Three years ago, McClure left McAfee to find it. Typical antivirus software, he explains, relies on maintaining a database of known offenders—a list of viruses and malware known as virus definitions—that it uses to identify new threats. The trouble, of course, is that the threats have to succeed in wreaking havoc somewhere before they can be added to the database. “In other words, for me to protect your house from being burgled, someone else has to have already been burglarized by that individual,” explains McClure.
In fact, studies suggest that traditional cybersecurity software detects only 45% of attacks. McClure’s new company, Cylance, takes a completely different approach. Using mathematical models and artificial intelligence, it seeks to protect computers against attackers—both known and unknown. “It took about two solid years of training the models and getting all the infrastructure built properly,” he says. “Now, the computers that run our CylanceProtect software can completely protect a computer—more than 99% detection—even when they’re disconnected from the cloud.”
Hackers, however, are persistent, says McClure, who notes that in addition to strong security, software companies need to practice vigilance with their outside vendors. “Security is only as strong as your weakest link,” he says, pointing out that hackers who can’t get in the front door will turn to the windows and the chimney.
Asked what else CEOs can do to safeguard their companies, McClure offers three suggestions:
1. CHALLENGE YOUR CIO. “Most chief security officers want to give the impression that they have everything under control—but they really don’t,” says McClure. “Create a culture of challenging your security people and asking them, ‘What makes you think we’re so secure?’”
2. FIND—AND FILL IN—YOUR BLIND SPOTS. “The biggest mistake CEOs make is not knowing their limitations and hiring to fill in those blind spots,” explains McClure. “They should be hiring people who can take over their jobs.”
3. MAKE SECURITY A CLEAR PRIORITY. “Move the security function out from under IT and make it a direct report to the CEO,” urges McClure. “Eventually, elevate the chief security and risk officer to have IT reporting to them.”