McAfee CEO Chris Young Contemplates The Future Of Cyber Security

Chris Young began his career in cyber security before the term was coined. Back in the 1990s, when Young was in his 20s, his first security company, Cyveillance, which he co-founded, considered itself to be in the “info stack” space.

After multiple leadership roles in cyber security, for the past three years, Young has been the Chief Executive Officer of McAfee, a $2.5 billion revenue device-to-cloud cybersecurity company with 97 million enterprise endpoints and 525 million consumer endpoints. McAfee operates in 189 countries, serving 80% of Fortune 100 firms, more than two-thirds of the Global 2000.

In this interview, Young explains how the cybersecurity industry faces a duel challenge of keeping up with the transformations that happen within core technologies while simultaneously tracking the innovative nature of cyber attackers. Staying current requires consistent research, collaboration within the industry, acquisitions, and partnerships. Young describes some of the best practices he sees within the cybersecurity space, including red teaming and risk prioritization. We also discuss the future of advanced forms of analytics and AI within cybersecurity, Chris’s career path, his advice to individuals on how best to protect their information, and a variety of other topics.   

Peter High:  Chris Young, you are the Chief Executive Officer of McAfee, LLC, an organization that you joined via Intel Corporation [Intel]. You joined Intel in late 2014 as the Senior Vice President and General Manager of Intel Security Group, which included McAfee. The company had been acquired in 2010 by Intel and then spun back out during your tenure. What was the rationale for the spin?

Chris Chris Young: Part of the reason for Intel to spin McAfee out was to allow the company to focus on the core mission of cybersecurity. After I joined Intel several years ago, we started on a number of discussions and spent a lot of time working through the strategy as it related to cybersecurity. This process, which I conducted with our CEO at the time, ultimately led us to the conclusion that the best way to tackle the cybersecurity problem was to make McAfee a separate company again. That was the driving force behind spinning McAfee out of Intel in 2017.

Peter High:  Now you operate an independent entity in an extremely hot space due to the great need for security services by companies and individuals. How do you differentiate yourself in a sea of so many technology firms that are focused on cybersecurity?

Chris Chris Young: There are several ways in which the market and our customers look at us differently than other similar firms.

  1. Security is a business that is about trust, and we have spent many years building trust in the McAfee brand and company. Whether we consider the markets for our enterprise customers, government customers, or millions of individual consumers, our differentiation comes from the trust that we have built up through the expertise and value that have been able to deliver over the years.
  2. The size and scale of what we do set us apart. We differentiate ourselves through the amount of information we are able to collect as a result of the different devices that we cover and the vast number of people we protect across the globe. The consumers, enterprises, and governments around the world give us a unique perspective on the broader threat landscape. We can translate that into defenses that are helping customers of all kinds to protect themselves more effectively against the cyber threat.
  3. We have innovated to cover other elements of cybersecurity that are newer and in their growth trajectory. For example, we have expanded to become more of a cloud security company over the last several years. That is helping us provide greater cybersecurity, visibility, and control in all aspects of our customers’ cloud transformation journey.

Peter High:  It is an unfortunate fact that the bad actors are innovative and are constantly developing new means of penetrating enterprises in their attempts to steal valuable information. How do you stay current and determine new areas to move into covering? How do you think about growth into adjacent areas relative to expanding your offerings through acquisition versus through internal means?

Chris Young: Staying current requires a lot of diligence in this industry, as it is fast-moving. We have a dual challenge to manage which is unique to almost any other sector of technology. First, we have to keep up with the changes and transformations that happen in the core underlying technologies that companies and consumers rely on, whether it is mobile or cloud or advanced analytics. All of those trends impact us. The second challenge we face is the innovative nature of the cyber attackers themselves. We spend a lot of energy maintaining currency in that particular aspect, which we do in a couple of ways. We have people who are strictly focused on the cyber threat landscape, people who are producing content that goes into our products, and people who conduct advanced research on customers’ environments just for McAfee. Ultimately, it takes a community of people inside and outside of McAfee who we stay highly connected with to keep us in the flow of the cyber threat landscape.

It is constantly evolving, so we constantly try to stay involved in as many ways as possible whether it is through technology, people, or how we interact with others in the industry. We work in a variety of industry groups. A good example is Cyber Threat Alliance, a collaborative group we helped co-found several years ago made up of cybersecurity companies that are competitive in many regards. Through this type of organization, we conduct joint research programs and share threat intelligence.

Regarding how to drive innovation and tackle adjacency, we are constantly building new capabilities. In some cases, we have chosen to acquire and in others, we have chosen to partner. For example, we acquired Skyhigh Networks in 2018 to get us going in cloud. It led our foray into the cloud access security broker space, which is primarily about protecting data, stopping threats, setting policy, and having visibility into SaaS applications. Since we bought the company, we have been expanding to cover applications and data that are custom in nature running on infrastructure and platform as a service environment. This involves providing visibility and control for cloud across a variety of different use cases. We are increasingly expanding in this area.

In addition, we have doubled down on our commitment to cloud. All of our traditionally available products are now consumable as cloud services. One of the biggest announcements we made at the end of 2018 was that of our MVISION launch. MVISION is our cloud family of product offering. All of our products today, including the traditional offerings of endpoint security, data loss prevention, security information and event management [SIEM], intrusion prevention system [IPS], are either consumable as SaaS offers that we provide or as services that can be spun up on cloud environments such as Amazon Web Services [AWS]. We have made a big commitment to making security capabilities available via the cloud as well as providing visibility and security for cloud environments for our customers. We are expanding into areas of coverage for security that are top of mind for our customers.

Peter High:  You work with a great number of Chief Information Security Officers, Chief Information Officers, and other executives. You have a consumer portfolio as well. While you offer solutions, companies decide how they are used, how they are organized, and what complementary practices are put in place. These aspects play a role in determining whether the products will be successful in keeping information secure. What are some best practices you see in terms of how to best manage security within the enterprise?

Chris Young: The best practices that we see in the industry fall into a couple of categories. The first that is utilized by many organizations today is red teaming. Companies attack themselves as an opportunity to learn how adversaries will come at them, and then they adapt their defenses in accordance with the weaknesses they discover. This process puts into practice vulnerability management, risk assessment, and other foundational capabilities. If you consider sports as an example, it is important to have the fundamental skills in place. However, it is even more important to feel good about how you put them together and perform in a simulation of the game. Red teaming is a practice situation utilizing all of the fundamentals. We understand our vulnerabilities and our systems. We have tools in place and people working in a security operations team. Then we test whether all those different pieces can come together when we effectively simulate an attack. Some of the best teams in cybersecurity are employing red teaming to their benefit. A CSO recently told me that one of the strategies that has strengthened our craft has been the fact that we pay great attention to attacking ourselves.

Secondly, it is critical to understand areas of risk to any organization and prioritize ruthlessly in accordance. It is impossible for a large organization to cover everything. The ability to understand which areas are the most important and position one’s self to protect them is necessary. In some situations, attackers will come directly at an organization or there may be a malware hit. Some forms of attack simply spread without discriminating about the location or subject of the target. The goal is to ensure that even if there are machines that get compromised in an organization, the attacker is not able to leverage them into more critical assets in the pursuit of their goal.

Effectively red-teaming oneself and truly understanding risk in order to place defenses around the right areas are two of the best practices that I see. Lastly, I will note the importance of understanding the expansion of one’s own environment. Cloud is the biggest area. A lot of customers today are still not there. They do not have the right level of visibility and control across the different aspects of their applications and data that are increasingly either leveraged into the cloud as SaaS or placed into the cloud because there is a lift and shift going on in their IT infrastructure.

Peter High:  A lot has been written about the benefit of humans, analytics, machine learning, and artificial intelligence [AI] working together. Given the vast expansion of the threat landscape as well as the innovation of the bad actors, having algorithms working with humans to play both a shrewd offense and defense becomes that much more important. What role do you see artificial intelligence playing?

Chris Young: Human-machine teaming is an incredibly important growth area for the industry. It is something that we believe in heavily at McAfee. Our CTO, Steve Grobman, discusses human-machine teaming as a way to leverage advanced forms of analytics, AI, and more. There are still questions or scenarios that require humans, but machines and large-scale analytics on large data sets are ways in which you can give humans reach and depth that they could not get on their own. Putting the two capabilities together is quite powerful. Advanced forms of analytics and AI will increasingly be foundational to everything we do in cybersecurity. They are becoming foundational to most aspects of technology. The way in which content gets delivered and the way in which we interact with our devices are increasingly assisted by AI or forms of AI. Cybersecurity is going to be no different than that.

Peter High: How did you get into security? Although you are still relatively young as a 40-something-year-old CEO, you have already been a founder, a CEO, and a GM in multiple businesses. You founded your first business 22 years ago which was also in the security space. How did you find yourself attracted to security?

Chris Young: I find that it is important to have a sense of where you are going in a career, but sometimes life takes you in different directions. When we started in the industry over 22 years ago, we set out on a different mission. We were more focused on how we were going to uniquely deliver content. In those days, the conductivity speeds that were available to us to access content on the internet were different. As we focused on delivering content, we would talk to a number of potential customers that were starting to say to us, “One of the challenges we have is with the security of our content. We do not know where it is or what people are doing with it. We could certainly use someone to help us organize and understand that visibility into our content.” That is how the idea for my company Cyveillance, which I founded with three other people in the ‘90s, was born. I have been in and around cyber security ever since then, though we did not call it cybersecurity that far back. It was more often known as “info stack” or “information security.” Cyber came into the common lexicon for our industry many years after that.

Peter High: McAfee serves both enterprises and individuals. As somebody who has such depth of experience in this space and now runs a company of such consequence, how do you manage your own cybersecurity in ways that you might advise others to emulate?

Chris Young: Consumer security is extremely important, and it is evolving as fast, if not faster, than enterprise security. Perhaps more so than enterprises, consumers are oriented around letting third-parties use their data. So much of what I believe the consumer has to be worried about in today’s world is the information that others have that is increasingly out there in different repositories. It is one of the reasons why we have been on a mission to expand our ability to help the consumer protect their privacy and protect their data. We have added password management. We acquired a company a year ago called TunnelBear, which is a cloud-based VPN provider. We do that in addition to all the malware tools that we provide to customers to help them protect their digital lives. Increasingly, the consumer has to think about the world almost similar to a small business. Now, consumers have home networks and many different devices that are connected. One of the newer products in our portfolio is called our Secure Home Platform, with which we protect all of the devices in the home. The consumer has a broad range of concerns: they have to worry about devices, information, and multiple people if they have a family. The consumer security challenge is becoming more complex, similar to the rest of cybersecurity.

First, from a personal perspective, I try to be judicious with where I put my information. Secondly, I try to make sure that I am using good security tools in the home to protect the different devices against malware and some of the attacks that consumers can become victim to, such as ransomware. Third, practicing good password hygiene is important. If I were to tell the consumer anything, it is that good password hygiene is your most effective defense against the threat that you want to worry about. The big problem that most consumers get hit with is somehow their accounts get compromised because someone either found their password from another site that was compromised or there was malware in a machine. The consumer types something in and the attacker gets the password. My advice is to use two-factor authentication where you can, use different passwords at different sites, and use complex passwords. As a consumer, that is the most important action you can take. Next in importance is making sure that you have good security tools, whether it is McAfee or another software running on the machines in your home.

Peter High: As you look forward two or three years, how do you see the company evolving? What are some of the trends that are currently on your strategic roadmap?

Chris Young: We are evolving to become more focused on the insight that we can deliver to the customer. You talked about the evolution of artificial intelligence in security. The challenge that a lot of organizations have is getting pinpointed at identifying attacks that are coming in their direction. How do I understand what the adversary is doing? How do I see where I have points of weakness in my cybersecurity infrastructure? Increasingly, one of the focuses that we are trying to deliver to our customers is strong insight.

We have roughly one billion sensors around the world when adding up the consumer devices and the enterprise in government coverage points that we have in our cybersecurity architecture. We are bringing a lot of data and information together in ways that can help our customers better understand the attacks that are happening broadly and how those different attacks may relate to their environment. Either helping them see patterns that might be happening earlier or get faster at how they go after an attack after the fact is an area of focus for us. It makes the tools and the technology that we deliver to our customers, whether it is in traditional infrastructure or the cloud, all the more valuable to the customer.

originally posted on by Peter High