“Be the change you wish to see in the world.” — Gandhi
Today, we announced a new organization that I am excited to lead at Cylance®: the Office of Security and Trust. This role is a natural evolution from my role at Cylance as the Global CISO, and in many ways a further maturation of the role I had at Intel, when I served as Chief Security and Privacy Officer.
I believe that if computing is to continue to improve the world we live in, rather than endangering it, computing must be trustworthy. And, as technology becomes embedded further into the fabric of our lives, exploits that take advantage of technology vulnerabilities may increasingly impact the well-being of almost everyone in society.
Unfortunately, the privacy and security breaches we continue to see in the headlines every day have shown this is already starting to occur. These incidents have weakened the public’s trust in technology and shattered their trust in the organizations they relied on to protect them from harm.
The Two Factors Inherent in Trust
These trends make it particularly important that we apply the right principles and values to shape the way we design, develop, and implement IT. Technology should not only enable value, but it must also prevent harm and ensure trust. To have trust though, it is crucial to be transparent about what you believe and why you believe it.
In sum, trust is a function of two factors:
• Competence – Competencies are not only skills. You must have skills and knowledge, but you must also do something with them to demonstrate competence.
• Character – You must demonstrate that you have integrity, values, and principles.
At Cylance, we strive to cultivate a work environment where security, privacy, and trust are an integral part of company culture. They are foundational elements to the design, development, and delivery of our products and services. This includes our internal infrastructure, business processes, and applications. We believe that as the world’s digital opportunities grow, so too does our obligation to do the right thing in the right way.
As security professionals, we cannot limit our focus to just protecting businesses from risk. We must take it to the next level and evaluate risk with three independent yet interdependent lenses: risks to the business, risks to the customers, and the potential risks to society. We can’t limit ourselves to merely focusing on typical IT systems and infrastructure. We need to have a wide yet integrated view of physical risk, logical risk, including privacy, as well as security across the organization.
In my view, the CISO should evolve towards being the champion of trust, leading this very strategic discussion within the context of their organizations. This is also something that boards should start thinking about sooner rather than later.
Trust and Security Should Report to the CEO
Perhaps it is time for other organizations to do what we have done here at Cylance: place trust and security where it belongs, reporting to the CEO. In addition, IT and applications should report directly to this new organization. Perhaps part of the broader issues we experience with respect to security and privacy are due to structural factors. After all, most CIOs are evaluated on tangible, measurable metrics like cost, systems availability, and the rollout of new functionality. CISOs predominantly report to the CIO, who is not measured on security or trust as these are intangible, though very real, attributes.
In some cases, security and trust simply don’t get delivered. And even if CIOs are measured on these factors, they may not have the right risk and control skills, or the mindset, to be the appropriate champions of what is right, and therefore may not be the best decision makers when it comes to cultivating trust.
In addition, some professions, such as certified public accountants and doctors, have ethical standards that may require them in some cases to break ranks with their organizations—for example, if they see signs of illegal activities or financial manipulation. The public expects doctors to be personally accountable for decisions that affect the lives of their patients, rather than simply deflecting responsibility for health decisions onto someone else within the organization. If CPAs or doctors fail to meet these professional and ethical standards, they may lose their ability to practice.
Though there are many professional certifications for IT, security, and privacy professionals, there’s currently no equivalent to these medical or legal qualifications and public expectations. IT, security, and privacy managers are not automatically barred from practicing their trade if they fail to meet certain professional standards, or if they are found to be responsible for a security breach. However, we should all assume a similar level of personal accountability for our decisions—especially since our actions may have broader implications on our customers and society at large.
Regrettably, not everyone will act with this level of responsibility. IT managers may not be measured on the levels of security and trust within their organization, so they may not prioritize these items. Some security and privacy managers may also see their role as simply managing a risk register: they identify the risks, and perform the analysis and associated cost estimates, but then they take the register to other executives who make the overarching decisions. By doing so, they abdicate responsibility and deflect accountability onto someone else. The result is a corresponding lack of security and trust within the organization, because no one is internally accountable should the system suffer a security breach.
Distributing Responsibility Across the C-Suite and the Board
As the senior security and trust professionals within the organization, we need to share responsibility for these risk decisions equally with other corporate executives and the board. People are often told that they need to “think like an owner”; that is not enough. We need to act like an owner, too.
Ultimately, we need to think about our responsibility to all the people we work for—including customers and anyone else in society impacted by our actions—as well as our responsibility to the executives to whom we report. For instance, if you don’t think your manager is right, you need to think hard about the possible consequences of not speaking out, and decide where your responsibility ultimately lies. Done right, this newfound accountability will spur the right discussions and decisions within organizations.
This shift in accountability should eventually lead to structural changes, too. At a minimum, there should be a separation of duty, so those responsible for security and trust are at a peer level to the CIO and other executives responsible for implementing the larger infrastructure and technology used by the business.
In her recent book, “Giving Voice to Values,” author and educator Mary Gentile discusses the ethical dilemmas that many people face in business today. Her assumption, as she astutely observes, is that “in many if not most of the managerial and financial misbehaviors we have seen in the past, there were enough people who recognized the lapses in ethics and judgment to have stopped them. The problem was that they did not believe it was possible to do so.”
Gentile focuses on providing techniques to help people voice their concerns and take action at “those times and situations when we believe we know what is right and want to do it, but we experience external pressures—from our boss, our colleagues, our customers—to do otherwise. As a result, we are not sure how to raise our concerns.”
Bolstering Trust and Security: New Vice President John McClurg
I am very excited about our announcement today that John McClurg is joining Cylance as a vice president in the Office of Security and Trust. In a world where cyber and physical interdependencies are growing ever more complex, John’s expertise at advancing cyber and physical security as one combined effort will be a significant asset, not only within our organization, but also to the industry.
John will be engaging with the industry on the risk challenges of today, with a focus on how Cylance uniquely mitigates them with the application of machine learning via our endpoint protection product CylancePROTECT®. He will also focus on the collective move from a historically reactive security posture, to one focused on proactively predicting and mitigating future risks. John has a long and proven track record demonstrating that he understands the mission and meaning. He also has the voice and values to be our Ambassador-at-Large.
As my role at Cylance evolves and John comes on board, I am reminded of an excerpt from a speech by Teddy Roosevelt; the sentiments seem as relevant today as when he made the speech back in 1910:
“It is not the critic who counts; not the man who points out how the strong man stumbles, or where the doer of deeds could have done them better. The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood; who strives valiantly; who errs, who comes short again and again, because there is no effort without error and shortcoming; but who does actually strive to do the deeds; who knows great enthusiasms, the great devotions; who spends himself in a worthy cause; who at the best knows in the end the triumph of high achievement, and who at the worst, if he fails, at least fails while daring greatly, so that his place shall never be with those cold and timid souls who neither know victory nor defeat.”
As security professionals, we need to be in the arena, and so do our teams. Our mission, as security and privacy professionals, and ultimately as trust professionals, is a worthy cause. If our efforts to prevent harm to our organizations, our customers, and to society are done right, we can be the change we wish to see in the world, which helps to ensure that tomorrow is better than today.
Cylance Chief Security and Trust Officer