Name: Grant Bourzikas
Company: McAfee
Job title: CISO & VP of McAfee Labs Operations
Time in current role: 11 months
Location: Plano, Texas

As CISO & VP of McAfee Labs Operations, Bourzikas is responsible for the company’s cybersecurity and physical security strategy, including security architecture and solutions delivery, security governance, risk and vulnerability, and security operations and intelligence programs. He also oversees the company’s threat intelligence team and analytics for customers. Prior to joining McAfee in early 2017, Bourzikas served in several other positions leading cybersecurity strategy, architecture, engineering and operations. Here, he shares his career path and offers advice for aspiring security leaders.

What was your first job?
After college, I got a job at one of the top 5 public accounting firms, leading cybersecurity technical attack and penetrations, risk assessments, and strategy development and consulting teams.

How did you get involved in cybersecurity?
Cybersecurity always interested me. While I studied for my accounting degree, I was building websites and one of them was defaced. This piqued my interest in cybersecurity, and I began reading everything I possibly could about cybersecurity, networking, operating systems, along with learning C++, J2EE, SQL, and Python. Because of this interest and the talent shortage in cybersecurity, the public accounting firm asked that I join the national cybersecurity practice.

Tell us about your career path.
My college degree was in accounting, so naturally that’s where my career path began. Fortunately, my detour with my first job and joining the firm’s cybersecurity strategy and assessment consulting team set me on a new path. It was the perfect storm, really. Cybersecurity was something that always interested me, and I enjoyed reading up on it in my spare time.
Since then, nearly my entire career has been spent in cybersecurity strategy, architecture, engineering and operations — for both tech, non-tech, and now a cybersecurity company — spanning gaming, finance, and utilities.

Several years ago, I also took a brief hiatus from cybersecurity and ran the back and middle office operations for a brokerage. It was a fascinating time because it taught me a lot about process discipline within business operations, which is now being applied into our own security operations center.

What do you feel is the most important aspect of your job?
I see that I can make the biggest impact in education, awareness, and leadership — training the next generation of cybersecurity talent, building awareness across all staff, and communicating effectively with management and the board. Today, developing a security culture is one of the most important functions at any organization, and it must be embedded at every level and in every process. It requires constant awareness building and universal buy-in. I believe we have been extremely successful at creating this culture at McAfee.

Something that is also quite unique to my role as CISO of a cybersecurity company is that as I am McAfee’s ‘Customer:Zero’, it’s important to pass on my own learnings and knowledge directly to our customers who are facing the same challenges. Sometimes this can be through one-on-one meetings with other CISOs, but my team and I also often go into companies to help them build the infrastructures and teams they need to be as successful as we have been.

What metrics or KPIs do you use to measure security effectiveness?
We have a vast set of metrics we utilize when it comes to measuring security effectiveness.
We have risks and maturity models for each business unit, key cybersecurity health metrics like time to detect and time to respond, threat landscape and defense indicators, and project-level outcome-based metrics.

Is the security skills shortage affecting your organization? What roles or skills are you finding the most difficult to fill?
The shortage is real, and it is likely larger than the estimated two million because the young people just entering the market are really not yet qualified for the critical tasks and types of thinking that cyber defense requires. It actually takes an additional three to five years to develop most staff into top-flight cybercrime fighters. So, the challenge isn’t just about the number of people. It’s about the quality. The most difficult positions to find are diverse management and leaders. One of the challenges in the industry is that it is a male-dominated industry which doesn’t create the diversity of thought, experience, or skillset that is needed. The hardest roles to obtain are strong security architects.

Cybersecurity is constantly changing – how do you keep learning?
I have always read voraciously – a lot of security-specific resources, certainly, but also a lot of business resources, so I understand the implication of the cybersecurity challenge. I also read a variety of national and local newspapers, magazines, and blogs. But today, I actually get the most valuable information from Twitter because it lets me see in real time what people are thinking about and reacting to across the widest range of topics.

What is the best current trend in cybersecurity? The worst?
The most encouraging trend is around the use of analytics to understand how attacks are occurring.
We are starting to use machine learning, deep learning, and AI to look at large datasets to gain deeper and broader insight into the different threat landscapes – especially how technology is being used both for us and against us. These technologies have had traction in universities and businesses as areas of research and product development, and I’m very happy to see them starting to help protect us against cybercriminals.

On the downside, ransomware is particularly troublesome because it enables cybercrime to become profitable, which just encourages more attacks. Other attacks still flying under the radar are the new types of threats, like Spectre and Meltdown, that enable hackers to do things no one should ever be able to do – that is, gain privileged access to systems and kernels – which means they have the potential to have a major impact on every business around the world. We’re also seeing successful old-style network-based attacks, like WannaCry, which was able to spread ransomware broadly. This makes it very important to understand the past and how these old-style attacks were executed to ensure we continue to protect against them.

What's the best career advice you ever received?
“Don't aim for success if you want it; just do what you love and believe in, and it will come naturally.” – David Frost

What advice would you give to aspiring security leaders?
Recognize that diversity of thinking is essential for your success. As you build your teams, look for people who think differently than you and from each other. It’s too easy to develop blinders when it comes to approaches to cyber defense, so you want your group to be made up of people with very different mindsets. At the same time, build teams from the ground up that work together effectively — they must all embrace and respect this diversity of thought.
The other important bit of advice is to recognize that success depends on your ability to collaborate. You must be able to coordinate effectively with all the other leaders in your organization. You must understand how they see the world and what their risks are. You won’t be successful if you don’t do this.

What has been your greatest career achievement?
I’m very proud about the way the widespread adoption of the One McAfee product by our employees enables our entire organization to understand the customer viewpoint and how our solutions, services, and content are being delivered. Our world-class SOC is also a significant achievement, creating a model that other organizations are eager to understand and follow. It gives our employees a sense of ownership, larger comradery with our customers, and allows them to see that we are practicing what we preach.

Looking back with 20:20 hindsight, what would you have done differently?
I wouldn’t change anything because all those experiences have made me into the person I am today. Without them, I might not be in the same position today. My belief is that you must learn and adapt as a person, couple, or even family to be successful. Simply wanting to change the past will not help you as a person.

BEYOND THE BASICS

Education: I hold a bachelor’s degree in Accounting from the University of Missouri, and I’m a Certified Public Accountant. Currently enrolled in a Master of Science degree in Data Science. I also have my CISSP and have formerly held my MCSE, CCSP, CCNA, CCNP.

Must-attend conferences: RSA, Black Hat, DEFCON, and MPOWER.

Favorite quote: “Don't aim for success if you want it; just do what you love and believe in, and it will come naturally.” – David Frost

What are you reading now? The Success Equation by Michael J.
Mauboussin.

Most people don't know that I … Played college baseball.

Ask me to do anything but … Skydive.

In my spare time, I like to … I didn’t have a lot of spare time in 2017 because I joined McAfee in April and moved my family to Dallas from St. Louis. I’m an avid golfer, fitness junkie, and enjoy reading anything about data science.

This interview is part of CSO’s regular Spotlight series, which focuses on the career paths of security leaders. If you know someone (or are someone) with a story worth telling, please contact firstname.lastname@example.org.