Interview with Max Shier, VP and CISO at Optiv, a cyber advisory and solutions company based in Denver, CO.
Nice to meet you, Max. Could you tell us a little about yourself and Optiv?
My background is primarily in the federal space. I’m a retired Air Force veteran with nine years of active duty and 14 years in the reserves. I was military police—totally opposite of what I’m doing now—and then transitioned over to cybersecurity towards the latter half of my military career. When I came off active duty, I started my career doing industrial security, which runs the gamut of security clearances and physical security programs. Then I moved into government service, providing cybersecurity oversight for defense contractors, before becoming the cybersecurity director for Lockheed Martin. In the last year, I came to Optiv, where as the CISO, I own all of the cybersecurity responsibilities, oversight and compliance.
What makes Optiv different than other cybersecurity companies?
Optiv as a company is one of the only pureplay cybersecurity providers in the country. We run the gamut of services and capabilities, from providing just security education all the way up through managed services where we can completely handle your entire security program. You have a lot of providers out there that are either just selling software, doing advisory and consulting or they’re doing managed services. It’s rare that you’ll find somebody that does all three, but that’s us. I think it’s an interesting dynamic. If you’re looking at just resellers, you’ll be able to purchase the license, but you have to go to somebody else to implement it. If you want someone to manage the license, you’ll have to go to a third provider to do that. I think that’s where we step in. We are a single provider that can sell you the software, help you implement it, offer you advisory and services, and then manage it for you if you so choose. Through our partnership program, there are a lot of companies out there looking to do that for them because they don’t have the capabilities.
What are some of the biggest challenges you face when it comes to serving your customers and developing your products and services?
The most interesting thing we run into is that companies are all over the place with their implementation and maturity levels. That may be a blessing and a curse at the same time. A blessing for us because we get to see a lot of diversity among companies, and we can help them get where they need to be. Some of the challenges the individual companies have are similar across industry verticals. For example, companies in the gas and oil industry have a lot of old legacy equipment that’s out in the field where you may not be able to implement the most stringent security policies. Then you have the software companies that have a high maturity level and they’re forward leaning when it comes to their security needs. That dichotomy is what makes this job interesting but also hard. Challenges are specific to each company because there is no one-size-fits-all situation. Cybersecurity really needs to be tailored to what your company does, the assets you have, and your overall infrastructure.
How is the cybersecurity industry evolving?
With AI becoming so prevalent and pervasive, it is changing the threat landscape, but it is also hyper-accelerating the security landscape, too. Dealing with AI is almost like fighting fire with fire. You have a lot of generative AI tools out there that are allowing bad actors to create exploits through phishing emails and doing it more efficiently and more believably. At the same time, there are a slew of tools coming out that are implementing AI to better automate the security response and the SOC. The more efficient and more automated we are, the better it is for security. Having AI and machine learning is making cybersecurity better. And I’m happy to see that we’re using AI for good versus just looking at it in a negative way.
What are some of the most common misconceptions your customers have when it comes to cybersecurity?
Tool sprawl is one. One of the services we provide is technology rationalization, having advisory specialists go in and review what you have and if your tools make sense for the tech or security stack that you have. Second is the AI piece. There are a lot of questions around AI, and you need to have a long-term strategy to approach it, because you aren’t going to be able to implement everything at once. We can guide you through that implementation, whether it is just helping with a written policy or building a foundation for moving forward. After all, generative AI is just a tool like anything else. And lastly, privacy laws. Protecting data becomes more complex every time a new privacy law is passed. How do you meet all the requirements of those laws? The relationship between your organization, legal and procurements of contracts is extremely important. Unless you are a specialist in the space, navigating privacy laws is very difficult.
How does working with defense contractors expand the capabilities of Optiv?
It opens doors for us and offers more opportunities to leverage our expertise to help the government and other defense contractors, especially with the increase of requirements for Cybersecurity Maturity Model Certification (CMMC). That’s supposed to be ratified in 2024. In addition, the government itself has levied requirements for agencies to become compliant with a zero-trust architecture. That’s a hard transition. There are a lot of defense contractors out there who work in the cybersecurity space, but again, they are single-threaded, falling into one of the three categories. They’re either advisory and consulting, a reseller or a managed service provider. None is all three. We have the unique capabilities to help government entities to implement these changes.
What do you anticipate being the biggest challenges for the cybersecurity industry in the coming months and years?
I see a couple of trends. In response to tool sprawl, I see a move toward platform consolidation. It’s hard to automate with disparate tools, so I think we’re going to see the consolidation of tools and platforms with specific vendors to continue integrations with other products within an ecosystem. We need to reduce the complexity, increase the simplicity and make ourselves more efficient. Then, the implementation of AI is obviously something that is very specific to this market, as it will increase security capabilities but will also substantially increase risk and threats.
By Sue Poremba