduce that? Well, go back to Sarbanes-Oxley, go back to financial materiality. There's line items in the balance sheet. There's line items there. Materiality by nature, materiality by impact. Walk back from the financials, walk back from business processes and, and things that, that could affect 
 

the business or your customer. Once you understand that, then it's just, again, it's hard work, but it's not that hard to figure out. I was having this dialogue, um, earlier, uh, um, late last week, actually, around artificial intelligence. Right. And, and, you know, people are going, wow, yeah, do I really need to have, 
 

you know, protection on the AI models and ML models? And I said, well, despite the fact that public models, a lot of them are already poisoned, they're just, you know, um, in some cases have malicious code in them. You know, the tools that you're using for MLOps are compromised with remote code execution. So therefore those tools then would allow an attacker to own the model and do all these things. 
 

And they know all that and you give them all that data, but, yeah, but it's... It's too early. I'm like, okay, let me give you an example. Uh, you're using artificial intelligence in your pharmaceutical company and you're using it to figure out drug interactions to re, you know, reduce health risk. And you say it's okay not to protect it. 
 

Okay. You know, or you're using artificial intelligence. I was, I was reading a couple of weeks ago, McKinsey had published a, um, a study. And in fact, I posted one the other day, they talked about, um, AI changing the travel industry. Two to four trillion worth of economic benefit. Okay. If I can create that much benefit through the use of AI, 
 

therefore, I can create that much damage and maybe more. So therefore, if I'm claiming a benefit in the technology that's a material benefit to the organization, if I'm a public company, I now have the obligation to protect that capability. Um, McKinsey did another one, Freeport-McMoRan. You know, a billion and a half dollars of shareholder value by using AI in the mining operations. 
 

Okay. Billion and a half dollars. That sounds pretty material to me, right? So, to me, it's not that hard. You just gotta look at the financial flow, and then go, well, what could be material by nature, or material by impact? Map it out, and where systems and data could do that, that's where you make your stand. 
 

[00:36:23] Sean Martin: Uh, so many things in my head, because I mean, continuing to walk it back, you might say, well, it's only a handful of systems that really interact or generate this material value, right? And certain sets of data, certain apps. But then you look at a real network and you're like, yeah, this is just a big mess. 
 

It's all connected. You can't, you can't separate it. 
 

[00:36:46] Malcolm Harkins: It is, but this is where you have to have, well, I'll say, a peanut butter spread of general controls and hygiene. Right? But, again, I'll give you an Intel example, and I've spoken about this for years. I still, at a macro level, because we started doing this in late 2001. 
 

What are the macro business processes that if we're offline or had some major issue would have a material impact to the business? Book, order, pay, build, ship, close, and communicate. Macro business processes. If I can't book an order, I miss revenue. Material impact. I can't ship a product, I miss revenue. 
 

Material impact. If I can't pay employees or suppliers, guess what? Material impact. But, but there's a temporal nature to this. Right? Every business has a cadence of their quarter. Intel is an example. It's dated. It might be different. The last two weeks of the quarter, biggest shipping window, biggest revenue window. 
 

Well, guess what? If, if shipment is offline the first two weeks of the quarter, who gives a crap? Yeah, fix it. But it doesn't have the same level of materiality because guess what? I can expedite the shipments and still hit my revenue number, right? Building a product. If I'm in the early part of the design cycle, right, and I'm designing something, that, the, the time to revenue is several months out or a year out, right? 
 

If I'm in tape out, revenue's closer, but if I'm at assembly test, that last mile of making a semiconductor before it gets shipped to Dell or somebody, that has the biggest impact on them, the biggest impact on me. Payroll. Okay. Payroll's offline. November 7th. It's offline. Who gives a crap? Payroll cycles, November 1st and November 15th. 
 

Doesn't matter if it's offline, right? Like I said, it's work, but that's what we should be doing. And that's when we fail, when we haven't done that level of understanding of our business. 
 

[00:39:08] Sean Martin: So I, I think everybody's sitting in the roles thinking, yep, this is... That part of the job sucks. Uh, I don't do it, or I don't do it well, or I don't do it often enough. They're all probably sitting there thinking something like that. Um, or, or maybe they're narcissists and they said, well, I don't get support from the company. 
 

So let's, in the last few minutes we have, 'cause I think we touched on the industry and the individual quite a bit at this point, let's talk about the company culture, and I think you referred to it as the inertia of the... the organization. Um, where, where do things kind of fall down with respect to getting support from the business, or do things fail for the role there? 
 

[00:39:56] Malcolm Harkins: It's some, so sometimes it actually is the CISO because the CISO hasn't done that connecting of the dots, the daisy chain of end points and systems and data as a network and all that stuff to the thing that matters to the business. Well, if you haven't done that work, of course, the business isn't going to support you, particularly when you've asked for more and more and more and more and more, and then continue to do that. 
 

And then you continue to have all these issues. But  
 

[00:40:24] Sean Martin: I'm going to guess that there are some people that say, I don't get the opportunity to do that. I'm, I'm told to buy a risk management tool and a bunch of controls and some, and some protection. Maybe outsource my, my response and then present every quarter, how well we're doing patching and, and keeping stuff from, from going awry. 
 

I don't get the chance to do that fancy work you're talking about, Malcolm. The company doesn't support me. Is that a, is that a viable...? 
 

[00:41:04] Malcolm Harkins: There are, in many circumstances, and I've talked to a lot of peers on this, where they've done all the work. They know what the risks are. They've had the discussions. They know they're underfunded in some areas and the business still says, nope, we can't do it. Well, okay, you haven't failed. You just have to then document that the CEO, the CFO, the general counsel, the board are okay with a material risk. 
 

Now, if you don't document that, then I think you failed, but, but, you know, sometimes the reality is businesses have challenges, right? I was at Intel where I had to do budget cuts and lay off people. Why? Because we missed revenue, right? Intel's gone through layoffs even recently. You know, it, you know, so every company, every organization has budget fluctuations. 
 

Your job is to deal with those budget fluctuations. Now, again, there are times where I know, and I've, I've seen it, where a CIO, a CTO, you know, another C-suite executive does not give a crap about security or privacy. They give lip service to it. Well, frankly, if you can't go around them, through them, over them, or somehow remove them as a path in your decision making, then I think you need to look for another job. 
 

But don't, again, water down the integrity of what you're doing. Now, again, in other situations, it's just, you know, the business environment. I don't even, you said you've talked, you, you've had responsibility of bringing product to market. I'm a former finance guy, supporting general managers and stuff like that. 
 

I don't know any business leader with a budget who's ever gotten all the funding, all the resources and all the timeline they needed to achieve their objective. Right? You're head of sales. Okay. You have a target to hit a sales goal. You have, uh, uh, sales, cost of sales that you can hit and, and, and stuff. 
 

And you're told to hit it and you get creative, right? It's no different from any, this is the thing that drives me nuts about what I'll say, the whining from some security practitioners. They go, well, I didn't get the budget. Well, okay. Nobody ever gets the entire budget they want.  
 

[00:43:38] Sean Martin: Exactly. Yep. Yeah, you sell with fewer leads than you want and, uh, less marketing collateral than you need. 
 

[00:43:47] Malcolm Harkins: But that's the job. Nobody ever... Why does the CISO get to have everything they want? That's just not a reality in any organization.  
 

[00:43:59] Sean Martin: Special. Special, Harkins. Harkins is special. 
 

Ah, boy. All right, um... Yeah, we're at, we're at 44 minutes here. I clearly, we can, we can keep going for ages. I, I want to save the liability piece. I'm going to pull together a conversation for that. So I'm going to invite you to join me for that with a few other folks. I think it's going to be interesting, especially knowing that you have a particular view that may not be popular with some of the others. 
 

That could be a, that could be a fun conversation. Yeah. But, um, any, any quick thoughts on that while we're, while we're here? 
 

[00:44:39] Malcolm Harkins: Yeah. Well, I, I think, you know, you can hear from my tone and my perspective how I view the role, similar to being a CFO. If you haven't done the role with integrity, you haven't reported actual events 
 

in a way that is honest and true, you haven't done your forecasting of risk honest and true, and you've swept stuff under the rug or manipulated the portrait of risk because of pressure, you deserve to be liable. Plain and simple in my mind. Um, you know, but it, you know, go back to the success thing and failure thing. 
 

You know, Winston Churchill had a really fantastic quote. Success is not final. Um, failure is not fatal. Sometimes it is. Um, but it's the courage to continue that counts. Right? We're on a journey, but no finish line.  
 

[00:45:41] Sean Martin: I was going to ask that because I mean, is it okay to fail? And I'm just thinking when, when the handcuffs come, no, it's not okay. 
 

But, but I mean, we often say, you wanna fail, fail fast, learn from your, your mistakes, and move on, to your point, right? The courage to keep going, but when, when the penalties are severe, you don't wanna fail. I wouldn't wanna fail anyway. Am I, am I not wrong? Am I wrong for not wanting to be a CISO? No. 
 

[00:46:16] Malcolm Harkins: No. 
 

Well, but, but, but again, it goes back to, you know, the CFO and other C-suite executives for financial integrity issues could be put in jail too. This is a financial integrity issue. It has been for almost 20 years, right? I'm glad enforcement actions are starting to take place. That will then hopefully drive a level of real accountability and real up-leveling of the CISO role into a C-suite vote, uh, role for people that are capable and want to do it. 
 

And if they're not, don't, don't take the role. But, you know, again, it just becomes one of those items of, you know, I think the challenge we've had with, with some of the charges, it's a shame that other executives have not been charged. That's, that's, I think, the failure of some of the regulators to charge other executives as well. 
 

[00:47:20] Sean Martin: Yep. Well, I'm excited to have that conversation with you. Um, and a few other folks. So I'm going to, I'm going to get on that. I think it's going to be an interesting, interesting chat. Um, so loads of fun there anyway. Um, Malcolm, always good. My mind's a little bent from, uh, from all the fun stuff you just shared. 
 

Uh, I'm not a CISO, if you can figure that out. Um, I'm, I'm intrigued by the role. Um, I love risk management, so I can completely appreciate that. And even without a finish line, I can totally appreciate getting from current state to better state and better state and better state, kind of making progress. 
 

Not with all the budget, 'cause you never get it, to your point. Um, and I, I can, uh, I can appreciate what, what folks have to go through as they try to walk that line, that, uh, that maybe they didn't, didn't have the opportunity to define their goals in the right way, or don't have the means to achieve those goals in the best way possible. 
 

But to your point, if you, if you can keep your... keep your head on, you, yourself, and keep things straight and, uh, and, uh, and keep your morals at the center of everything, then, uh, I think we're in better shape. I don't know if that, uh, it'd be interesting to see if this impacts folks wanting to have the role. I have imagined, I have an inkling that it might, right? 
 

I don't know. We'll see. We'll see. All right. Well, we're not going to run out of failure in this role. We're continuing to learn, we make mistakes. I guess that's probably the better way to say it, right? Make a mistake and learn. Um, set those design goals. I think that's a big takeaway for me. Take, take that time, connect those dots. 
 

And, uh, I think everything flows from there. So thanks Malcolm. I don't know, any, any final thoughts from you before we wrap?  
 

[00:49:29] Malcolm Harkins: You know, it's been, it's been great to have this, this discussion. Um, you know, and again, it, it's a tough role. And no different than any other executive role. And, you know, the complexity and the challenges of it are going to continue to grow. 
 

And the only way in which we'll, we'll mature ourselves and mature the role itself and codify it more in the industry is to have dialogues like this. And, and again, learn from each other's perspectives, learn from each other's mistakes and, and, you know, recognize that having a mistake or a failure really only becomes, what I'll say, a catastrophic failure if you're not learning from it. 
 

[00:50:15] Sean Martin: Yeah, repeat the failure over and over. Um, all right, Malcolm. Well, we'll leave it here. Uh, lots for folks to chew on, certainly myself. And, uh, I'll include a link for those listening. I'll include a link to Malcolm's post. So go there, comment, uh, on your own what you think about, uh, Malcolm's position on the, on the other LinkedIn post that inspired him to, uh, to share and, uh, which then drove this conversation. 
 

I think you mentioned another, another, uh, post you did too. So we'll, we'll include that here as well. And, uh, yeah, I mean, I mean, this is a topic that I'm sure lots of people have thoughts on, so I'd be surprised if we don't get some feedback somewhere socially on this. Uh, anyway, so thanks everybody for listening. 
 

Be sure to stay tuned, uh, share it, uh, with your friends and enemies and, uh, subscribe so you can hear this and the next one we're going to have with Malcolm and a few other folks. So thanks again, Malcolm. Thanks everybody. Catch you on the next one. Thanks, Sean.