Matthew McCormack: How do we help create a pipeline of future cyber leaders, but then also that pyramid? How do we get millions more people into the discipline and just convince them that you don't have to be a com sci or an engineer to do this, right? All you have to be is inquisitive, right? What I want is I want somebody who looks at something and says, "Well, that's interesting. That doesn't make sense." "Let me figure out why," that's the person who would make a good security person. If you are somebody that looks at something and says, "I don't understand why it looks like that, but I'm going to go figure out why," then you're right for this field.
Narrator: Hello and welcome to Security Visionaries hosted by Jason Clark, CISO at Netskope. You just heard from today's guest, Matthew McCormack, senior vice president and chief information security officer at GSK. What happens in a world where the bad guys outnumber the good guys? If you're a modern day CISO, this thought keeps you up at night. Cyber criminals are multiplying at an astounding rate and CISOs are racing to build out teams that can help them stay ahead. A key part of the fight is developing the next generation of security leaders, but how do we, as an industry fill the ranks of tomorrow's cybersecurity forces? Luckily, that's just what today's guest is here to help us figure out. So before we dive into Matthews gameplan, here's a brief word from our sponsor.
Ad roll: The security visionaries podcast is powered by the team at Netskope. Netskope is the sassy leader offering everything you need to provide a fast, data-centric and cloud smart user experience at the speed of business today. Learn more at netskope.com.
Narrator: Without further ado, please enjoy episode four, Security Visionaries with Matthew McCormick, senior vice president and chief information security officer of GSK, and your host, Jason Clark.
Jason Clark: Welcome to security visionaries. I'm your host Jason Clark, CMO and chief strategy officer and chief security officer at Netskope. I'm joined today by my friend and special guests, Matt McCormack. Matt, how are you?
Matthew McCormack: Good. Jason, how are you?
Jason Clark: I am super fantastic, man. Really good to kick off this podcast series with you here. You are our second guest. I was with Emily Heath two weeks ago and that went really, really well. So, as we get started, what was your first job insecurity?
Matthew McCormack: So my first job insecurity, actually ironically, was in the Navy, right? When I was ROTC in college in my senior year of college, they did a physical on me before I joined the Navy and told me that I was red-green colorblind. And if you are familiar with boats at all, red and green are important colors out at sea. It tells you which way the ship is going. And so they basically told me I couldn't fly a plane or drive a ship and so they turned me into a cryptologist which in the '90s cryptology morphed into the early network security. So really wound up in this because of the Navy and because I was colorblind.
Jason Clark: That's an interesting story, right? I think my mind was similar to yours from joining the army, not because of colorblindness, right? But I was flying planes thinking I wanted to be a pilot, and while I was flying, the pilots all around me were professional airline pilots, I had left the Navy, and they said, "Listen, you don't want to be a professional airline pilot. Basically, I'm just driving a bus. Pick a different career." And I'm like, "Oh, wow, okay. You just crushed my dreams."
Matthew McCormack: That's some good advice though.
Jason Clark: It was great advice and I dumped into security. That was it. I was an analyst, right? So it changed my life.
Matthew McCormack: The world has changed, right? Now people are getting into security originally, right? Security originalists, where we all happened into it years ago.
Jason Clark: It was good. I think, Matt, I must say, we've known each other probably 15 years, right? I'd say we've helped be the foundation for this industry, right? We've started from this thing from zero together. It's been pretty cool to see.
Matthew McCormack: I know my first CISO role actually, I was the first CISO at the organization at Defense Intelligence Agency. There hadn't been one before. The idea that we're literally creating some of those first organizations and as scary as it sounds almost 20 years ago, but yes. I remember our first interactions, you were with Websense and Blue Coats back then and I was at the IRS and then everybody was doing their first web proxying and web filtering. 20+ years ago, network security was just packet filtering firewalls, right? And that was it. And then, VPNs and then all the web content filtering popped in and now here we are today.
Jason Clark: Just honestly, we were figuring it out, right? We were just having to invent, as we went and said, "Okay, let's see if this works," right? Which is a lot I think of contributes to a lot of the ways that we still need to do things today, right? And so tell us a little bit about your role at GSK.
Matthew McCormack: As the Chief Information Security Officer, I have all the traditional roles of a CISO, right? Whether it's the cybersecurity network defense, but I also have the GRC function, that governance, risk and compliance which was a global regulated pharmaceutical. There are a significant amount of regulations. And one of the interesting pieces when you're global is it's not just US regulations, right? It's regulations for every company or every country that you manufacture and sell in. And we are in a significant amount of countries. And so when you look at the governance, risk and compliance, its significance, right? As opposed to a previous role with a US tech company, where you're really only generally concerned about a limited amount of countries.
Matthew McCormack: Being with a pharmaceutical that manufactures and sells in almost every country, having to be aware of and pay attention to all these different compliance rules is different, right? Actually it's quite eye opening because you get to see the manner in which different countries approach the privacy of their citizens and how data is kept and maintained. And there's a wide variety, right? I say, as an American, we generally treat the privacy of our citizens toward the bottom of how many other countries do. A lot of countries are very protective of their citizens data. So it was a quite eye opening starting this role several years ago.
Jason Clark: How do you keep up with it at all? That is a lot, right? That's a lot of changing. It looks like it's changing faster than ever it has to me. So how do you stay on top of it?
Matthew McCormack: Well, I mean, for me, look, you have to have a team of people that know how to do it and know how to do it well but also global. You're not going to have a team of people sitting in one spot that's able to manage this global program. When you look at GRC, you have individual people. I'll have several people that are the only person on my team in that country, right? And their job is to maintain that relationship with the local governments and to keep us abreast of all the changes, but there's a lot of significant when you look at China security law, China privacy law, but there's also a lot of privacy discussions going on in India about changing laws over there.
Matthew McCormack: And so when you look at some of these larger countries, any changes in privacy laws can have impact on us globally, right? Because to comply with some of these laws, you may have to make some corporate level changes.
Jason Clark: So when you were at the DIA, you and I were talking a bunch about making this transition away from government and being a CISO in the enterprise. Maybe talk a little bit about how that transition was for you, what's different and also your advice to anybody making that change right now. Because there's definitely people I had seen that had tried and they'd come in a little too hard and it doesn't fit me. What was that like for you and what would you recommend for others?
Matthew McCormack: A router is a router and a person is a person, right? Those things aren't fundamentally different being federal and being commercial. I will say some of the differences, and I don't think anybody would be shocked by any of these, speed, right? The speed with which you can get things done. I know that there's been some changes to allow some more flexibility in the government, but really, the budgeting and the procurement process of the government was not necessarily built around doing things quickly, right? It's basically built around doing things fairly inequitably and not necessarily around being done with speed.
Matthew McCormack: And so for me, one of the bigger changes, and for me, it was 2012 when I went commercial, was my ability to buy and procure what I needed to do, but then also the speed with which in general, not always, but the speed with which I could hire, right? The ability to identify talents and grab that talent very quickly, commercially, was a big difference. Now, on the flipside is, I would say, generally, employees, when you're dealing with employees and some of the actions employees take and as CISOs, we're always having to keep an eye on what we allow employees to do and what we don't allow them to do.
Matthew McCormack: The attitude within the federal space, the government space, people were more comfortable with a command and control-type attitude. So if we say you can't do X, on your computer, people generally said, "Okay, we can't do X," right? Whereas commercially, it's more of a negotiation, right? Especially if you're with a global company, you're going to have unions, worker commissions in Europe. You're going to have different national laws that allow people to do things. There are certain countries that allow some minimal personal use of corporate by law, which you didn't have federally. You could say, "You cannot use your federal computer to do personal work." Boom, end of story, it's done.
Matthew McCormack: But when you have some of these countries that actually have laws that allow that to go on, we have to manage that. So from a personal point of view, some of the rules and requirements on what must be done and what can't be done, sometimes that was a little bit easier on the federal side because it makes the point it, but to make these decisions by edict was a little bit simpler.
Jason Clark: For you, it seems like there's a lot of similarities, right? And then there's some clear differences to me. It just seems very wide, right? Because other than the Army, I have not worked in the federal space.
Matthew McCormack: And the federal space is not all the same, right? So I've been military. I've done intelligence and also spent a number of years with the IRS, so essentially financial. And there's a wide swath of differences between those different areas within the federal space. It's not all ubiquitous. It doesn't all look the exact same, but I will say one of the questions you'd ask, "What advice would I have for somebody transitioning from federal to commercial?" and some of it would be around. Some of the comfort level they had around, as a CISO you make a decision, everybody will go do it. When you're moving into the commercial space is understanding that everything isn't a negotiation or is a negotiation, right?
Matthew McCormack: If there's something that you need to do from a security point of view you're going to have to sit down and make sure you've checked with your privacy officers, with your employment attorneys, within HR, within these different areas. You won't be able to get things done just because you said to do it, right? And understanding that it doesn't mean that you're not a smart person and people don't believe you, it just means that that is the process. Whereas I think federally, we were able to do more of the, "Because I said so." And when you come out into the commercial space, people will not blindly accept what you tell them.
Jason Clark: So just a little bit transition here, what do you believe is the fastest growing risk in cybersecurity, the catch, that people do not realize that CISOs or most security teams or executives do not realize is the fastest growing risk? What's sneaking up on everybody?
Matthew McCormack: I think a lot of people, they're aware now because of some of the stuff, but not understanding the full range and impact is third party. And third party, there's multiple pieces to third party. As companies have grown, they've moved away from all employees, obviously, to very heavy support from contractors or third parties to provide bodies to help you but then also software. And the rise in ransomware, which has affected so many different companies and some very large companies, and specifically when a service provider, somebody that is providing bodies to your company to help you complete a task and traditionally, you're allowing those bodies some manner of access into your company similar to a bad employee, when one of those service providers gets hit with ransomware, really step one is you killing all access for all employees of that company who are accessing your network, killing all remote accesses until the company has determined what the outcome of the ransomware was.
Matthew McCormack: And you realize the impact when all of a sudden 1,500 people can't show up to work on Monday because their company's got hit with ransomware. And you realize the depth of dependency you have on that service provider. And then the second piece to that is the software, right? Everybody knows SolarWinds there's in the press all these things. The idea that you're actually buying and deploying already compromised systems into your own network and it's not like these companies are going to provide us with the source code, so that we can go do our due diligence source code analysis, right? They're not going to do that.
Matthew McCormack: And so because of that, we're really dependent on the product security internal capabilities of these vendors. And so when I say third party, third party around service providers and bodies and then third party around compromised software. You just realize that dependency. At GSK, obviously, a pharmaceutical company, we specialize in making medicines and vaccines and things like that. You don't think about what impact your IT management software could have like SolarWinds, right? You bring SolarWinds in. SolarWinds gets hacked. You have to rip it out, and then all of a sudden, that can shut down a whole company.
Matthew McCormack: And so really understanding that impact of all these third parties and how you try to develop a response plan for what you do when something like this does happen.
Jason Clark: I think you just hit, I think, what is probably, I agree, the biggest. I think the two biggest is really the third party risk, but I'd say it's the fastest growing because of SaaS, right? It is the thing that the business is just lining up with or without IT. And mostly actually without IT in most organizations, they're just going, right? HR, marketing, etcetera and then also the growth of data, right? Data, you are the MC, right? And data is 3x'ing from 57 zettabytes to 107 zettabytes over the next four years. We don't see storage companies stocks, 3x'ing going through the roof, right? Because it's all moving to cloud or mobile. I think it's definitely those two, but double clicking on the third party risk which is at the fastest rate by count, it's definitely SaaS, right? Most companies have over a thousand. What are you seeing organizations do to get involved in that, the CISOs getting over with the business and helping them enabling that versus historically, we've always said, "Hey, no, we have one CRM. Don't go do anything else"?
Matthew McCormack: Anything dot-dot as a service is sometimes code for, "We're going to go around IT," right? And sometimes, look, I understand the reason people do this sometimes because when you go through the process, it takes longer in general, it's more expensive in general, but there's reasons for that, right? Especially in a regulated industry, you have to make sure you're complying. I am seeing a huge trend, especially in direct-to-consumer, right? People wanting to be able to sell directly to you, Jason, which sounds great on the surface and they can go out and find a vendor who will say, "Hey, I'll spin up a portal for you and you can sell your product directly to Jason." "Okay, great, and yes, that that'll drive sales, but do we have a PCI letter, right? Do we have the compliance set up? Are we storing credit cards? Are we storing personal data?" some of these different things.
Matthew McCormack: And so what we're having to do is trying to be proactive and reaching out. As we find some of these capabilities internally, not necessarily just the old days, take out the hammer, smash it and shut it down, but say, "Okay, you know what? If there is a requirement for direct to consumer and you've already built that portal, let's figure out if we can make it legitimate, right? Let's get all the PCI portion done for your direct-to-consumer portal and then let's make sure that other folks within the company going forward are using the one that you just built and not going out and building their own."
Matthew McCormack: So in the past, we probably would have said, "No, this is in violation. We don't do direct to consumer, blah, blah, blah," but now we're having to say, "Look, if you're doing it, statistically there's other people in the company who are either doing it or are going to want to do it, so let's figure out how we get this done." And I'll tell you, a good example and I'm not plugging anybody is when COVID hit here in the US, if you have children, all of a sudden, they popped on Zoom, and Zoom, within GSK, Zoom was not one of the approved collaboration tools. And there was tremendous pressure to allow us to start using that specific tool on our devices when we had not gone through the security due diligence on it. We didn't have a licensing and a privacy agreement with it, all of these things and a lot of pushback from our side on deploying a freeware tool into the environment, but yet, so many people were used to it because they'd all help their children with school and they gotten very comfortable with Zoom and they understood it.
Matthew McCormack: And so sometimes, you know saying no to something while it may make sense from a security point of view, security's in the gray. It's not black and white anymore. Security, you got to live in the gray. And so finding a way while we were not able to necessarily deploy it as quickly as a lot of people would have liked, in the end, we did allow ourselves to add that to the approved collaboration tools and then provide some level of support.
Jason Clark: That's a great example. To that, I get surprised, I'm almost so many companies a day, right? Definitely probably five CISOs a week and obviously many people trying to sell to my security program and listen to vendors, but how many people except the Zoom bots, the bots that come on and say, "Hey," that thing that's just hidden there, translating the whole conversation? Every time I say to the people that are hosting the call, and sometimes it's big companies, I'm just like, "Hey, do you realize that I just looked that company up and they're only 18 employees and they don't have a single person with a security title and their company and we're trusting this whole conversation to be sitting there in the cloud? You know that's probably a compromise, right?"
Jason Clark: And people are like, 'Oh, no, I hadn't thought about that." And sometimes it is security teams and I'm like, "Okay, this is, this is interesting, right?
Matthew McCormack: And I think that one in particular when there was a lot of initial push toward allowing use, allowing that app to be deployed onto our devices, laying out the reason like, "Look, we're not just being jerks to be jerks here, right? We're not just saying no for no reason. We had to lay out the reasons, right? That conversation is kept on commercial servers of another company. If you're discussing patient data or medical device or anything like that, we have no expectation of privacy. That data could be harvested, mined and sold to whoever because we don't have a privacy agreement."
Matthew McCormack: We, within security, have to do a better job sometimes of explaining the reasons. People have gotten smarter about technology and don't just blindly accept, "Well, the security guy said that's bad, so we're not going to do it." They want this. It's just families and kids, right? As my children get older, I need to start explain to them why a little bit more. It's not just a, "No, you can't do that." It's like, "You can't do that because XYZ," or, "Look, when you start driving, you need to start ... This is why you have to go around that corner slow because you can't see this thing over here and there's a blind curve." Same thing, right?
Matthew McCormack: When people are used to a technology, being told that they can't use it in this environment, they want to know why. And I think that's a legitimate question, right? It doesn't mean that they're questioning whether we know what we're doing as security professionals. It just means that there's a level of knowledge that they have, and because of that, they have some questions. And so we need to do a better job from the security side of being that explainer in chief.
Jason Clark: Well, there's two parts there, that's really important. So there's one which is translating this to real risks that I want to double click on. And then the second one we'll come to is, and you've made the statement that was published, it was that in the end where all CISOs are salesman which is true. And so I want to hit both of those around there's risk changing, it's happening fast. I actually say that we're in this upside down world of security where everything we protected is now out and now our security controls have to follow those users and those data everywhere they go and we still have to protect the old, right?
Jason Clark: So it's like enable the new, protect the old, but in this new model, one of the things that you talked about the past is frameworks, but are the frameworks really there and up to date to truly understand what my risk is in this new world versus let's say more threat modeling and actually thinking about the risk per each stage and what my control is and moving that to real time? How do you feel we are as an industry in that thinking and what suggestions do you have?
Matthew McCormack: Are the frameworks there? Yes. Are they as up to date as we need them? No. Right? I think we've all been very reliant on the goodness frameworks for a number of years. As you talked about at the beginning, as the world is turning dot-dot as a service and things like that, those frameworks have struggled to keep pace, right? But it doesn't mean that they're not still good foundational. But I think for us, your ability to grade how well you're doing and if you're actually delivering on the commitment you're making to your board, you have to have some kind of framework, right?
Matthew McCormack: We got our ICF, our internal control framework, and as most people, we use NIST as a baseline, but then we customize and there's reasons to do that. If you look at your internal audit capability, you want your framework matching up with theirs, so that if they're identifying an issue, it maps into yours. And if you're looking at your privacy organization, if you're looking at some of these different, your overall compliance team, not just your security compliance, but the folks that are responsible for us, your HIPAA, your Sarbanes-Oxley, all these other national compliance standards and GDPR, right? There's so many compliance and frameworks out there.
Matthew McCormack: You could fall down a black hole of perpetually trying to make the perfect framework. And I think for us, we decided NIST is our framework and we will do a small amount of customization because of our unique industry and draw the line there. I do you think you will forever be updating because when you're in 130 countries, there's always new frameworks and new standards, and new things like that that you'll just never be able to catch up on. We do try to review our framework annually, make changes, but I do think frameworks are great, frameworks are important. Threat modeling is very important as well and trying to go through ...
Matthew McCormack: If you got 130 factories, not all 130 factories are at the same level of importance. Maybe one makes your highest selling and highest revenue-producing product. Maybe another one is just packaging the cardboard that you need to put that product in. Both are important, but which one is the most critical, right? Can you get cardboard from somebody else? Most likely. Can somebody else make that specific medicine for you? Less likely. So your threat modeling, you have to go through and we are in a constant state of that, not just for our manufacturing facilities, but also our data stores and our data repositories, right? Where do we allow them to be replicated? Who owns them? Are they in the cloud? Are they not in the cloud?
Matthew McCormack: Maybe it makes economic sense to put something in the cloud and make it some sort of SaaS model. However, the risk of taking that data outside of your environment and putting it into the cloud outweighs the economics. We are in a constant state of threat modeling and risk return, right? For us, is the risk of doing that worth the return and I'll tell you, that is why and it's a topic, is within any good security organization, something everybody deals with, but from hiring, don't always go look for computer science people for your security organization, right? If you're doing this type of threat modeling, you better find yourself an accountant, right? You better find yourself somebody that understands money.
Matthew McCormack: And when you're looking at your insurance policy, your cyber insurance policies, computer science people are not the best people to be evaluating your insurance risk levels. And so when you look at your security organization, when you're doing threat modeling, don't just blindly accept that you're going to have people internally that know how to do that. Either you're going to have some really boutique specialist people and we're lucky to have a couple of really smart people to help us with that or go out and get it. Because if you try to do some of that threat modeling with people that are not specialists in that, your priorities for that year are going to be pretty messed up.
Jason Clark: Honestly, we hit sales, right? We said, "Oh, well, you need to be salesman," right? Well, I don't think no computer science majors aren't necessarily going to be your best salesman either, right? So I think depending on your domain and depending on what you're trying to grow helps nurture that talent gap that we have. What I'd say is I've had tremendous success actually getting kids out of high school. So with a Security Advisor Alliance, I go to high schools and middle schools and we're teaching them, "Hey, this is cyber." And they're all like, "Oh, I thought it was like rocket science. I didn't realize it was that easy. I didn't realize I had to be a guy in the basement with no lights on and just sliding pizzas under the door," right?
Jason Clark: And you'll see groups of girls almost always beating the guys in a capture the flag event. And they're like, "Oh, wow, I didn't even know this was an option for me, right? I'm good at this." And so I've been recruiting out of high school and it's not more like ... College isn't for everybody right away, right? I went into the Army instead of going to college at first. I actually didn't get my degree until I was 25. And the only reason I got my degree was they said, "Hey, we want to make you a CISO, but we can't unless you have your degree." And so what's your view on the places that you go and have you been grabbing kids out of high school at all, and also just in general, what's your view on things that other security and IT leaders can do for this talent gap?
Matthew McCormack: 100% right. So yeah, I speak it at high schools and it blows my mind. I just actually ... A goddaughter of mine, I did an interview with her because her high school has a cybersecurity program and she actually was doing a program where she has to code, but then she also has to pull down some products and look at them and evaluate the risk. And it blew my mind that they were doing that in their junior year of high school. I was really wowed, but then also like, "Thank God," right? Because to your point, the amount, whoever you talk to, whether it's three, five or seven, right? The million, 3, 5, 7 million people gap that we have in the cyberspace, expecting that we're going to be able to wait for these people to graduate university before they can enter the field is crazy, right?
Matthew McCormack: There's just too much demand. And also depending on that discipline, like I said, I'm with you. You don't fundamentally need that university degree. I taught you for years at a local community college and they had an associate's degree in cybersecurity where it was several years ago, but they were literally teaching these people how to use, I'm going to date myself, NetWitness and ArcSight and some of these tools, right? They were teaching them how to use them. And when I was still in the government at that point, I was hiring those people left and right because you can literally put them right in your sock.
Matthew McCormack: And so I think the idea that there's so many pieces to cybersecurity and then I'm not saying you want us operating on you, but it's become very much like medicine, right? The same way not all doctors are doctors, right? Some doctor is good at joints, some doctor is good at dermatology. You have all these different specialists who are good at their different things. Security has become that, right? You have your pen testers, you have your training specialists. If you're in a company the size of ours, you need program and project managers who can manage these multimillion dollar projects.
Matthew McCormack: So when I look at my team of 300-400 people, you have all different backgrounds, all different color stripes and I will say some of the best security people are psychology people. And when I talk at colleges, I routinely have people saying, "Oh, I'm studying psychology or sociology, but I'm really interested in cybersecurity." "Great because big portion of cybersecurity is what the user does." And people that understand how to influence users, when you're trying to get users to not click on a phishing, I can't just send an email saying, "Don't be dumb and click this link," I'm going to have to figure out how to influence people and those are psychology background people. And so there's all different types.
Jason Clark: I know a couple of CISOs that got a degree in psychology, right? Some really good CISOs and they actually started as psychologists and then made the transition. They don't talk about that too much, but that's one of the secrets to their success. In a way, I think it's all about being different, right? Being unique. Don't just follow the main road that everybody else has done. What can you bring to the table that nobody else has?
マシュー・マコーマック: そして、それは実際には私のペットのおしっこの一人です、そして明らかに、私は大学の学長ではなく、学長のふりをしません。 私のペットのおしゃべりの1つは、サイバーセキュリティプログラムをエンジニアまたはコムサイエンススクールに導入している大学です。 それは100%間違った場所ですよね? サイバーセキュリティはコンピュータサイエンスの分野ではなく、エンジニアリングの分野でもありません。 はい、私はエンジニアです。 はい、私はそのように育ちました。 そして、それは私がCISOになった方法に影響を与えましたか? ええ、絶対に、私にはエンジニアではない100人の仲間がいますよね? それはビジネスですよね? サイバーセキュリティはビジネスリスクの規律です。 そして、ビジネススクールを見ると、「ねえ、あなたはリスクのクラス、保険のクラス、金融のクラス、クラスと心理学、クラスと組織行動のクラスを持つことになります」と私がMBAを取得したとき、ビジネススクールで受けたクラスは、工学部で受けたクラスよりも、私が日常的に行うことに無限に関連しています。 ですから、大学がコンピュータサイエンスやセキュリティプログラムをコムサイエンスやエンジニアリングスクールに設置しているのを見ると、私は死にます。 100%間違った場所。
ジェイソン・クラーク:同意します。 私にとってMBAは、自分の組織、自分自身、自分の機能に対する見方に大きな影響を与えました。 正直なところ、学士号を取得することは私にとって重要ではありませんでしたよね? 私が好きなチェックボックスを手に入れたこと以外は、私の人生は本当に変わりませんでしたが、MBAを取得することで私の考え方が変わりました。 それは重要でした。 さかのぼると、キャリアをシフトダウンしてマネージャーレベルの仕事をしなければならない場合、何らかの理由でどのドメインになりたいか、さまざまな機能について何かおっしゃいましたか? そのレベルで運用したいセキュリティのお気に入りのドメインは何ですか?
マシュー・マコーマック:トレーニングですよね? 私にとって、それは絶対に最も重要な分野の1つだと思うからですよね? 100%、それはまだユーザーの90%だからですよね? それは個人が何を暴露しますか? 私たちは誰かが何かをするのを防ぐためのツールに何百万、何百万も費やし、それから私は私の予算の割合を見ます、それはトレーニングであり、それはごくわずかですが、それはまさにその通りです。 また、セキュリティトレーニング業界には、よりインタラクティブで最新のものを手に入れようとする傾向があり、見出しから引き裂かれています。 それはまだ本当に難しいです。 しかし、サイバーセキュリティの分野でまだ残っている分野の1つであり、異なる次世代の考え方に対してまだオープンなのはトレーニングですよね? それがあなたが人々と対話する方法だからです。
ジェイソン・クラーク:それはその場です。 そして、あなたはそれを測定することができます。 変化の違いを測定できますよね? 私はその答えが大好きです、マット、私はあなたにたくさんのインタビューをしていると言うので、私はいつもこの質問をします。 ご存知のように、私はキャリアの中で50人以上のCISOを採用してきましたよね? 私は過去に30人働いていて、ここ Netskopeで10人を獲得しましたが、CISOに代わってCIOの面接もたくさん行っていますよね? 3人のCIOから、友情の観点から、現在異なる企業にいる面接プロセスに参加するように求められています。 ですから、私はこの時点で何百人ものCISOにインタビューし、毎回この質問をしました、あなたはトレーニングに答えた最初のCISOです。
マシュー・マコーマック: おそらく私がひどいコーダーだからです。 それがおそらく理由です。 あなたは私にあなたのために何かをコーディングすることを決して望まないでしょう。
ジェイソン・クラーク:それは一般的に[聞こえない00:37:07]か、「ああ、私はビジネスの近くにいたい」かのどちらかであり、最も一般的には、「私は建築家になりたい」です。 私は技術で遊びたい」、または私はSOCが大好きです。 私は戦いを戦うのが大好きですよね?」 しかし、たまに「IRが大好き」と言う人がいて、「ああ、何か問題があります。 あなたの人生があります。 あなたは休暇を取らず、毎週金曜日の夜に働くことでクールです。 かっこいいですね」 それは本当にユニークなことです、マット。 それは重要だと思うし、聞いている人は誰でもそう思う。 それは実際に考えるべきことです。 あなたはトレーニングでそんなに多くのことをすることができます。 そこには多くの機会があり、特に技術の発明について考えています。 そして、私はあなたと私が実際にこの分野で何かをしたいと思っている会社を指導していることを知っています。 ですから、それについて話すのにもう少し時間を費やす必要があります。
ジェイソン・クラーク:それでは、もう少しここで、あなたにいくつかの簡単な質問がありますよね? キャリアで何か違うことができるとしたら、または最後のCISOの役割に戻るとしたら、何が違うでしょうか?
マシュー・マコーマック:正直なところ、後知恵は素晴らしいと思いますよね? 私は SaaS ことを期待していたと思います...こんなに早く来るとは思いませんでした。 サービスとしてのドットドットのインフラストラクチャを準備するために、もう少し時間があると思いました。 思ったより早く来ました。
ジェイソン・クラーク:それはよくあることですよね? 実際面白いのは、ご存知のように、Netskopeがそのスペースにあるということですよね? そして、私たちは人々のためにレポートを実行します。 私たちが入ってくると、人々は100 SaaS ほど持っていると思いますが、私たちが彼らに示すとき、彼らは1,000または2000を持っており、トラフィック数と SaaS トラフィックがWebトラフィックの半分以上であることを示します。 そして、あなたはただこれを手に入れます、「ああ、すごい」。 そして、次の文は「それは速く起こった」と言っていますよね? それはスポットです。 そのため、サードパーティのリスクが最も急速に成長しているリスクであるとおっしゃいました。 そして、それはあなたが言ったように、SolarWindsの例のように、SaaSまたは技術が組み込まれていることによって推進されていると思います。 それで、別のクイックヒットですよね? あなたにとって引退はどのように見えますか?
マシュー・マコーマック:私にはわかりません。 私はその近くにいるとは思わないよね? 私はあまりにも長い間政府にいました。 私は働き続けなければなりませんでした。 私にとって、CISOの日常業務以外の仕事を本当に楽しんでいることは、多くのCISOを指導し、大学で講義をし、高校に行くことです。 私はただのアドボカシーだと思います、そして私にとって、それは周りのアドボカシーではありません、「これがネットワークを保護する方法です。 これがあなたの子供のプレイステーションが危険にさらされている理由です。」 人々に規律に入ることを奨励することに関する擁護。 ねえ、ジェイソン、UMAを振り返ると、文字通り盲目ですが、愚かな盲目の運が、私たちが祝福されたと思うものに陥ったのですよね?
マシュー・マコーマック:97年に私がこれを始めたときに、サイバーセキュリティが現在の業界に変わるとあなたが私に言ったとしたら、私はあなたを信じなかったでしょう。 それは愚かな盲目的な運の単なる側面です。 しかし今、私たちは明らかにより多くのCISOを獲得する必要がありますよね? 何百万もの企業が存在するため、CISOは何百万も存在しません。 将来のサイバーリーダーのパイプラインだけでなく、そのピラミッドの作成をどのように支援しますか? さらに何百万人もの人々をこの分野に参加させ、これを行うためにコムサイエンスやエンジニアである必要はないことを彼らに納得させるにはどうすればよいですか? あなたがしなければならないのは好奇心旺盛ですよね?
マシュー・マコーマック:私が欲しいのは、何かを見て、「まあ、それは面白い。 それは意味がありません。 その理由を私に理解させてください。」 それは良い警備員を作る人です。 あなたが何かを見て、「なぜそのように見えるのか理解できないが、理由を理解して行くつもりだ」と言う人なら、あなたはこの分野に合っていますよね? では、どうすればより多くの人を参加させることができますか? 私が運用を終えたとき、週末に電話の電源を切ってそのようなことをする準備ができたとき、私は若い人たちに規律に入るように説得または教育するために多くの時間を費やすだろうと想像します。
ジェイソン・クラーク:大好きです。 実際、明らかに、あなたはすでに始めています、あなたは今それをしていますよね? あなたはただそれをもっとやるつもりです。 あなたはその空間と私たちがどのようにそれに陥ったかについて話したと思います。 正直なところ、2000年にセキュリティを離れることを考えましたよね? ILOVEYOUウイルスが発生するたびに、私は「私たちはすでにこれを解決した」と思っていました。 私は「AVです。 スパムフィルターがありますよね?」 私は文字通り少し退屈し始めていました、そして私は私のCCIEを手に入れ始めました。 私は書面に合格しました。 私は言った、「ああ、声は未来ですよね? ボイスオーバーIPは私のキャリアかもしれません。」 私は文字通り、セキュリティに行き止まりがあり、その後、全世界が変わるのではないかと心配していましたよね?
マシュー・マコーマック: さて、COVID後の今を見てください、企業が2か月の間にリモートから98%にリモートに移行するとき、そしてここで私たちは、それが聞こえるのと同じくらいクレイジーですが、私たちは2年間のCOVIDとリモート雇用を推進することになります。 それは明らかに世界を根本的に変えました。 オンラインコラボレーションツールを提供する企業の市場価値を見てください。 天井を通して。 では、オフィスに人がいないときはどうしますか? そして、それは「彼らの取引をどのように保護するか」だけではありません。 今、あなたは彼らの訓練に戻ります。 彼らがオフィスに来ていないとき、どのように彼らを訓練しますか? どうやって彼らにやらせますか...オフィスにいないときに外出するときにラップトップを提出するのはより複雑です。
マシュー・マコーマック: 突然、セキュリティが別のカーブを曲がり、業界はあなたのポイントにシフトしました。 ええ、私たちはそれを解決しました。 AVを手に入れました。 次は何ですか?」 神様、毎年、私たちの業界がシフトしなければ、そうですか? モバイルはそれをシフトしました。 クラウドはそれをシフトしました。 今、遠隔地の雇用はそれを変えました。 そして、2年後に別の変化があります。 それが私たちがセキュリティにとどまっている理由の1つだと思いますが、それは毎年何か違うものです。
ジェイソン・クラーク:最後の3つの質問ですが、それらはクイックヒットであり、15、20秒の答えですよね? 3つの質問。 それで、最初のものは、あなたの履歴書にない才能やスキルは何ですか?
マシュー・マコーマック:それは私の履歴書にはありません。 あなたは私が持っていることを意味しますが、私は履歴書を貼っていませんか?
ジェイソン・クラーク:あなたが持っているということは、趣味かもしれませんよね?
マシュー・マコーマック:ええ、だから私は大好きです 私は構築するのが大好きですよね? 擁壁かどうか。 COVIDが発生したとき、私は子供たちのためにツリーハウスを建てましたが、電気と水も流すことができませんでしたが、それ以外はおそらく本質的に小さな家です。
ジェイソン・クラーク:それはかなりクールです。 さて、2つ目は、ネットワークとセキュリティに携わっていなかったら、やっていたことをしていなかったら、他にどのような業界にいますか?
マシュー・マコーマック: 実際、学校では、工場の設計とオペレーションズリサーチと統計を行うインダストリアルエンジニアリングでした。 それは構造化されていないものを取り、私たちのORを通してそれをクリーンアップしているので、それを愛しています。 プーフ、これはあなたのものです...私は工場に行って、機械を近代化し、すべてのものを動かす方法を見るのが大好きです。 それは私にとって魅力的でしたが、海軍は「プーフ、あなたはより良い暗号学者になるだろう」と言いました、そしてここに私はいます、しかし私は本当に工場の設計と統計を大いに楽しむか、または大いに楽しんでいました。
ジェイソン・クラーク:あなたはあなたがあなたの子供とどのように見分けることができるか知っているように聞こえますよね? あなたはそれらを見始めることができます、そしてあなたはすでに才能とスキルを見ることができます。 だから私には4歳の子供がいます、彼はビルダーですよね? 彼は、4つのレゴセットでこれらの巨大なレゴセットを自分で構築するのに夢中になっている唯一の人であり、それに焦点を合わせて庭で物事を構築します。
マシュー・マコーマック:私も同じ方法で手に入れました。 幼い頃に、両親が私に言ったのとまったく同じ特徴のいくつかを見ることができるのは面白いです。 そうです、それも面白いです。 私は13歳から知っていましたが、彼がエンジニアになることは若い頃から知っていました。 私は知っていました。
ジェイソン・クラーク:同じですよね? 機械的、実践的、ある種のエンジニアも。 私のもう一人は、科学者のようなものです。 彼は化学物質と物を混ぜ合わせたいと思っていますよね? そして最後の簡単な質問は、誰かがあなたを呼び出し、初めてCISOである場合のトップアドバイスです。
マシュー・マコーマック:そして、これは私があなたと同じように与えるアドバイスです、私は現在CISOの役割を担っている多くの人々を育てるのを助けたという事実に誇りを持っています。 ですから、私がいつも彼らに与える作品の1つは、「あなたは賢いのであなたの仕事をしている。 あなたが会議のためにその部屋に座っている人々は、彼らが賢いので彼らの仕事をしています。 あなたは部屋で最も賢い人ではありません。 部屋の他の人からアドバイスを受けてください。 そして、セキュリティは協調的な規律ですよね? CTOとCIO、CFO、ジェネラルカウンセル、およびこれらすべての異なる分野と協力する必要があります。
マシュー・マコーマック:それで、彼らの言語を話すことを学びましょうよね? 弁護士を話すことを学ぶ。 ビジネスケースを書くことを学ぶのは、イニシアチブに数百万ドルを要求する場合、CFOは彼のリターンが何であるかを知りたいと思うからです。 あなたが交流しようとしているすべての仲間は、彼らも本当に賢いので、彼らの仕事をしていることを理解してください。 ですから、あなたが多くの賢い人の一人であり、あなただけが賢い人ではないことを知ってそれに入ってください。」
ジェイソン・クラーク:大好きです。 それは良いアドバイスだと思います。 かつて、CISOとして26歳で初めての取締役会に足を踏み入れ、緊張しました。 私は震えていました。 そして、この会社の会長は、「息子よ、こっちに来てください」と言い、「聞いてください、あなたはここの専門家ですよね? 彼らは賢い人です、はい、しかし彼らはボードにいます、しかし彼らはあなたがサイバーを知っているようにサイバーを知りません。 あなたは専門家です。 自分のものを所有していますよね?」 それから彼は振り返って言った、「そして私はあなたのためにもう一つものを手に入れました。」 そして彼は「これがジョニーブルーの2つのショットです」と言いました。 そして彼は言った、「彼はあなたの友達になるでしょう。 私たちは戻ってくるつもりです。 15分で始まります。」 私は「わかりました、それはうまくいきました」と思っていました。 ちなみに、これまでの人生でそれを持ったことはありません。
マシュー・マコーマック:そして、私たちは皆、物語を持っていると思います。 そして、私が見つけたのは、私が新しいサイバーイニシアチブを提唱しようとしていたIRSと26,000人のビジネスユニットの責任者にいたときから、彼は「ねえ」と言いました。 「息子」、それは通常いくつかのアドバイスが続くでしょう? あなたが現在知らないことを教えてくれます。 だから私は間違いなくそれを聞いています。 誰かが始めるときはいつでも、それだけです。 私が年をとった今、それはそれほど起こりません。 しかし、誰かが「息子」で何かを導くときはいつでも、私は後に続くものが私が聞くべきものであることを知っていました。
ジェイソン・クラーク:その通りです。 子供の頃からずっとですよね? まあ、とにかく、私たちは時間がありませんが、マット、これはおかしくて素晴らしかったです。 本当にありがとう。 これは楽しかったです。 そこにいるすべての人にとって、たくさんの素晴らしい洞察があり、彼らはあなたをさらによく知るようになったと思います。 これをもう一度やりましょう、そして間違いなく戻ってきて、私たちが一緒に業界のためにできることについてもっと話しましょう。
マシュー・マコーマック:いいですね。 ありがとう、ジェイソン。 本当に感謝しています。 とても楽しかったです。
広告ロール:セキュリティビジョナリーポッドキャストは、Netskopeのチームによって提供されています。 デジタルトランスフォーメーションの旅を可能にする適切なクラウドセキュリティプラットフォームをお探しですか? この Netskope Security Cloud は、ユーザーを任意のデバイスから任意のアプリケーションに直接安全かつ迅速に接続するのに役立ちます。 詳しくは Netskope.comをご覧ください。
ナレーター: セキュリティ ビジョナリーのお話を伺い、ありがとうございます。 ショーを評価してレビューし、それを楽しむかもしれないあなたが知っている誰かと共有するために少し時間を取ってください。 隔週でリリースされるエピソードをお楽しみに、次のエピソードでお会いしましょう。
){kind=icon}
