Thanks, everyone, for joining us on the Security Influencers Channel. We're hosting a series of brief and highly informative interviews with influential security leaders and in 2015, we're talking about the implications of rapid software development and continuous security. Today, I'm pleased to have with us Stuart McClure. Stuart is an acclaimed security visionary. He's the lead author of "Hacking Exposed: Network Security Secrets & Solutions" which is on my bookshelf, by the way. He's currently the CEO and President of Cylance, Inc. Prior to Cylance, he was an EVP, global CTO and General Manager at McAfee.
In this interview, we discuss what Cylance does and what led Stuart to create the company after seeing the frustration of so many breaches. Stuart knew all the while where the weaknesses and gaps in those technologies, those people and those processes were, and he knew that he could build technology to help eliminate those gaps. Stuart tells me what looks different about malicious software and how we can protect ourselves against it. Stuart also shares his views on the cyber-warfare that is constantly going on in the world, especially in the wake of the Sony and North Korea hack.
If you would like to be notified when future episodes in The Security Influencers Channel become available click here to download and subscribe to the podcast in iTunes.
The following is a brief excerpt of our interview.
Jeff Williams: You coined a term in the Operation Cleaver report that I liked. You said, "We're experiencing security anaphylaxis." Tell us what you meant by that. What's going on with that syndrome?
Stuart McClure: Well, what I mean is first of all, this problem of malaise is endemic. We tend to not respond unless it's a fire in our face and that's kind of an unfortunate part. What stems from that, as well, is this idea that, "Well, if I start looking for these attackers in my environment, I might just find them. And if I find them, I might just have to react and respond. And if I have to react and respond, I might have to answer the question of 'Why didn't I see them in the first place?'"
So it's almost the system attacking the system. It's this anaphylaxis. It's the immune response gone wrong.
So security anaphylaxis to me is this bury-your-head-in-the-sand attitude: "I don't want to hear about it, I don't want to know about it because if I do, I've got to respond, and if I've got to respond, I've got to admit that we're inadequate. If we've got to admit that we're inadequate, I'm not seen as a strong security professional." That's the sad reality.
Jeff Williams: Interesting. So again, it all really comes back to your corporate culture and whether you have that culture that really wants to know about security and wants to dig into these incidents. Or the kind of culture that's just like "You know what? I can't worry about that. I'm going to stick my head in the sand and see what happens."
Stuart McClure: That's right, exactly. The senior executives have to start to wake up. This is a wake-up call for every senior, every C level, CEO, CIO, COO, CFO.
Jeff Williams: All the way to the board, right? It really has to come from the board.
Stuart McClure: It does. I am often asked to go and present to boards all around the country. I will tell you that they're starting to at least want to hear it. It's a board-level issue that they want to hear about.
The problem that I have found is that almost every board presentation that I've done in partnership with all of the C levels that have promoted me into that role, they don't want to present the real picture. They want to present the rosy picture. Because they don't want to be seen as inadequate security professionals. They want to be seen as on the job and they're in it and they've been able to prevent all of these attacks and they've been able to thwart all of this stuff.
What they're not telling the board is the real deal. The real deal is that they can't possibly prevent all of these attacks with the amount of people and the amount of technology and the lack of process that they have. But they don't want to admit that.
Jeff Williams: What can we do to help boards see that security people shouldn't be really measured on security, they should be measured on the visibility into security that exists? The actual situation on the ground.
Stuart McClure: I couldn't have said it better than that. That's exactly what needs to happen. Culturally we need to empower the board to recognize the fact that security people are not responsible for security. They're responsible for the visibility and the disclosure of security flaws and vulnerabilities. That they should be rewarded and measured based on that. Not measured based on whether or not they got hacked.
That's the problem. That's a huge cultural shift that's got to occur in our industry as a whole. I can't tell you how difficult that is going to be, but I think it has to start with something that I...I'll tell this story real quick.
When I first went over to Kaiser Permanente, my colleague and I went in and basically told the board, "You cannot secure this place. It's impossible. If you're asking and looking for us to secure this environment, you've got the wrong guys."
If you start every conversation with that, you might just start to shift and get a little bit of a Christmas light bulb to go off on somebody's head to think, "You know what, here are the best people in the world about security. There are very few people that know how to secure environments better than these two people that just walked in my door. They're telling me it's impossible to secure this environment. Okay, if that's true, then how should we measure security?" You should measure us by the visibility that we give you into a lack of security in the environment.
Jeff Williams: Yeah, I think that's right.
Stuart McClure: I see the responsibility to go about it and address it and fix it.
Jeff Williams: I believe that visibility is really important. That's the mission we set at OWASP: to make application security visible so that market forces can help and your corporate culture can help and IT can help. If everyone sees what security really is, then I believe people will make the right decisions.
Stuart McClure: That's absolutely right. That's one of the powerful parts of OWASP and that's what I love about it. It really does disclose the underbelly of the web application world, this invisible world. Users just see a browser with pretty images. They don't realize what goes on behind the scenes once they get that URL link, and all of the potential vulnerabilities in the application layers all the way through to the back end.
What OWASP has done, I would love to see in a broader sense, in our industry as a whole: just being able to expose the flaws and the weaknesses and the gaps and the ways into the environment without reprisal. With honor.
To hear the rest of my interview with Stuart, click here.