It’s been a chilling year in data security for companies and their customers alike. Hackers have been slipping through corporate computer defenses like they’re Swiss cheese, from Home Depot, Anthem and JP Morgan Chase to the now infamous breach at Sony Pictures Entertainment, which touched off a national security response from the White House and an FBI investigation that pointed to North Korea as the source of the attack. Corporate data security is now a customer trust, economic and national security issue, and even the federal government is not immune.
According to the Identity Theft Resource Center, data security breaches in the U.S. alone reached a record high last year, spanning some 675 million records. It seems not a day goes by without another announced breach, loss of customer or business data and finger pointing at who is responsible.
Alumnus Malcolm Harkins MBA 92 has been on the front lines of the cybersecurity battle for more than two decades, building systems and fighting off attacks from all sources, from hackers and malware to employee fraud and worms infecting the Internet.
At the end of May, Harkins left Intel after 23 years. He most recently served as Intel’s vice president and chief security and privacy officer, the first in the position at Intel. In that role he was responsible for managing the risk, controls, privacy, security, and related compliance activities for Intel as well as all of its products and services.
Harkins has managed IT benchmarking efforts and Sarbanes Oxley systems compliance efforts. He acted as the profit and loss manager for the Flash Product Group at Intel; was general manager of Enterprise Capabilities, responsible for the delivery and support of Intel’s Finance and HR systems; and worked in an Intel business venture focusing on e-commerce hosting.
In June, Harkins took on a new opportunity as global chief information security officer of cybersecurity software firm Cylance Inc., an industry move covered by the Wall Street Journal. At Cylance, Harkins is responsible for information risk and security as well as public policy and outreach activities to improve understanding of security best practices for managing and mitigating cyber risks.
Harkins has taught at the CIO institute at the UCLA Anderson School of Management and at the CISO institute at UC Berkeley’s Haas School of Business, and was an adjunct faculty member at Susquehanna University in 2009. In 2010, he received the Excellence in the Field of Security award at the RSA conference. Harkins was recognized by Computerworld magazine as one of the top 100 Information Technology Leaders for 2012.
In February 2016, the Graduate School of Management's Alumni Association honored Harkins with the 2016 Outstanding Service Award, recognizing his support and involvement with the School, including serving on the Dean's Advisory Council.
He is the author of Managing Risk and Information Security, Protect to Enable (2012), a guide to help security professionals address risk in new ways in today’s dynamic environment.
This past year has certainly been a wake-up call for information security executives and managers of data across every industry. Share your thoughts on this new cybersecurity landscape.
The proliferation of technology and use of information assets has grown exponentially in the past few decades. Intel built wireless capability into Centrino 10 years ago, the iPhone launched seven years ago and now we have wearable devices and the Internet of Things. If you think about this rate of change and how quickly it came upon us, if the internet were a movie, we would still be in the opening credits given the speed of innovation.
As technology and information proliferate, there is a new world of opportunity for value – and attack surfaces.
Traditional brick and mortar companies are becoming tech companies. A week after last Thanksgiving I was in San Antonio, Texas, speaking about cyber risk to 150 general counsels of all types of companies. When I asked them how many viewed their companies as tech companies only 20 or so raised their hand. I told them: “You are all wrong, your company cannot operate without being a tech company. Where are you going?”
Those from the construction industry had raised their hands. They got it based on a discussion I shared from a year earlier with a different construction firm. I told them about cement being mixed with sensors and poured into roads and bridges, which helps the municipality get data on traffic, the health of the bridge and the condition of the road. There is a back-end data analytics feed to the people who manage it. That’s tremendous value.
The world is reinventing itself with technologies. At the same time the number of threat actors and agents has grown and continues to grow. The volume of bad guys is growing as they find it cheaper and easier to steal or harm others in the virtual realm.
Tell us about your new position at Cylance and what the opportunity means for you.
In my new role I am responsible for all aspects of information risk and security at Cylance, as well as public policy and outreach activities to improve the understanding of security best practices for managing and mitigating cyber risks. I will also be responsible for building strong relationships with our customers, understanding their ongoing security needs and help infuse those needs into our products and service offerings.
In terms of what it means to me … that’s pretty simple. It means the ability to dramatically affect the risk curve that has been shaping the use of IT for years. I not only have the opportunity to practice a profession that provides me a sense of purpose, but I can also infuse that passion with the Cylance team to deliver breakthrough prevention of malware for the first time.
A focus on preventing malware with a control with such high efficacy is the biggest dial that can be turned to lower the risks to people, data and business in the information risk and security space. That’s the opportunity. And doing it in a way that also lowers cost and improves the user experience. That’s what I call “protect to enable,” the subtitle of my book.
What can companies and governments do to bolster the lines of defense of their networks and data?
Obviously, there’s no such thing as a hack-proof network. In my book from a few years ago, I shared the irrefutable laws of the tech industry to explain this. Regardless of the technology and controls, there are always potential vulnerabilities.
First: “Information wants to be free,” which means human error. People post, share and talk—this happens even with the right tech controls.
Second: Code wants to be wrong – there is never 100% error-free code. That’s a potential for bad guys to find an issue, an opening and exploit it.
Third: Background processes such as service updates can have privileged access to the core of your computing, and can be vulnerable to a bad guy attaching malicious code to them, with a ripple impact on the integrity of the system.
Fourth: Phishing, email links, things that users want to click on that turn out to be malicious.
So there are many ways that pathogens can be introduced into a system or a network. Putting the right controls in place and keeping them up to date is essential while minimizing risk. The efficiency of a control deteriorates with time. The reality is that risk is dynamic, and information use is dynamic. There is a tendency to put controls in place and forget them.
Companies need to invest in and think about control environments that need to be more dynamic. A static control environment can be very vulnerable. For example: If the door is shut and locked, all good. But if I am a bad guy, I can kick in the door, or pick the lock, or take the time to sit and get through the door undetected. If that’s it, the bad guy will figure out how to get through it.
You need to understand risk and not bury your head in the sand. It becomes a true risk management issue, identifying where key assets are and how risk flows through your systems and environment.
People are failing to understand the risk, falling prey to those irrefutable laws.
You always have to be thinking about attacks that are on multiple fronts, and you have to have tech in place to sift through the events happening on your network.
We need progress, not perfection. We will never get perfection. When incidents and events occur, make sure we have the right controls, manage the risk, prevent as much harm as possible to your organization or your customer, predict your response and have the right people in place. Manage and think of it like an investment portfolio: how much should I invest in detection, response and prevention?
What role does, and should in your opinion, government play in private sector corporate data security? What legislation or regulations should be passed to help the current situation?
On the one hand, from the macro perspective, cybersecurity is a world issue requiring international cooperation by governments and the private sector. Taking that down a level, I think within each nation you need to foster a strong private-public partnership. Private industry has more of the deployments and management of information.
The worst thing that can happen is regulation that stifles innovation because we need continued innovation to solve security problems. We need to make sure that we continue to encourage innovation with new solutions to manage risk. Any legislation needs to remove barriers to sharing information, which would help all of us to better manage and mitigate risk.
Law enforcement agencies must actively protect against, prevent and investigate cybercrime and protect the nation state. There is no perfect balance point with information sharing between government and the private sector. Michael Daniel, the Special Assistant to the President and Cybersecurity Coordinator, recently posted on this topic and about the importance of cybersecurity.
During your tenure at Intel, what are examples of areas where Intel made strides in privacy in its own operations and practices? Is Intel sharing these best practices with customers, other industries?
Intel has done a tremendous amount to make strides not only in the security of its operations but also in privacy within the enterprise. The team I created and managed while at Intel is world class. We published routinely on a variety of security and privacy topics, including our use of security business intelligence, which was used to improve our time to detect and time to contain issues on the network. That deployment, which has been talked about extensively, analyzes approximately seven billion events daily and has peaked at 25 billion events. By improving Intel’s time to understand potential issues, it can make better decisions on actions to take when something is spotted that should be worried about.
Risk is the potential for harm, and no one can ever fully escape harm. But we also must put in place the best mechanisms to prevent harm and then back those up with controls that can minimize damage and assist in detection and response. These also include the incident management mechanisms that the information security team must manage during events to mitigate potentially significant material impact on the company, for example, the Slammer malware worm in 2003 or the headlines of today that were mentioned earlier.
We also need to mitigate insider risk. Intel had an employee several years ago who stole intellectual property. Now he is in jail. We learned that our controls worked because it was spotted and we were able to mitigate it. We did find that our detection capability could have spotted the breach sooner and mitigated faster, and we put in place those security intelligence efforts.
I also spoke at many public forums, sharing our lessons learned. I will continue to do that in my new role. I clearly believe it is a responsibility to help share knowledge so that we can all learn from each other on what works, especially in prevention of issues, which is a key control category that proactively mitigates risk, while detect and respond controls primarily mitigate damage.
Talk about your student experience at the Graduate School of Management. How did it prepare you for your career? How has your career progressed over the years?
The Graduate School of Management was one of the best and most memorable times in my life. The School was great, the faculty was strong and my fellow students had a good bond. We worked hard and played hard.
One thing I realized later as I matured is that there were several factors that drove my career. The first set of “levers” were skills, passion and organizational needs. And when these were all brought together (who I was, what I could offer, and what the job needed), they allowed me to hit my career “sweet spots.”
At the School, I grew my skills and more importantly learned how to gain more of them. The experience also helped me to refine and explore my passions as well as have the confidence to find others. Last but not least, the business skills I learned allowed me to figure out organization needs which gave me an edge to be in front of emerging demands.
The second set of “levers” I realized were based on three other things … luck, timing and execution. Execution is the only true controllable variable in your career, and it is based on your skills and passions. Timing is something you can get good at because you can anticipate organizational or market needs. Luck works for you or against you, but if you have the confidence and fortitude even when luck works against you, you can emerge stronger. I learned at the School that in the areas where I struggled most, I grew the most. I learned the same thing at Intel. So I often like to say strength comes through struggle. It’s how we learn and grow.
What advice would you give to prospective/current graduate business students in terms of preparing themselves for a corporate world where there’s a big data revolution and data analytics is and will continue to be critical in nearly every level of management, including strategy, marketing, finance, etc.?
Information, systems, technology, and more specifically big data and data analytics, are driving a new industrial revolution. We are just at the beginning. Industries are being upended and changing daily. Market models are evolving, and creativity for new innovations spanning every industrial segment and every aspect of our lives is being unleashed.
MBA students today need to understand the information and technology ecosystem. They need to understand how it can and will transform the fields they go into, in some cases overnight. They also need to understand how these transformations create opportunity as well as risk. They will need to use their business skills to chase the opportunities while at the same time navigating the evolving risk landscape.
Malcolm Harkins MBA 92 is a member of the Graduate School of Management’s Dean’s Advisory Council, top business leaders who serve as key advisors to the dean, sharing ideas and making recommendations on growth and development of the School, curriculum issues, and student organizations and projects. He and his wife, Kim, recently established the Harkins Entrepreneurship Academy Fellows Award to support registrants to attend, free of charge, an entrepreneurship academy at the UC Davis Child Family Institute for Innovation and Entrepreneurship.