Champions in Security – Honoree Profile: Michael Machado, 2023 Champion for Innovation
Michael was a recipient of the inaugural 2023 Champion in Security Awards hosted by Portal26. The Champion in Security Awards honor security leaders embodying meaningful values within the security community that make the profession better for current and future practitioners. Michael won the Champion in Security Award for Innovation, which honors security leaders who understand that new ideas and innovation require sponsorship and safe spaces.
What does it mean to you to win this award?
I’m honored and humbled to win this award.
Who in your career helped demonstrate this attribute that influenced your professional behavior?
I’ve been privileged to work with many leaders and peers who support innovation and push to continually improve and advance our practice, from leaders encouraging strategic rather than tactical problem-solving to building scrappy security programs with colleagues over the years.
What advice would you give to professionals who want to work in this field?
For those who are interested in cybersecurity, it helps to know a few things that are probably not obvious to those who haven’t worked in the field yet. First, there are many specialties and focused areas of work within the cybersecurity field. Second, security is a meta-skill set in that the stronger you are in multiple areas of technology, the better you can apply that knowledge to secure things. For example, if you want to specialize in secure software development, you need to know how to code, and security becomes an overlay skill set to the foundational skills of software engineering. If you want to be an all-around defender, then it helps to know how public and private cloud infrastructure works, with security skills being an overlay of those foundational skills. Third, security is a frame of mind and a way of looking at things as much as a technical skill set. Last, remember that when working in security, we must remember our organizational context. We’re working for organizations and must keep our efforts aligned with broader organizational goals, needs, and missions.
What innovative idea that you created are you most proud of?
I’ve come up with several ideas that I and my teams have moved forward over the years. Trust and safety tactic models help us understand and execute defensive strategies and ways of measuring so that we can manage and improve aspects of our work.
I’m most proud of encouraging my teams to innovate. The support, nudging, and encouragement of others generally advance innovation more than any one person’s individual ideas.
What innovations in security have inspired your work?
Many concepts and great ideas get me thinking in new ways and about new things – cyber kill chain, adversary-informed defense, MITRE ATT&CK framework, and critical security controls.
Who inspires you to continue innovating?
Lots of people. People I work with, people who push me, people pushing themselves, people introducing exciting ideas and innovations in the industry. We’re all also motivated to innovate by necessity.
What are the most innovative ideas you have seen in security during your professional career?
We see lots of iterative innovation in cybersecurity. Iterative improvement is important and often overlooked. In the context of big game-changing innovations, I believe that innovations exist in thinking and looking at problems and technical solutions. In terms of how we look at the problem, I’d say the cyber kill chain was a huge innovation from how security was discussed prior to it. Also, the concepts of offense informing defense and of developing and using cyber threat intelligence. On the solution side, two-factor authentication was game-changing, just like passwordless authentication is continuing this area of innovation today. EDR was game-changing and a huge innovation on the technical side. The idea is that you put a laptop or server under surveillance rather than simply monitoring for signatures and pattern matches. End-to-end encryption for cloud services and local encryption of portable devices with user-managed keys have been significant innovations. Applying data analytics to cybersecurity has been hugely important, and its importance is still growing. The changes in cyber risk oversight and board governance will drive essential changes in involving security more deeply in business strategy.