Secret CSO: David MacKinnon, N-able

What is the best current trend in cybersecurity? “Attacks are more sophisticated than ever, so to stay ahead of the curve it’s great to see people put competition aside and work together to fight our common enemy. I think it’s necessary for all of us to learn from each other.”


Name: David MacKinnon

Organisation: N-able

Job title: Vice President, Chief Security Officer

Date started current role: May 2021

Location: Atlanta

Dave MacKinnon, vice president, chief security officer, has over 20 years of experience leading global security teams focused on cybersecurity, incident response, forensics, and threat intelligence across various industries. He started his career in the software build process—keeping security at the forefront—as a developer and product security engineer. Prior to joining N-able, MacKinnon was an IT security leader for AT&T/Warner Media, where he implemented an extensive security program managing complex incident response events. As the chief security officer of N-able, MacKinnon is responsible for the information security team, including security incident response; product and application security; and governance, risk, and compliance (GRC).

What was your first job? When I was 15 and lived in New Jersey I worked at a general store called 5-Star. My job was essentially to just stock shelves and help customers. While it sounds pretty boring, it was actually the best job a teenager could have had in my area; it was one of the only shops where you could work as a teenager. We got to mess around a lot and drive forklifts—which is probably illegal now, but it definitely wasn’t then!

How did you get involved in cybersecurity? Cybersecurity found me. After I graduated, I moved from New York to Atlanta and was interviewing to be a sysadmin but was approached by SecureWorks to interview for a SOC Analyst role. At the time I knew almost nothing about security, and I was very transparent about that—but their approach was that I knew networking and sysadmin work and they would teach me. 21 years later I’m still in security.

What was your education? Do you hold any certifications? What are they? I graduated from Rochester Institute of Technology in New York with a degree in IT and specialisation in Systems Administration, Networking and Coding. Simply because of when I got started, I don’t actually hold any certifications—at the time you could get away with only learning on the job, but this has changed. When I interview people, their certifications tell me they have a passion for this industry and are willing to learn.  

Explain your career path. Did you take any detours? If so, discuss. I have had the opportunity to wear a ton of different hats in security, which have led me to where I am today. I’ve worked in support, engineering, consulting, customer engagement, and intelligence analysis. I wouldn’t say I’ve had a typical career path to becoming a CSO, but I also wouldn’t say that a perfect path exists.

Was there anyone who has inspired or mentored you in your career? My love for computers started with my dad. Back in the 80s my dad brought home a Commodore 64—when we plugged it into our television I was immediately hooked. I knew from then and in high school that I wanted to work with computers, but I didn’t really know what that meant. With my career, I have to credit a lot of people who supported and advised me, but really it was my dad that got me into computers in the first place.

What do you feel is the most important aspect of your job? For me there are two. One is protecting our enterprise and our customers. The other is working across the organisation to make sure security works as a partner. Security is often viewed as the giant hammer that smashes any attempt at change but really it needs to work as a partner that is there to help achieve success.

What metrics or KPIs do you use to measure security effectiveness? We measure the effectiveness of our controls over time. We look at our security coverage, from a threat perspective, analysing bad actors and APTs’ TTPs. Then we check how quickly we can identify these threats and prevent or contain them.

Is the security skills shortage affecting your organisation? What roles or skills are you finding the most difficult to fill? The skills shortage is affecting everybody. We’re tackling it by creating a company culture that people find inviting. So many people job hop these days, and I think people will only stay if there’s a good career ladder that means people can grow and find success within an organisation.

Senior leaders are the most difficult people to find because there just aren’t that many people with 10-15 years’ experience in security. Making sure people grow within the organisation and giving them a clear career path helps us fill those roles rather than waiting for the right people who want to move roles.

Cybersecurity is constantly changing – how do you keep learning? My main resource is Twitter! You get news faster there than anywhere else so it’s a really great way to stay updated about what’s going on in cybersecurity. The next resource is just reading and keeping up to date with the news and the third is that I am part of some closed lists where I and other industry practitioners share information. Collaboration across the industry like this is hugely beneficial.

What conferences are on your must-attend list? I love Black Hat and DEF CON, but apart from that I really enjoy the BSides events where I can properly meet people and network with local businesses.

What is the best current trend in cybersecurity? The worst? The best is transparency and sharing within the industry. Attacks are more sophisticated than ever, so to stay ahead of the curve it’s great to see people put competition aside and work together to fight our common enemy. I think it’s necessary for all of us to learn from each other.

The worst trend is the professionalisation of hacking services. It’s becoming more difficult to tell the difference between nation state hackers and amateurs because of how commodified sophisticated tools have become. As a result, identifying your adversary and assigning the proper level of risk is much more complicated.  

What's the best career advice you ever received? Don’t be the person who always says “no!” In my first leadership role, I had to turn down a lot of requests. My boss told me that no isn’t enough—when someone asks you to do something you need to explain the cost of what they’re asking. It helped me realise that it wasn’t my job to block people, it was to talk to them, advise them, and work with them so that we can all be successful. I learned that when I was 25 and I’ve stuck by it since.

What advice would you give to aspiring security leaders? Know your people. When I first became a leader, I was not a natural! I didn’t understand people and personality types. Ultimately your team’s success is your success, so I had to learn about different personalities to make sure I knew the right way to manage people and make sure they were on the right path to success.

What has been your greatest career achievement? The program I built at Warner Media prior to joining N-able. I started small and built an entire security operations, threat intel, and incident response team. We built job ladders and came up with a plan to build talent internally, and we’re seeing the results of that; I’ve had interns that are now in leadership roles, and it’s really fulfilling to leave a legacy of security professionals.

Looking back with 20:20 hindsight, what would you have done differently? Everything you do shapes who you are today so I cannot in good conscience say that I would change anything that I’ve done. There’s no point dwelling on what could have been; even the mistakes that I’ve made over the course of my career have made me who I am today.

What is your favourite quote? I go by the Russian proverb: “Trust, but verify”.

What are you reading now? The First 90 Days by Michael D. Watkins, loaned to me by Mike Adler, the chief technical and chief product officer at N-able. As I’m new to the business the book really helped me settle into my position.

In my spare time, I like to… Be a dad! I have two very active boys, so when I’m not working, I am enjoying my time with them. I’m a den leader at Cub Scouts, I take them to karate and tennis, and I enjoy watching them play football.

Most people don't know that I… Hate basketball and everyone expects me to play it because I am tall, but really, I prefer hockey.

Ask me to do anything but… Touch a snake. I never want to do that.