Securing the press: Meet The New York Times' new infosec leader
In this geopolitical era, freedom of the press is guaranteed to those who can protect sources and methods. The New York Times' new cybersecurity chief explains why his progressive approach to protecting the global media organization is more important than ever.
A.J. Liebling, that great American journalist, cynic and provocateur, once opined that "freedom of the press is guaranteed only to those who own one." These days, such freedom of the press is under siege by cyber and nation-state adversaries that would give anything to have access to the information, sources and methods used by a media goliath such as The New York Times.
It's worth remembering that freedom of the press is earned by having trusted sources and technology that a security team can protect.
Bill McKinley, who has been with the Times for more than five years, and has a background in technology within financial services, is now the global media giant's executive director of information security.
He might be a new name to readers, but the security community is not a new environment for him. A self-professed geek who grew up wanting to learn to build, break, and secure, he now has a dream job with his dream team in a formidable organization -- and with that team he's poised to bring the progressive change that media organization security needs as a whole, with the leadership skills to boot.
We spoke to McKinley about his new role and the challenges ahead.
ZDNet: First, tell me about what it means to be executive director for information security at an organization as prestigious as The New York Times, and what the role includes?
Bill McKinley: Leading information security for The New York Times is a great responsibility; one that I couldn't be more excited to take on. Since I started at the Times five years ago, I've been proud of our brand and the quality of our content. This role affords me the opportunity to make an even greater contribution to our product.
Our brand, reporters, research, subscriber information, and sources are all appealing targets; leading the team that is tasked with protecting those assets is tremendous. Information security for the Times is far more than reviewing access logs and firewall requests. It's also about educating everyone who not only works here but also interacts with us on security best practices. We can buy 17 different tools to help monitor, alert or take action against threats but that only means that someone out there has come up with eighteen ways to circumvent them.
The human element is absolutely crucial to our success. We educate our users on topics such as authentication, phishing, and malware, and we also partner with our developers and newsroom staff in areas such as protecting our sources and securing sensitive information. Then there's one of the most important aspects of my role, surrounding myself with top talent and ensuring they're truly excited to be part of the team.
ZDNet: How did you get here? You have a background steeped in financial markets in technology. What made you curious and interested in security?
McKinley: Truth be told, security has been a love of mine in my personal life from when I was a young kid. Granted, back in the early '80s, the landscape was quite different. (Most kids had role models like The Bionic Woman, Mr. T. and Michael Jordan; mine were L0pht, Legion of Doom and Captain Crunch.)
Yes, I spent 23 years in the financial services vertical and I'm very thankful that I did. It's instilled in me the need for process, procedure, expedience and security; dating back to when I was an engineer on the infrastructure side of the house. Sure, I was responsible for design and implementation of systems, but I was equally as involved in securing and hardening those systems. Then, as I moved ahead in my career, I was more involved in segregating areas of business to adhere to regulations, securing online communications with clients, and setting standards for hardened desktops.
ZDNet: The Times has been regaled in media and security communities for being at the forefront of innovation in securing journalists, some of which are down to Runa Sandvik, the newsroom's director of information security, on your team. What makes you excited about this, and how do you envision that thought leadership growing?
McKinley: I'll go so far as to say that most of what's been done in the space of securing our journalists has been on Runa's watch. She and I have been working closely together since she came to the company and I trust her implicitly. She's made tremendous strides in the newsroom and her energy is infectious. It's that energy that I hope to leverage more outside of the newsroom as well so we can push the company further down the path of being a culture that's conscious of and passionate about security.
ZDNet: It's a very unique time for media organizations, with threats against the businesses and their newsrooms as pervasive as ever, given the geopolitical climate. How do you progress the security to stay ahead of those attackers?
McKinley: To say that the threats are evolving would be a gross understatement. Couple that with what's at risk and it's daunting to think about. Lately, we've been heavily focused on keeping up with new techniques used to compromise systems and gain access. There are many individuals and groups that have become very creative in not only the means of attack, but the way by which they activate kill switches or send commands to [command and control] servers. Having a constant flow of information among industry leaders helps collectively protect against the next new attack.
ZDNet: What keeps you up at night in terms of securing the Times?
McKinley: Coming from financial services, we were responsible for protecting systems which, if compromised, could result in a financial loss. Here at the Times, exposing a source or not properly protecting our journalists could result in their being detained, the release of highly sensitive information, a source being burned and potentially putting someone's life at risk. That's hard to comprehend sometimes.
ZDNet: This is a big move, having someone of your pedigree in this leadership role for the company. How do you see the overall impact to the Times as a business?
McKinley: I started back in 1991 repairing printers for a company responsible for printing and distributing financial reports. Since then, I've gone to PC technician, server support, [security operations center] analyst, engineer and from there a career in management. I'm hopeful that my technical knowledge coupled with my knack for defining process, setting standards and motivating teams helps me live up to the role. If I'm successful, I'll have a highly skilled team and a corporate culture that sees partnering with security as a valuable step in producing our content and protecting our staff and assets.
ZDNet: What makes you feel confident about the role -- not necessarily in security? You don't want to pose a challenge to hackers, of course.
McKinley: I'm confident because I have the makings of a great team, a management team above me that understands the criticality of our role and an amazing company full of motivated people who are proud of our brand. The logistics of my role is the easy part when the aforementioned is in order.
ZDNet: If you were to mentor someone to get to this level of his or her career, what's your number one piece of advice?
McKinley: One of the most difficult skills to master for so many in the technology sector is humility. I've seen too many people fail in my career by focusing on their own personal success. If you inspire people and encourage them to flourish, the returns are immeasurable. Conversely, if you hold people back because your ego demands it, nothing good comes of it.
ZDNet: I understand that you're hiring to fill out the infosec team as you rebuild more strategically. What are the right roles and/or skill sets of the people you think would be a good fit?
McKinley: Technical ability is the easy part that can be vetted out by a pre-screen interview. We need security professionals who are truly passionate about their roles. People who enjoy networking with others so that they can further their own knowledge and see all angles of a challenge. We need more creative thinkers who also have a real dedication to our brand and our staff. I want that sense of pride seeing someone on my team packing the room full at Black Hat. I came to this role to build a team, not to hire individuals.
ZDNet: Finally, on a personal note and not The Times, what worries you the most about the current threat landscape?
McKinley: Putting on my tinfoil hat for a moment: The more technologically advanced we get, the easier it becomes for individuals to wreak havoc on society. I remember watching Charlie Miller and Chris Valasek present on the Jeep hack a couple years ago and thinking about cars, pacemakers, home automation, power grids, voting booths, nuclear centrifuges... When you throw cyber warfare in the mix, the potential for a serious real impact on both individuals and countries is horrifying.