The skills shortage is real, is likely bigger than most estimates suggest, and isn't just about the sheer numbers of people, says Bourzikas. His advice for aspiring IT leaders: emphasize and encourage diversity of thought on your teams.

As CISO & VP of McAfee Labs Operations, Bourzikas is responsible for the company’s cybersecurity and physical security strategy, including security architecture and solutions delivery, security governance, risk and vulnerability, and security operations and intelligence programs. He also oversees the company’s threat intelligence team and analytics for customers. Prior to joining McAfee in early 2017, Bourzikas served in several other positions leading cybersecurity strategy, architecture, engineering and operations. Here, he shares his career path and offers advice for aspiring security leaders.

What was your first job?
After college, I got a job at one of the top 5 public accounting firms, leading cybersecurity technical attack and penetrations, risk assessments, and strategy development and consulting teams.

How did you get involved in cybersecurity?
Cybersecurity always interested me. While I studied for my accounting degree, I was building websites and one of them was defaced. This piqued my interest in cybersecurity, and I began reading everything I possibly could about cybersecurity, networking, operating systems, along with learning C++, J2EE, SQL, and Python. Because of this interest and the talent shortage in cybersecurity, the public accounting firm asked that I join the national cybersecurity practice.

Tell us about your career path.
My college degree was in accounting, so naturally that’s where my career path began. Fortunately, my detour with my first job and joining the firm’s cybersecurity strategy and assessment consulting team set me on a new path. It was the perfect storm, really. Cybersecurity was something that always interested me, and I enjoyed reading up on it in my spare time.
Since then, nearly my entire career has been spent in cybersecurity strategy, architecture, engineering and operations — for both tech, non-tech, and now a cybersecurity company — spanning gaming, finance, and utilities. Several years ago, I also took a brief hiatus from cybersecurity and ran the back and middle office operations for a brokerage. It was a fascinating time because it taught me a lot about process discipline within business operations, which is now being applied into our own security operations center.

What do you feel is the most important aspect of your job?
I see that I can make the biggest impact in education, awareness, and leadership — training the next generation of cybersecurity talent, building awareness across all staff, and communicating effectively with management and the board. Today, developing a security culture is one of the most important functions at any organization, and it must be embedded at every level and in every process. It requires constant awareness building and universal buy-in. I believe we have been extremely successful at creating this culture at McAfee. Something that is also quite unique to my role as CISO of a cybersecurity company, is that as I am McAfee’s ‘Customer:Zero’, it’s important to pass on my own learnings and knowledge directly to our customers who are facing the same challenges. Sometimes this can be through one-on-one meetings with other CISOs, but my team and I also often go into companies to help them build the infrastructures and teams they need to be as successful as we have been.

What metrics or KPIs do you use to measure security effectiveness?
We have a vast set of metrics we utilize when it comes to measuring security effectiveness.
We have risks and maturity models for each business unit, key cybersecurity health metrics like time to detect and time to respond, threat landscape and defense indicators, and project-level outcome-based metrics.

Is the security skills shortage affecting your organization? What roles or skills are you finding the most difficult to fill?
The shortage is real, and it is likely larger than the estimated two million because the young people just entering the market are really not yet qualified for the critical tasks and types of thinking that cyber defense requires. It actually takes an additional three to five years to develop most staff into top-flight cybercrime fighters. So, the challenge isn’t just about the number of people. It’s about the quality. The most difficult positions to find are diverse management and leaders. One of the challenges in the industry is that it is a male-dominated industry which doesn’t create the diversity of thought, experience, or skillset that is needed. The hardest roles to obtain are strong security architects.

Cybersecurity is constantly changing – how do you keep learning?
I have always read voraciously – a lot of security-specific resources, certainly, but also a lot of business resources, so I understand the implication of the cybersecurity challenge. I also read a variety of national and local newspapers, magazines, and blogs. But today, I actually get the most valuable information from Twitter because it lets me see in real time what people are thinking about and reacting to across the widest range of topics.

What is the best current trend in cybersecurity? The worst?
The most encouraging trend is around the use of analytics to understand how attacks are occurring. We are starting to use machine learning, deep learning, and AI to look at large datasets to gain deeper and broader insight into the different threat landscapes – especially how technology is being used both for us and against us.
These technologies have had traction in universities and businesses as areas of research and product development, and I’m very happy to see them starting to help protect us against cybercriminals. On the downside, ransomware is particularly troublesome because it enables cybercrime to become profitable, which just encourages more attacks. Other attacks still flying under the radar are the new types of threats, like Spectre and Meltdown, that enable hackers to do things no one should ever be able to do – that is, gain privileged access to systems and kernels – which means they have the potential to have a major impact on every business around the world. We’re also seeing successful old-style network-based attacks, like WannaCry, which was able to spread ransomware broadly. This makes it very important to understand the past and how these old-style attacks were executed to ensure we continue to protect against them.

What’s the best career advice you ever received?
“Don’t aim for success if you want it; just do what you love and believe in, and it will come naturally.” – David Frost

What advice would you give to aspiring security leaders?
Recognize that diversity of thinking is essential for your success. As you build your teams, look for people who think differently than you and from each other. It’s too easy to develop blinders when it comes to approaches to cyber defense, so you want your group to be made up of people with very different mindsets. At the same time, build teams from the ground up that work together effectively — they must all embrace and respect this diversity of thought. The other important bit of advice is to recognize that success depends on your ability to collaborate. You must be able to coordinate effectively with all the other leaders in your organization. You must understand how they see the world and what their risks are. You won’t be successful if you don’t do this.

What has been your greatest career achievement?
I’m very proud about the way the widespread adoption of the One McAfee product by our employees enables our entire organization to understand the customer viewpoint and how our solutions, services, and content are being delivered. Our world-class SOC is also a significant achievement, creating a model that other organizations are eager to understand and follow. It gives our employees a sense of ownership, larger comradery with our customers, and allows them to see that we are practicing what we preach.

Looking back with 20:20 hindsight, what would you have done differently?
I wouldn’t change anything because all those experiences have made me into the person I am today. Without them, I might not be in the same position today. My belief is that you must learn and adapt as a person, couple, or even family to be successful. Simply wanting to change the past will not help you as a person.

This interview is part of CSO’s regular Spotlight series, which focuses on the career paths of security leaders. If you know someone (or are someone) with a story worth telling, please contact kate_hoy@idg.com.