Secret CSO: Arve Kjoelen, McAfee

What's the best career advice you ever received? “Work to understand your company’s business side as well as you understand the security side.”


Name: Arve Kjoelen

Organisation: McAfee

Job title: Chief Information Security Officer (CISO)

Date started current role: July 2019

Location: Plano, TX

Arve Kjoelen is Vice President and Chief Information Security Officer at McAfee, providing strategic and day-to-day leadership to McAfee’s security teams. Kjoelen has 25 years of information security experience in the financial and technology industries, and well as in consulting. Prior to joining McAfee, Kjoelen was the Chief Security Officer of a Denver-based technology firm. His interests include cyber ecosystem modelling, attack modelling, and controls optimisation. Kjoelen holds both a bachelor’s and master’s degree in Electrical Engineering.

What was your first job? I started out my career working at Ross and Baruzzini, a company that provided special systems and security systems for airports. I got to survey security at some of the bigger airports around the country and was able to get experience working in both physical security and cybersecurity.

How did you get involved in cybersecurity? In college, I worked in our computer lab. Sometimes for fun, we would connect to computers in different labs around campus and we could tell if students were working late and if anyone else was in the labs with them at the time. Being college students, we thought it was a fun prank to play audio files on their computers to give them a little scare. I realised it was too easy to control these computers remotely. That realisation and interest around computer security is really what piqued my interest and has lasted to this day for me.

What was your education? Do you hold any certifications? What are they? I hold a Master’s degree in electrical engineering from Southern Illinois University, Edwardsville.

Explain your career path. Did you take any detours? If so, discuss. I spent about half of my career working in consulting roles at organisations like E&Y and Deloitte, and the other half working in industry roles for companies like Wells Fargo, CyberGRX, and now McAfee.

Was there anyone who has inspired or mentored you in your career? I continue learning from some great leaders here at McAfee. In the past, I have been fortunate enough to work with Patrick Gorman, who is now at Booz Allen Hamilton. Pat is someone who has pushed me to continue to grow, apply structure, and overcome roadblocks.

What do you feel is the most important aspect of your job? I’m a big believer in the importance of making time to connect with people, both in and out of the organisation. There is incredible value that comes out of spending enough time with others to have everyone sync up and get on the same page, so that you can then all work independently but still be working effectively towards a common goal. Not only is this conducive to productivity, but it’s also good for team morale which I think has a direct impact on performance.

This year especially has been especially challenging as most, if not all, of our employees are remote. We’ve found things like socially distanced meet-ups outdoors and the use of videoconferencing tools help ensure we’re still feeling like one team and connected.

I also think that fostering an environment where continued education is encouraged is really important. Especially in cybersecurity, where the landscape is constantly changing, those of us who run security organisations owe our teams the opportunity to not only stay up to date, but participate in these changes.

What metrics or KPIs do you use to measure security effectiveness? I’ll use a handful of different metrics for measurement. If I’m measuring effectiveness then I’ll use operational metrics, SOC metrics (mean time to detect and respond), and vulnerability metrics (mean time to closure). For the broader picture, it is essential to measure status and progress on enterprise risks.  This is also the right type of metric to discuss with the board.  Finally, to achieve more precision around our risk judgments, we are connecting the broad risk picture with the attack anatomy of specific threat scenarios.  This work has made our detailed threat work traceable to specific risks and increased our confidence in our risk modelling.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? Like most companies in cybersecurity, we have felt the skills shortage, but have remained focused on finding the best candidates with the breadth and depth of knowledge that is important to businesses across our industry.  Cloud in particular is a hot area for a lot of companies right now.

Cybersecurity is constantly changing – how do you keep learning? The shifts that are taking place in cybersecurity are so large, it’s can be difficult to keep up. There is a constant flow of new ideas and technologies around cloud, automation and virtualisation; to keep up with it, you have to spend time outside of work reading and participating in trainings. Large amounts of information is available from public sources and reports, as well as from cloud providers and from security companies.  To keep learning we have to be self-aware and know where our weak spots are.

What conferences are on your must-attend list? I’m a big fan of the RSA Conference that takes place every year. That conference is a showcase for innovation, and if you use your time effectively at the conference, you can really come away with a good picture of what’s going on in cybersecurity and where the industry is headed.

What is the best current trend in cybersecurity? The worst? From my perspective, the best trend in cybersecurity right now is the drive towards integration of threats, detections and response. From a product perspective that includes a couple of areas where McAfee plays well: The EDR / XDR market, and the Threat Management market. This For the last 10 years, the industry has focused on building the biggest and best data set, but what’s really important is this push towards making the technology now tell us what to do with the data. It carries a lot of promise for me.

The worst is our continued inability to share some of our most important work with each other. Although ISACs and security community groups provide a level of sharing better than in the past, we have not cracked the code on how to share the details of our integrations and processes in a way that creates a rising tide that helps lift all of us.

What's the best career advice you ever received? Work to understand your company’s business side as well as you understand the security side.

What advice would you give to aspiring security leaders? Be aware of your limitations and trust your instincts. Surround yourself with people who can compensate for your own weaknesses.

What has been your greatest career achievement? I’m really proud of what the security team has achieved here at McAfee. The achievement of building a mature risk management organisation and a world-class security operations function is no easy feat. The team has worked incredibly hard to optimise our tools and processes and ensure we continue to improve.

Looking back with 20:20 hindsight, what would you have done differently? Looking back I think the biggest thing I’d say is around connections. Our team has a great culture and dynamic, and we’ve definitely stayed in touch while remote with things like virtual happy hours and lunches. I do think, however, there’s always room for more creativity in how you connect with people so that we aren’t just adding another meeting to everyone’s calendars.

What is your favourite quote? I talked about this a little bit earlier, but I think quotes and messages around ‘trusting your gut’ are really important and ring true in both my own experience and advice I give to others.

What are you reading now? I’m a have a big interest in history, particularly WWII. Right now, I’m reading a book by Andrew Roberts called Churchill: Walking with Destiny, which I’d recommend to anyone interested in the topic. I’d also recommend the documentary series called Greatest Events of WWII in Colour, which is available on Netflix.

In my spare time, I like to… I enjoy reading, and I also run on a pretty frequent basis. It helps get me out of the house especially during a time where we’re not doing that too frequently.

Most people don't know that I… Some fun facts about me are that I grew up and Norway and really enjoy playing the piano, which I have been doing since I was a child.

Ask me to do anything but… I know this is silly – but I’m really not a fan of peanut butter, so anything with that on it I’ll pass on.