With little time to react, staying ahead of threats is top-of-mind for C-level execs

Tyson Macaulay joined network security vendor Fortinet in November 2015 as Chief Security Strategist and VP of Security Services. In the newly created role, Macaulay is charged with advising the company’s C-Level enterprise customers and helping them take a holistic approach to managing their data security environments.

In this email Q&A, we catch up with Macauley to learn about trends in the challenges his customers are facing, why he says he “would put IoT security up there with ‘keeping children and lunatics away from firearms,’” how he plans to help customer extend their event horizon, and what he has at the top of his to-do list for the next three months.

You’ve been at Fortinet for a few months now. Can you give us an idea of what a typical day looks like?

In my role a typical day does not really exist but most of my time is committed to being a trusted advisor to C-Level enterprise customers, helping them take a holistic approach to managing their data security environments in a threat landscape that is rapidly changing and evolving. Fortinet’s enterprise business is growing and I play a critical role in helping our customers future-proof their cyber security strategies to ensure they stay ahead of threats and protect their business. This is not easy and a consultative approach is important. I do this through a variety of methods: calls, presentations, travel to customer sites, email, solutions content development, etc. I also spend a lot of time with various teams within Fortinet to help them understand the outside world better so that we can build stronger relationships with our customers and partners.

Before joining Fortinet, you held positions as CTO of Telecommunications Security at Intel and Security Liaison Officer at Bell Canada. What attracted you to this opportunity?

The security market is a crowded space, there are a lot of confusing marketing messages, and there is urgency to change the trajectory of cybersecurity. Fortinet is a company that I believe is well positioned to deliver what the industry needs. Customers and partners want technology that will not just prevent possible attacks, but help defend their reputations, their valuable customer data, or their competitive edge. Working alongside security industry veterans such as Ken Xie and Michael Xie and our global customer and partner ecosystem is a great opportunity. Fortinet is driving the future of this industry with our security fabric platform.

What’s at the top of your to-do list for the next 3 months?

Development and presentation of key use-cases and security reference models for a couple major industry verticals (telecom, finance), and for the IoT generally. These models will be living documents, evolving as time passes and products advance. Clients and especially executives need context to understand a technical solution or product; I am trying to create that context to encourage better overall security and drive product adoption, but not just any product. Customers need to make smart decisions. A wrong security decision is costly and can dramatically affect the reputation of a business. In light of all of the evidence it’s clear some new ideas are needed. But enterprises today are still relying on the same old strategies. Complexity is the enemy of security, enterprises can have up to 20 different solutions across their network.

What are your customers telling you about the challenges they’re facing? What is keeping them up at night?

The security threats facing organizations today are constantly changing and evolving. Staying ahead of these threats is top-of-mind for C-level executives across industries. The biggest problem that customers are facing is that their event horizon is limited to about 3 to 6 months. They don’t know what is coming from a solution or threat perspective, yet they are trying to plan and budget 1 or 2 years out – 3 to 5 years in the case of telecoms. Imagine driving at high speed, at night, and your headlights stop being useful 50″ ahead: not much time to react. Stressful!

I am trying to extend their event horizon – not in a point product-centric manner but end-to-end, in an Enterprise Risk Management framework. In the course of this process, we also have to recognize that the vendor ecosystem is diverse, competitive and customers have a wide range of existing investments.

Are you seeing any trends emerging in the security needs of your clients?

There are trends in “interest” and trends in “needs” – we try and address both.

“Need” trends are: Data center/cloud and virtualization security, predictive analytics and threat management, “sandboxing,” security in the face of more and more encryption, 4G wireless security.

“Interest” trends are: Internet of Things security, 5G wireless security, software defined networking and network function virtualization. “Interest” trends reflect their event horizon – the limit of their awareness, if not planning – and a place we want to help guide them towards.

Much ado has been made about the security talent shortage. How is that impacting your clients, if at all?

Customers are being forced to accept more risk, due to the security skills shortage. With risk you can: treat it, transfer it, or accept it. If you can’t find the right people to do your security, even if you can afford all the security products available – then you have to accept the risk or actively constrain your business. Of course, no one will shrink their own business – they will (usually) accept the odds and keep going. The problem lies in that the odds are often over grossly estimated – in favor of a good outcome versus an impact. I would say that many managers will estimate a risk at 1000:1 when it can well be 10:1. Often they have already been hit, they just don’t know it.

I see from your LinkedIn profile that you’ve served on ISO technical committees for Internet of Things security standards. Among “next big bad things,” where does IoT fall?

IoT security, if we do it badly, can be far worse than anything we have seen before because our physical property and personal safety are also at stake; not just privacy and wealth.

I would put IoT security up there with “keeping children and lunatics away from firearms.”

Switching gears now back to your career path. What are some of the key things you learned along the way that led you to where you are now?

• Appreciation for the highest sorts of assurance requirements (national security/military) at EWA and Bell.
• Carrier-grade (fixed line and wireless) network requirements and security from Bell.
• Hardware-based security, network function virtualization (NFV) and software defined network (SDN) from Intel.

What’s your signal that it’s time to move on? Do you take a job with a specific goal or achievement in mind?

Career path and product roadmap(s) are critical to me. I enjoy working with people and find collaborative opportunities, meaningful relationships and friends everywhere; but I need to believe the job will allow me to grow and learn in the medium to long term, in ways that inspire me. Similarly, I am driven by solving hard problems and finding new and novel solutions to tough challenges: my passion involves gearing products and services towards the event horizon – addressing the problems of today and planning to address the problems of 2 or 4 years from now.

Do you have any advice for aspiring security professionals?

Ha! Too much to write here. I have mentored half a dozen younger people over the years and even developed a body of knowledge with the Professional Engineers Ontario to try and shape skills training and university curriculums. I did a talk at a college (Algonquin) last week about security and what to think about if you wanted to get in to the industry: I said that, broadly, there are four areas that people seem to group – but not evenly.

We need more people in all areas.

Hardware security – Hardware security is underutilized today, and we can accomplish a lot more in this area. This is everything from hardware accelerations, where Fortinet is very strong, to hardware based identity management and trusted platform modules.

Platform security – network security, virtualization security (becoming the same thing as network security) and operating system/hypervisor security. We need people who understand networking security and virtualization together. Virtualization is not for the data center anymore.

Software security – how to code in a secure manner and create stable and secure applications – for mobile devices, for data center and cloud, and for the Internet of Things endpoints (constrained and embedded devices).

Risk management – people who can see all of the other three domains above as an entire, interdependent system and imagine the threats, vulnerabilities and risks. This type of security person has to be an especially good communicator – more so than the other domains.