In this essay, entitled “The Rise of the Cyber Industrial Complex and Expense in Depth,” ICIT Fellow Malcolm Harkins discusses how the lack of progress toward managing cyber risk, despite thousands of new security vendors and thousands of new capabilities sold that purport to control for these risks, is a result of a “cyber industrial complex” that lacks a proper economic incentive to solve the problem. Mr. Harkins explores the idea that it is the hidden hand of the industry itself which has contributed to this cycle: first by not being accountable for the controls that failed, then by pursuing a public policy agenda meant to influence legislation in the industry’s favor. He also explains how industry has taken the notion of defense in depth to manage risk and turned it into a cycle of expense in depth that generates economic waste by pervasively focusing on a reaction to risk and adding layers to mitigate failed controls, rather than having a control bias to either prevent or stop the cycle of risk as early as possible.

To do better at controlling risks today and tomorrow, Mr. Harkins proposes several courses of action, including leveraging emerging technologies coupled with the right risk profile and control assessment frameworks, to enable better risk mitigation. In the essay, he also discusses learning from the history of attribution, disengaging from the blame game, types of security controls, and which control frameworks add value.

About the Author: Malcolm Harkins, Chief Security and Trust Officer, Board Member, Advisor, Author, Keynote speaker

Malcolm Harkins is currently an independent board member and advisor to organizations.  He is also an executive coach to CISOs and others in a wide variety of information risk roles.

Previously Malcolm was the Chief Security and Trust Officer at Cylance Inc.  In this role he reported to the CEO and was responsible for enabling business growth through trusted infrastructure, systems, and business processes.  He had direct organizational responsibility for information risk and security, as well as security and privacy policy.  Malcolm was also responsible for peer outreach activities to drive improvement across the world in the understanding of cyber risks as well as best practices to manage and mitigate those risks.

Malcolm was also previously Vice President and Chief Security and Privacy Officer (CSPO) at Intel Corporation.  In that role Malcolm was responsible for managing the risk, controls, privacy, security, and other related compliance activities for all of Intel’s information assets, products, and services.

Before becoming Intel’s first CSPO he was the Chief Information Security Officer (CISO) reporting into the Chief Information Officer.  Malcolm also held roles in Finance, Procurement, and various business operations.  He has managed IT benchmarking and Sarbanes-Oxley compliance initiatives.  Harkins acted as the profit and loss manager for the Flash Product Group at Intel; was the general manager of Enterprise Capabilities, responsible for the delivery and support of Intel’s Finance and HR systems; and worked in an Intel business venture focusing on e-commerce hosting.

Malcolm previously taught at the CIO institute at the UCLA Anderson School of Management and was an adjunct faculty member at Susquehanna University in 2009.  In 2010, he received the RSA Conference Excellence in the Field of Security Practices Award.  He was recognized by Computerworld as one of the Premier 100 Information Technology Leaders for 2012.  (ISC)2 recognized Malcolm in 2012 with the Information Security Leadership Award.  In September 2013, Malcolm was recognized as one of the Top 10 Breakaway Leaders at the Global CISO Executive Summit.  In November 2015, he received the Security Advisor Alliance Excellence in Innovation Award.  He is a Fellow with the Institute for Critical Infrastructure Technology, a non-partisan think-tank providing on cybersecurity to the House, Senate, and a variety of federal agencies.

Malcolm is a sought-after speaker for industry events. He has authored many white papers and in December 2012 published his first book, Managing Risk and Information Security: Protect to Enable®.  He also was a contributing author to Introduction to IT Privacy, published in 2014 by the International Association of Privacy Professionals.  The 2nd edition of Malcolm’s book, Managing Risk and Information Security: Protect to Enable®, was recently published in August of 2016.  Malcolm has also testified before the United States Senate Committee on Commerce, Science, and Transportation on the “Promises and Perils of Emerging Technology for Cybersecurity”.  He also testified at the Federal Trade Commission hearings on data security in December 2018.

Malcolm received his bachelor’s degree in economics from the University of California at Irvine and an MBA in finance and accounting from the University of California at Davis.