Passion, Curiosity, and a Dash of Mischief
September 14, 2020 • Caitlin Mattingly
Kevin Magee is chief security officer for Microsoft Canada. He joins us with his story of early entrepreneurship, persistent curiosity, and a lifelong passion for learning.
He shares the career path that earned him his leadership position with Microsoft, as well as insights on his management style and recruiting methods. We’ll get his take on threat intelligence, and thoughts on where he thinks the cybersecurity industry may be headed.
This podcast was produced in partnership with the CyberWire.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, and welcome to episode 175 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.
Kevin Magee is Chief Security Officer for Microsoft Canada. He joins us with his story of early entrepreneurship, persistent curiosity, and a lifelong passion for learning.
He shares the career path that earned him his leadership position with Microsoft, as well as insights on his management style and recruiting methods. We’ll get his take on threat intelligence, and thoughts on where he thinks the cybersecurity industry may be headed. Stay with us.
I think I really grew up in a special time. The late ’70s and ’80s was really the time of the hacker and that’s when hacker was really a positive word back then. Back then, we hung out at the computer stores or the arcades and we found others that were interested in the same things we were, formed little clubs, little subcultures, that learned from each other. That’s what really the essence of hacking and hacker culture originally was.
It was really based on my interest in taking things apart, learning how they worked, improving them and sharing them. That’s the time that really imprinted on my personality. I was very interested in entrepreneurship, technology and a learning and teaching cycle, sharing what I’d learned in these areas. The skills I really developed in those early days, as a hacker taking apart technology and building them, really imprinted my personality for the rest of my life and career.
Where did you get started after school?
Well, at the end of school, late high school, I really started my first business with my best friend, Ted. We were probably about 16 and we would come to your house and we would set up your modem and hook you up to the internet. More importantly, we would teach you how to use it when it was done.
I was always amazed that people would spend $5,000 on a new state-of-the-art computer; they had no idea how to hook it up, but they also had no idea what to do with it once they had it hooked up. That was the important bit. I figured out really fast our value was in providing, not just the installation or the hardware or making it all work, but really opening a whole new world to them.
That was our competitive advantage with our small business. We weren’t really just appliance installers. We were your professor, your guide, your companion in the exploration of this whole new world. No one really realized that we had no idea what we were doing, either. We were just a little more curious, a little more courageous and really, we were able to learn on our feet.
We also learned some practical things about business. For instance, when you got to a house or business, there were never enough plugs to plug things in, so having a power bar handy for sale was handy. Also, printers notoriously didn’t come with cables, so you could get a great margin for a small business selling those printer cables on the spot as well, too. That’s really what got me into both the technology side and the entrepreneurial bug and launched my career after school into the front lines as a help desk technician at a hospital. That’s really where I got my start with my real first job.
How long did you spend there and where did you go next?
I started with a small company that serviced computers, and I spent a lot of time in the basements of hospitals fixing XTs and dot matrix printers and setting up state-of-the-art 386 systems for vice presidents and then transferring their systems to the managers, who transferred it to the individual and finding ways to automate those processes and just make things better. That was where the hacker mentality kicked in, but I also was seeing a lot of holes in our processes. Our technology architecture left these organizations really vulnerable.
That’s where I really got the security bug, trying to fix those problems. It was different back then. People really didn’t listen to us. I always felt like Cassandra, cursed to always tell the truth but have no one ever believe me. It’s amazing how far the industry has come, but that first job really fixed me in the technology industry.
I had gone to university and studied history, but pivoted to a technology industry. I found that diversity of skills, that hacker growth as a kid, combined with an education in the arts and an ability to research, communicate, and absorb huge amounts of information with my love of technology really set me up for a career in a number of different ways.
Yeah, I think that’s a really good point is how much of a leg up it can give you to have those communication skills to be able to be social and interact with people of all ages from all walks of life. It sounds like that’s a lesson that you learned pretty early on.
I find a lot of times we try to play the part of a security professional. We want to look very professional in our tie and sound like they do on TV and in the movies, but really, it’s about making the connection with the person you’re teaching or really understanding what motivates an attacker.
There’s a lot of skills that go well beyond technology that we’re just either ignoring or we’re almost mentoring out of the next generation of cybersecurity professionals. I want to see, when I’m hiring, a very diverse set of candidates from the arts, from any discipline. It’s a common set of skills, a passion, a bit of curiosity, maybe a dash of mischief. That’s what I’m looking for in the best candidates, not necessarily a computer science degree or experience with a certain firewall.
What was the pathway that then led you to where you are now at Microsoft?
I’ve had a chance in my career to apply my hacker mentality and do a lot of interesting things. I’ve never let those barriers that I didn’t have qualifications stand in my way. I had a startup in the ’90s, which failed miserably. My next startup I sold successfully. I’ve been able to do the entrepreneur side of the business and really learn a lot.
Then I went to the corporate world, where I’ve worked for major companies like Hewlett Packard and Palo Alto Networks in the early days, and had a chance to see large companies, small companies. I think it’s really been that diversity of people, of interesting new technologies, of being part of something new and exciting and building and creating something that’s really been the driver of my career.
I’ve really had the chance to work with some exciting and interesting people and get to know them at the earliest stages of my career, that has been the backbone of helping me evolve those skills, culminating in a love of security, a love of teaching, a love of learning and a real interest in the people side of the industry. I think that’s an area where we need to invest more time in developing and really encourage people to look at not just the technology side of the industry, but also those soft skills, those other areas of the industry, where they can add value with a diverse background, not necessarily a computer science degree.
What is your day-to-day like these days? What sorts of things are under your responsibility at Microsoft Canada?
Really, the day-to-day is all about people for me. It’s all about finding, mentoring, developing, building relationships with people. It’s not so much about technology anymore. It’s applying a growth mindset to problem solving. It’s asking why.
I actually spend a lot of time with nontechnical folks, general councils, CFOs, board members, and I’m listening, learning, educating, creating allies for the CISO and security team. That’s really where I spend a lot of my day is on the development of our industry and our people and an understanding. Once we have that, a lot of the technology problems just fall away really easily, so enabling those ally shifts, enabling those connections, is really where I try to prioritize my time.
What unique things do you contend with, being the chief security officer at a company that is also in the business of security?
Yes. We get a lot of questions about obviously our own technology and how to apply it and what the best practices are, that sort of thing. I also get an opportunity to talk to a wide range of people. Microsoft is in a lot of different businesses and we talk to a lot of different aspects of the company or organization.
Everyone is using one of our products pretty much within the organization, from the CEO to frontline workers. That gives me, I guess, a wider insight into the challenges they see from a business perspective, not just a technology perspective. When I worked at more focused technology companies in my past, we really just looked at the SOC or we really just looked at the security team and we didn’t really have that broader sense of what enterprise risks look like in the company. That’s been super eye opening.
I also get the chance to meet some really interesting folks and have discussions I would not normally be able to have, like general counsels as part of the compliance aspect of my portfolio. Those are areas where I’m not necessarily as strong and really get a chance to learn from the customer or from even a candidate that’s applying for a role, more about the industry, more about what those challenges are out there in the field that I can really cycle back to the company to make us better, to make our products better, to make our people better and to better serve our customers.
When I think about Microsoft, being here in the U.S., I automatically think about Microsoft here in the U.S. and Microsoft’s headquarters here in the U.S. Can you give us some insights as to what it is like being part of Microsoft in another nation? How do the interactions work back with the mothership, if you will, on a global scale?
Well, my first job was actually reporting to the mothership, as you say, and it was fantastic. I worked in emerging technologies. I got to manage technical teams that were breaking new ground in containers and blockchain and really cool things that the whole industry hadn’t figured out. Having those corporate ties and those corporate relationships at the center really has enabled me to succeed, working in Canada.
We’re a small, tight ship in Canada. We all know each other. There’s a sense of camaraderie and esprit de corps that is really exciting and just an energy that we’re all in this together. We have a shared mission and we really just want to do a good job and do our best.
I’ve had, again, the opportunity to do both, and I think it’s the best of both worlds, because no matter what challenge we have in Canada, there’s this whole global network of interesting, exciting peoples that I can bring to bear to help solve a problem, or develop one of my people, or put a second set of eyes on a challenge. It’s really the best of both worlds, in my opinion.
I want to get your take on threat intelligence and the part that you think that plays in an organization’s defenses.
The biggest challenge I see is we still continue to throw money, technology, and people at problems, and that’s really not acting with context in an informed way. If we’re going to really alter the balance between the attacker and defender in our favor, we need to act with purpose and with context. That’s where the threat with intel really plays in.
I think the purpose of it is to really enable organizations to proactively reduce risk and address threats. That’s what threat intel does. It’s not just for spies anymore. It’s not just for the security team. It’s really something that needs to be available to the entire organization.
Operational threat intelligence is what we normally think of in cybersecurity and that’s threat feeds and open source intelligence. Really, a shift to strategic intelligence and making that available to the board room so they have the context to make better informed decisions is something that I spend a lot of time working with boards and leaders to integrate threat intel into how they work and how they make decisions.
How much of a skill is it to manage that, to be able to dial it in so that it’s not overwhelming?
It’s difficult. I think one of the challenges that we still see, at the highest level of organizations, security and technology is a different thing, not part of the overall enterprise’s risk strategy. When I talk to boards, I’ll say, “Hey, if your CISO or your CIO came and said, ‘That security thing, don’t worry, we got this,’ how would you feel?” Well, you maybe would accept that, but if your CFO did that and said, “Hey, that money thing, don’t worry, we got this,” you would never accept that.
Applying the same criteria and risk to your analysis, to your financial assets, physical assets, to your data, is still a challenge that I see out there at the highest levels. I guess one of the reasons is, and I never really understood this till I sat on a board, I sat in an audit committee meeting surrounded by accountants, and they were talking about the current ratio. I finally had to raise my hand and ask the question, “Should it be higher or lower? It’s been 25 years since I took financial accounting, and I’m really not sure?”
That’s literally where the epiphany happened, where I thought most people in leadership positions or boards are used to being the smartest person in the room. They’re afraid to ask those questions that may make them look silly or uninformed in front of their peers. A lot of the times I spend, one on one, with executives or board members to get them over those hurdles, because they do have that fear of asking that question and making themselves look uninformed or dumb in front of their peers. It’s holding them back from doing their job as governors, and it’s easily solved by providing them with context, with education and answering their questions in a safe environment, either their home or their office.
How do you nurture that environment with your own team to make it so that people are comfortable asking the dumb question?
The number one question I get asked from CISOs or CIOs or board members is what’s the one thing I can do to make my organization more secure or better protected. I always surprise them with my answer. My answer is always create a culture and a tone from the top, where if I, as an employee, click on something or make a mistake or do something wrong, and I put my hand up, I’ll get help, not retribution or shame. If you can enable that environment where everyone’s part of solving the problem, I think that is the first big step you can make, and tone from the top really matters.
Going back to the first principles of security, the CIA triangle, a lot of boards or C-level executives will focus the business on user growth. They’ll not really think through what vulnerabilities that leaves them open to, if you’re creating a bonus structure that is based on user growth. Now you’re going to eliminate friction, which are things like multifactor authentication and all those things that make our system secure because your economic incentives are all aligned to a growth strategy.
Sometimes forming change in their minds, enabling people to raise their hand and ask that question, is really what matters. With my team, I do the same. We get together. We debrief on a lot of our challenges, and everyone has the full opportunity to not only say what they think, but to ask that tough question. Once you build that trust where they feel comfortable speaking out, speaking up or asking that question, that’s really where the magic happens.
What things go through your mind when you’re looking to attract new team members? What are the things that you’re looking for from new members of the team?
I really want people’s personalities to shine through, and for them to tell their stories. I think we’ve done a disservice to an entire generation by cranking out articles on the internet that make generic responses to interview questions. I think, traditionally, security professionals that are successful have always been a little quirky, have always been a little different. I think we’ve almost trained people to show up to interviews and to hide that or to minimize that.
I want to explore how you learn. I want to explore what you’re reading. I want to explore how you approach problems. I really want your personality to shine through in an interview if you’re right out of school. I’ve spent a lot of time working with students and startups on these challenges and how to break through to start your career.
Everyone tells me there’s a skill shortage or there’s not enough people available. There really are. It’s just that it’s really hard to identify them, or we’re boxing ourselves into a certain set of biases of what we’re looking for in the perfect cybersecurity professional. We’re not reaching beyond that. I find sometimes when I take a chance on someone who’s a little different, who doesn’t meet the mold, they turn out to be one of the best performers and the best problem solvers and really bring energy and excitement to the team.
How important are things like degrees and certifications to you?
They’re not as important as someone who has a history degree. I always like to joke that I studied history, went into business and then became a security professional, so I’m the Canadian version of Jack Ryan. I’ve had a very different career path, so I recognize that those are not necessarily the end all be all.
I think the industry is getting much better at that, looking at different degrees. It breaks my heart when I see people reach out on Twitter and say, “Hey, I just got shot down for a job because I have an arts degree,” but it lifts my spirit to see all the responses of our industry responding and saying, “Hey, don’t give up. I can make some introductions.” Thoughts and prayers to those situations. There are not enough.
I think we, as an industry, really have to start to think about what comes next. How do we build a self-sustainable way of finding, identifying, and growing talent, other than the way we’re doing it now, which is leaving folks up to their own to get the certs, or whatever they feel an employer would want.
I think that’s incumbent on us, as an industry, to really take it to the next level. There is no iron ring or set of standards in our industry. We’re still very young and evolving, but it’s time really to switch to industry building instead of just relying on individuals to figure this out on their own.
What advice do you have for folks who are interested in pursuing a career in cybersecurity? Maybe that person is close to coming out of school, or maybe it’s somebody who’s thinking about switching careers.
I have this discussion quite often with both of those individuals that are changing careers or new, and a lot of focuses for folks that are looking to the new careers are on becoming an industry expert. I think we do a good job of that, providing certifications or training. I want to see them become an industry insider.
The questions I ask them are who are you reading? I want to hear things like Brian Krebs. I want to hear things like what books you’re reading. Tell me about the last book you read is one of my favorite questions. What did you learn today that others could benefit from? Those are the types of questions that I’m asking and I’m really looking for. Do you really have a passion for this industry? Are you really part of the industry? Are you joining in the conversations? Are you joining in and networking with your potential peers? Are you showing me your skills, not just telling me?
Don’t tell me you’re a great communicator. Write some blog posts and then send them to me so I can evaluate that for myself. That’s what I think we really need to encourage folks that are looking to join the industry to do.
Where do you think we’re headed when you look towards the horizon? I’m thinking of the continued professionalization of cybersecurity, as it becomes more and more essential, less exotic, just a part of every business. What do you think the future holds for us?
Well, I hope we don’t ever lose the art and make it into a complete science would be my number one comment on that. It’s not like other industries and we try to graft our thought process and how we define our industry on other industries. We call people in technology architects or engineers. Maybe we need our own vocabulary to describe what we do.
I think we need to really step back and see where we want to take our industry. Those of us that have been in it a while and have been around have had the benefit of lots of great mentors and lots of folks that have helped us up the ladder. It’s incumbent on us to really do that for the next generation and help them up the ladder.
A lot of times, they feel they can’t reach out to someone with a big title like mine. One of the greatest joys of my day is spending some time with a student or someone who is passionate about our industry and helping guide them or introducing a new book that they should read to enable them in their career. I think there’s a lot of folks like me out there that would love to have those discussions, have those interactions and pay it forward because someone helped them get to where they are as well.
Our thanks to Microsoft’s Kevin Magee for joining us.
Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Caitlin Mattingly. The show is produced by the CyberWire, with Executive Editor Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.
Curating Your Personal Security Intelligence Feed
September 21, 2020 • Caitlin Mattingly
Our guest is Sal Aurigema, associate professor of computer information systems at the University of...
The Highest Security Intelligence in the Shortest Time
September 7, 2020 • Caitlin Mattingly
Craig Adams is the chief product and engineering officer at Recorded Future He joins us with...
The Diversity of Security Challenges in Higher Education
August 31, 2020 • Caitlin Mattingly
Security professionals at institutions of higher education face a broad spectrum of challenges,...