Fresh off his stint as the Chief Security Officer (CISO) of the Central Intelligence Agency (CIA), William MacMillan joined Salesforce earlier this year as the Senior Vice President of Information Security.
To close out Cybersecurity Awareness Month, MacMillan sat down with us to share thoughts and observations from the digital front lines — working with Salesforce customers to secure their data. He explained why cybersecurity is now a C-suite issue, and that every business needs to learn how to see around corners to stay ahead of cyber threats.
Q. How do you explain the paradigm shift of cybersecurity from an IT problem to C-suite priority?
Cybersecurity is not a tech risk. It’s a business risk. Leaders around the industry used to say, “I have technical people who will deal with all that for me.” Today, nobody gets to abstract themselves out of this conversation.
I see this light bulb going off for companies — cybersecurity needs to be actively managed by the leadership team just like any other business risk.
At Salesforce, trust is our No.1 value, which means everybody is incorporating cyber risk and cyber conversations into whatever they’re doing. Security isn’t just handled in specialized pockets, it’s woven into everything we do.
In the physical world, we look both ways before crossing the street. And at every company, from senior leadership through the entire workforce, nobody should get a pass on cyber risk – everyone needs to take the necessary steps to cross to safety.William MacMillan
Q. How can companies be more proactive about cybersecurity?
You shouldn’t ever abandon compliance, but companies need to evolve from meeting baseline compliance requirements to engaging in more risk management-driven work.
On a broader level, as cybersecurity practitioners, our most sacred duty is to present the risk information to the business decision makers so they can contextualize the risk data in a way that helps them act. In practice, this means looking at specific risks in context with your products, market, and growth – and conducting a cost-benefit analysis. The same cybersecurity risk at a startup sneaker company will be prioritized differently than at a big healthcare company, but you need to have the information to be able to take action.
If you’re constantly measuring your risks and doing threat modeling, then you can develop strategies to buy down that risk as inexpensively as you possibly can through your systems and people.
Q. What’s an example of evolving your security from compliance-driven to risk management-driven?
Let’s say you have a compliance-driven requirement to put antivirus on every computer in your company. It may be tempting to install a free antivirus product and be done with it – after all, the compliance obligation has been met.
But a risk management-driven security program would look at all of those computers and decide which ones are most likely to be compromised – then spend money on a security product that goes above and beyond those baseline requirements for those specific computers.
One way to think of this is that compliance can be binary – you’ve met the requirement or you haven’t – but security work is never done. A risk focused security approach is always acting on new data to buy down additional risks for the organization.
If you want to have a trust-first culture, you need to put sophisticated security systems in place and consistently engage your people to support a culture of security and trust.William Macmillan
Q. You mentioned threat modeling. What does that mean?
“Threat modeling” is getting clear on what threats are actually a problem for your organization, and then matching those up against the real vulnerabilities and weaknesses that you can see.
The art and science of cyber threat analysis is having a golden moment right now because it comes back to identifying operable risk data put into context. It’s looking at what is actually threatening your organization.
As a startup sneaker manufacturer selling fast fashion, you may not care deeply about nation states stealing your intellectual property. But should you spend for risk concerns? Absolutely. Because anywhere where there are human beings interacting with digital workflows, and dealing with things like billing and shipping, fraud can become a problem, right?
Q. You previously worked as the Chief Information Security Officer at the CIA. What have you learned throughout your career about how to create a culture of trust?
If you want to have a trust-first culture, you need to put sophisticated security systems in place and consistently engage your people to support a culture of security and trust.
At Salesforce, we like to educate our workforce about real-world examples that we see, whether it’s flagging an example of an email with phishing links or sharing a peek into deeper-dive stuff like finding malware on an old server.
The reality is that sophisticated threat actors are going to find a human somewhere in the workflow that is a softer spot to attack than the technology ecosystem, so you need to stay on top of educating your teammates.
And at the highest level, having senior leaders reinforce the importance of trust, and taking time to speak with employees about these issues can’t be underestimated. We open every Salesforce all-hands meeting with a mention of trust as our No. 1 value, and our strong culture of security awareness begins on day one for all of our employees.
Q. Your vision for better cybersecurity runs deep, but if you could tell enterprises to do just one thing, what would it be?
One of the most important, and simplest, cybersecurity best practices is enabling multi-factor authentication (MFA) to secure access to user accounts. MFA asks the user to take an extra step in the login process every time they log in, but provides an extra layer of protection from intruders that is very difficult to get around.
We lovingly call this “cyber hygiene” because it’s a best practice that’s as easy (and important) as washing your hands. These best practices are part of a defense in depth strategy — a strategy that ensures there are multiple layers of security so that if one layer fails, another will be there to protect everything.