Exclusive: Bugcrowd's Nick McKenzie discusses the evolving role of CISOs
Nick McKenzie has been with Bugcrowd for over three years, having made a significant transition from his previous roles in the banking sector.
His move to Bugcrowd wasn't just a career change but also a shift in the industry focus, from finance to technology. McKenzie's journey started as the Chief Security Officer at National Australia Bank and other banks before that. "I came in as a customer of Bugcrowd, and I just saw all the awesome outcomes that I was getting," McKenzie explained to TechDay.
He admitted this experience is what sparked his interest, leading him to join Bugcrowd and eventually take on the role of Chief Information Security Officer (CISO).
At Bugcrowd, McKenzie's role is multifaceted, encompassing responsibilities as a Chief Information Officer (CIO), Chief Security Officer (CSO), and a field CISO. "My day-to-day operational responsibilities include managing all enterprise-wide software, hardware, networking, and user support globally," he said.
Beyond these tasks, McKenzie also runs the first-line cybersecurity processes and works closely with sales teams to understand and meet customer needs. His role focuses on strategy, vision, and risk management, supported by a team of governance, risk, and compliance professionals, as well as cybersecurity tech experts.
One of the key topics McKenzie discussed during an exclusive interview with TechDay was the findings from Bugcrowd's recent report, Inside the Mind of a CISO.
The report revealed a concerning belief among CISOs that many companies are willing to sacrifice long-term privacy and security for cost savings. "It was quite surprising to see that statistic," McKenzie admitted. He sympathised with the struggles CISOs face, particularly the internal bureaucratic challenges that often place security as a lower priority compared to other business objectives.
"There's still a lot of internal tug-of-war, with business leaders pushing back against security-first approaches."
Despite these challenges, McKenzie believes there has been a mindset shift over the past few years. "Companies are now more acutely aware of the direct and indirect costs of a breach," he explained, pointing to the increasing regulatory pressures and public scrutiny. This awareness is driving more companies to prioritise cybersecurity, although there is still a long way to go in changing the broader corporate mindset.
The report also highlighted a significant gap in understanding cybersecurity risks, with 40% of respondents believing that less than one in three companies fully comprehends their risk of being breached.
McKenzie emphasised the importance of internal awareness and risk management practices. "It's all about communication at the right levels and ensuring that people understand the consequences of a breach," he said. He also noted that companies often fail to adequately raise these risks within their organisations, leading to a dangerous underestimation of the potential impact.
In terms of recruitment and retention, McKenzie acknowledged the high demand for cybersecurity skills. "There's actually no shortage of cybersecurity professionals in the field, but finding the right talent at the right level is where the challenge lies," he explained. Retaining staff is another challenge, requiring a focus on engagement, appropriate compensation, and career development.
"Cybersecurity professionals love a challenge. They want stretch objectives and clear career paths," he added.
McKenzie also stressed the impact of artificial intelligence (AI) on the cybersecurity workforce.
According to the report, a whopping 70% of respondents plan to reduce security team headcount due to AI adoption in the next five years. McKenzie, however, believes that this will depend heavily on the maturity of AI within organisations.
"I don't see AI as a big threat to jobs in the short term. It's more about repurposing roles to focus on areas where AI can't help," he said. He also pointed out that AI is still in its early stages, with the technology "evolving rapidly."
"As AI becomes more sophisticated, we might see a direct reduction in roles, but this will also create new opportunities in AI-related areas."
When asked about the growing concern that AI could outperform security professionals, McKenzie acknowledged that AI has the potential to enhance security operations. "There's a lot of manually intensive work that humans just can't process quickly," he noted. AI, with its ability to handle large datasets and perform detailed analysis, can significantly improve outcomes in areas like threat intelligence and anomaly detection. However, McKenzie emphasised that AI should be seen as a tool to assist cybersecurity professionals, not replace them.
The risks associated with AI in cybersecurity were also discussed, with McKenzie outlining Bugcrowd's approach to categorising these risks: AI as a threat, AI as a tool, and AI as a target. "AI as a threat is about the potential for AI models to cause harm, such as reflecting bias or hate speech due to inappropriate training data," he explained. He also highlighted the risks of adversaries using AI to automate and fuel attacks, making them faster and more sophisticated. "We're seeing deepfake AI-generated images and more convincing impersonation techniques, which are becoming increasingly difficult to detect."
Despite these challenges, McKenzie remains optimistic about the future of cybersecurity. He believes that a dynamic, tactical approach to cybersecurity strategy is essential for staying ahead of evolving threats. "Your strategy needs to be directly proportionate to the threats you face and the risks within your organisation," he said.
McKenzie advocates for a one-year strategy with the flexibility to pivot and adapt as needed, rather than a multi-year plan that becomes outdated as the threat landscape changes.
"We match the best and brightest hackers to our customers' needs, helping them find vulnerabilities that might otherwise go unnoticed," he said.
"It's all about staying ahead, adapting quickly, and leveraging the collective ingenuity of the cybersecurity community."