BlackBerry Blog

Cybersecurity and the Future of Trust: BlackBerry LIVE Interviews CISO John McClurg

“Here comes the guns, gates, guards, and the geeks.”

That was the reaction private-sector companies first had when then-FBI Supervisory Special Agent John McClurg showed up for a meeting. The sentiment came from concerns that a visit from McClurg, who headed up the FBI’s initial Cyber-Counterintelligence program and helped establish the agency’s Computer Investigations and Infrastructure Threat Assessment Center, signaled that he was there to “impose standards and practices that are going to be painful, and slow us down.” This worry melted away each time he created a public-private partnership built on trust.

Today as BlackBerry CISO, McClurg still looks for opportunities to establish trust, both as a basis for protecting BlackBerry employees, customers, and partners, and for creating a framework to make critical infrastructure more secure in cyberspace.

In this excerpt from our recent video podcast, McClurg explains how deployment of zero trust approaches to access management can be especially effective, creating a virtual “locking of shields” between governments and the private sector, allowing for closer cooperation to better protect critically important infrastructure and services.

McClurg also explains why the name “zero trust” is unfortunate (they should have asked him first), although what it represents is an entirely new cybersecurity paradigm that offers numerous benefits to organizations of all sizes and industries. In addition, we discuss organizational risk tolerance, the way it changes over time, plus how to approach this challenge.

Video Transcript

Steve Kovsky:

I want to go back to linking shields because I see so many ways that we could take that metaphor. There is the importance of sharing data, of creating this linkage between public and private, between different industries to try to, you know, build upon each other, stand upon each other's shoulders. There's also the partnership aspect of having defenders with you to help you and provide additional shields.

How do you explain that metaphor, bring it back to what it means to cybersecurity?

John McClurg:

Well, you've hit on some very critical elements. Before I joined the private sector, I came up through law enforcement. The FBI had brought me in and eventually pulled me into their C-Tac, the computer centers that they built in the early days of the cyber battles that we were advancing. But it was also part of the mission to protect the critical infrastructures of America, which many of you may know already are principally owned by the private sector.

So, if you've got these critical national resources that are owned by the private sector, the need to figure out the collaboration formula was just inescapable. That was absolutely critical. And figuring out how to lock shields in terms of sharing critical threat information to building the levels of trust that is required between the private sector and elements of the government and law enforcement became a critical element of it because without that trust, you don't see the sharing.

And if you don't see the sharing, or if you see the sharing done with the best of intentions but through mechanisms and means that are just too slow given the rate and pace at which the adversary morphs, then you still have a problem. That's why the predictive advantage of some of these new solutions casts in a new light what's involved in effective collaboration and information sharing. If your math models will predict before you even have to share information, that changes things. It used to be you'd want to share, and this is why you had to update your DAT files every day or every week: because you had to constantly be sharing, and figure out how to effectively share all that information to make sure you're positioned as appropriately as possible.

Suddenly that challenge isn't what it used to be. It kind of goes away, but not completely. You encounter other forms of collaboration challenges still out there, but at least that one that consumed no small part of our time, energy and effort goes away. And you now have to turn to other dimensions of the collaboration.

It's interesting that the challenge of trust remains, even though we now introduce silicon systems talking to silicon systems between us, the carbon units. That's where the challenge used to be: how do these carbon units figure out how to talk to each other in an efficient, effective and quick manner? Then we said, well, wait a minute, now at the rate and pace at which the adversary is striking, we've got to have our silicon systems figuring out how to talk. But that doesn't do away with the trust issue. It pushed it down to another level. How do we extend trust to these extensions of ourselves, these partners, our silicon partners? How do we push that element of the trust formulation to that level and do it in a way that is continuous? Steve, that's one of the reasons of late, even though I took some heart and excitement in this, this new paradigm we've seen talked about called Zero Trust.

I think that title is a little unfortunate. And if I had been allowed to sort of frame the title, I would have preferred something like “continuous trust.” That is, saying with the strength and power of our new AI partners, we have the ability to not only establish the trust that should be extended to an individual at a particular second in time in space but actually go with them in a frictionless way, in a manner that would continuously establish that that validated trust should continue and goes with them no matter where they go, no matter what they're doing, anywhere, anytime, anyplace, that it enables that.

And that's just an exciting aspect of this new world in which we're now battling.

Steve Kovsky:

Well, I think there's a very apt phrase from the last Cold War. I think we're in a new Cold War personally. And we know it from one of our leaders in the U.S. But I believe it's actually based on a Russian proverb. And it says, “Trust, but verify.”

John McClurg:

One of my neighbors wrote a book called The Speed of Trust, and one of the inherent benefits of trust is that it frees you up from the time, energy, and effort you would otherwise have to spend on verification. Truly held, validated trust liberates you in that way; the cost in energy and effort associated with that verification process is something you can now claim as an advantage.

But the trick to this, though, is whether the verification process can be enhanced to the point that it is almost simultaneous with the first pronouncement of trust, and then carries with it continuously without the friction that classically those verification processes imposed on the business process. That's why the partners I've dealt with in the private sector, in the business world, quite often have seen me coming: “Oh, here comes the guns, gates, guards and the geeks!” because I had cyber too.

They're going to impose standards and practices upon us that are going to be painful. They're going to slow us down. We need to move with speed. And they lamented what they were having to accept with greater frequency: the legitimacy of our claims to their time and energy and effort. They resented it somewhat, but began to accept it, as they saw that what they're asking us to do in many cases, now, is what's going to keep us in the game. It's not a distasteful cost of doing business. It's really a very important validator and enabler of getting us into the game. We can't even bid, with some of these customers, unless we can show that we have certain protective measures in place.

And if we don't partner with our security team to help make sure that that is in place, we don't even get to pick a bid for the revenue that's in the offing there.

Steve Kovsky:

Well, it's these technologies; they remove some of the risk from trust. And that is the downside of trust: it does involve risk. If you can lower that risk, and if you can find a partner who you have trusted for decades and that you expect to be around and trustworthy for future decades, having that track record is also important.

John McClurg:

Risk doesn't come packaged and fixed in its form. It's always morphing. Nor is our tolerance for risk a static thing. As we mature as organizations and depending on what silo or sector of the business world we may sit in, we find our tolerance for risk fluctuating. In one sector, we may say, no, this is so critical, and our risk tolerance is just not what it would be if we were in a less critical area. The complexity of the world and the relationships we have might be such that it allows us greater flexibility, so I think being attuned to the way in which these other variables can flex and change is important.

And again, I feel like I may be harping on this, but the strength and the resilience that an AI-supported solution gives you is another one of those variables. Well, let your risk tolerance fluctuate as it will; the strength and prowess that you get from a basic investment in an AI-supported math model is strong enough to go with you whether you have a low risk tolerance or a high risk tolerance. The same solution, it doesn't discriminate. It'll give you the same prowess and strength as your risk tolerance may fluctuate on you.

And that's a relief, because otherwise it does require us as CISOs to constantly be adjusting and modifying. Because we know we don't have the money to protect against every possibility, we try and say, well, we'll look at the probabilities. And some of us, if we're in really dire straits, we'll say, I don't have the resources or the money to do battle with anything other than what I can say is in actuality. I can only deal with actualities, and maybe hope to aspire to one day dealing with the probabilities, and almost never really with every single possibility.

Steve Kovsky:

John, every conversation with you is a mind-expanding experience for me. I thank you for all of the ideas that you've just put into my head.

John McClurg:

You're welcome.

About John McClurg

Sr. Vice President and CISO at BlackBerry.

John McClurg serves as Sr. Vice President and CISO at BlackBerry. McClurg engages the industry around the globe on today's risk challenges and how BlackBerry uniquely mitigates them with the application of machine learning and other AI-supported solutions. He champions a move from a historically reactive security posture to one focused on proactively predicting and mitigating future risks.

Before BlackBerry, McClurg served as the Ambassador-At-Large of Cylance and as Dell's CSO, where his responsibilities included the strategic focus and tactical operations of Dell’s internal global security service. He was also charged with the advocacy of business resilience and security prowess, the seamless integration of Dell’s security offerings, and with improving the effectiveness and efficiency of security initiatives.

Before Dell, McClurg served as the VP of Global Security at Honeywell International; Lucent/Bell Laboratories; and in the U.S. Intel Community, as a twice-decorated member of the FBI, where he held an assignment with the U.S. Dept of Energy (DOE) as a Branch Chief charged with establishing a Cyber-Counterintelligence program within the DOE’s newly created Office of Counterintelligence.

Prior to that, McClurg served as an FBI Supervisory Special Agent, assisting in the establishment of the FBI’s new Computer Investigations and Infrastructure Threat Assessment Center, or what is today known as the National Infrastructure Protection Center within the Dept of Homeland Security.

McClurg also served on assignment as a Deputy Branch Chief with the CIA, helping to establish the new Counterespionage Group, and was responsible for the management of complex counterespionage investigations. He additionally served as a Special Agent for the FBI in the Los Angeles Field Office, where he implemented plans to protect critical U.S. technologies targeted for unlawful acquisition by foreign powers and served on one of the nation’s first Joint Terrorism Task Forces.

About Steve Kovsky

Steve Kovsky is former Editorial Director at BlackBerry.