Getting to know the CISO: Kevin McKenzie
Spend 30 minutes with Security Sister Network as we chat with Kevin McKenzie, the former CISO of Dollar Tree. We will discuss the importance of Advisory Boards and relationship building. We will also get to know Kevin better by asking him some fun questions.
Chris Blum:
Hello, everybody, and welcome to Security Sisters Network Podcast, Getting to know the CISO. Today we have the pleasure of meeting with Kevin McKenzie. He is the former CISO of Dollar Tree. Welcome, Kevin.
Kevin McKenzie:
Welcome. Thank you. I look forward to our conversation today.
Chris Blum:
We also have Suzanne Higgs here. She is the co-founder of Security Sisters Network and the CMO. And so, let’s go ahead and get started.
Kevin, why don’t you tell us about yourself and your background?
Kevin McKenzie:
Oh, well, all right. So I’ve been working in the IT industry for about, well, close to three decades, to be honest with you. I started very young in my career, so to speak, in general IT, and worked my way up through those ranks at Clemson University. Pretty much was responsible for every facet of what you would think of as traditional IT within the IT stack. And the last spot I served in, I was their Chief Information Security Officer there, and sort of built up and created what was known at that time as our Office of Information Security and Privacy. I guess I did that job for about, I don’t know, seven years roughly. And then, I was recruited away to Dollar Tree to be their first Chief Information Security Officer and was charged with building their program there.
And this was right after the merger. I say merger. It was an acquisition. Dollar Tree had just recently closed on its acquisition of Family Dollar, bringing both Family Dollar and Dollar Tree together. They did security between the two companies, and I won’t say piecemeal, but they certainly didn’t have an organized unit. They didn’t have a Chief Information Security Officer then, and they were looking for someone with that experience who could build that program. And so they had reached out to me after hearing me speak at a national conference and began recruiting me for that role there.
So for the last six and a half years, I’ve been the Chief Information Security Officer for the company and senior vice president for IT. So I received progressive job responsibilities and duties. When I finally left the company just recently, I had everything from not only everything security but I had all of the infrastructure, think of it as the data center servers and all of the managed infrastructure you would traditionally find in IT. I had all of the networking that reported to me, all of our store distribution, and all the technologies that go out into the stores. Even IT finance had reported to me as well. So I had a wide range of responsibilities prior to leaving the company there.
I did fail to mention another thing even when I was at the university. I was also the Chief Information Security Officer for a healthcare organization in the state of South Carolina. So there were two programs. One was the clinical trials and database warehousing that was being done. That was Health Sciences of South Carolina, which is a collaboration between the five major hospital systems and the three research institutions. And Clemson does the Medicare claims and eligibility processing for the state of South Carolina. So I was responsible for, I don’t know, 65-70% of most medical data in the state of South Carolina in what I was doing at the university during my time. So that’s the short version of what I’ve done in the last 20 years. Yeah, yeah, it’s been fun. I enjoy it.
Chris Blum:
In addition to all that responsibility, have you ever served on a CISO Board? And if you have, tell us a little bit about that and what it was like.
Kevin McKenzie:
So I’ve served on various boards, some comprising all but CISOs, and it’s designed for the CISO. I will do my best not to name the company specifically, but I’ve been on what’s been called a President’s Advisory Board. So this is the President of a Fortune 50 company on their advisory board. It was primarily security folks, but not complete security on their side as well as several other point products or large vendor boards. Serving on the CISO boards, I’m passionate about the CISO industry.
I think that’s where I’ve made my name, but I’ve contributed to the industry as a whole, and I’ve certainly grown through the experiences I’ve had with other CISOs that are out there in the marketplace. I’ve learned far more than I’ve given, at least how I perceive it from my colleagues in the field.
But serving on the board, if you think about it… I’ll give you two perspectives. One from the CISO’s perspective, just being there, being with, not to be cliche, but this other esteemed level of CISOs in the market and across the industry. And it’s not typically people who will be in my same industry. I’ve been in higher ed, I’ve been in medical or healthcare, and I’ve recently been in retail, but these advisory boards are typically across the board. It’s not in any one particular silo. So I’m learning how others are either using a particular technology, dealing with a particular issue that’s going on that’s affecting our industry as a whole, and how it’s being applied to other industries. And part of that is just seeing that creative mindset work together, to help each other because while companies, I’ve said this long before I got into the private sector space, but companies at the end of the day, they’re obviously concerned with the shareholder wealth kind of thing.
And for CISOs, the competitive nature is not there. It’s not company A versus company B. It’s like we’re all fighting the same enemy, and we all seem to work together well to help prevent that. And I think there’s the mutual respect in that sense where it’s less about the competition between company A and company B and more about, hey, we’re all trying to do the right thing. If I was at company A, my data might be in company B, C, D, or one of these others. And so I have a mutual interest in working together with them on these boards to solve these problems and to do these things. From the company’s perspective, having these boards provides them a resource they can’t get otherwise.
Our schedules as a C-level executive are just full from one end to the other. The demands of the job, it’s a 24×7 kind of environment. The demands of the job alone take up a lot of our time. So vendors getting in to sit in front of us and spend quality time with us is very limited. And these boards, it’s a give-and-take kind of deal where we get a direct connection with the companies. The companies get a direct relationship with us.
We feel like we’re making a difference in the product because that’s what we’re on these for, is to make the product better to serve either our needs or the industry needs and to help have a voice for the CISOs, how we’re using the product that’s out there, different creative ways. And to give feedback on where the companies excel in what they’re doing, as well as to give them feedback about where they’re failing and where they’re falling short. Because it’s like anything, you can build it and put it out there until you create that feedback loop to understand, “Did I meet the market?” “Am I solving their problem?” “Is it a good value for what they’re trying to do?” And so I think, depending on your perspective, the CISO boards have advantages for both parties involved.
Chris Blum:
I agree a hundred percent.
Suzanne Higgs:
All right, Kevin, are you ready for me?
Kevin McKenzie:
Sure.
Suzanne Higgs:
Okay. What is one thing you refuse to share? You can think outside of the box here. One thing you refuse to share.
Kevin McKenzie:
Are we talking about data or a personal object like a movie? What are we talking about here?
Suzanne Higgs:
For example, someone said, I refuse to share my ice cream. One thing that you’re like, nope, I’m not sharing.
Kevin McKenzie:
I’m not a big food sharer. You mentioned ice cream, but I am absolutely not. My wife always jokes about this because even when we were dating, I ordered the portion sizes I was looking forward to. If you want, I will buy a complete other meal if you wish to two bites out of that meal or at the time it was drinks or something like that. But I’ve never been a real food sharer kind of person.
Suzanne Higgs:
You’re not okay if she reached across the table with her fork?
Kevin McKenzie:
One time, maybe. Twice, we’re going to fork fight.
Suzanne Higgs:
All right. That’s perfect. That was good.
Chris Blum:
I’m the same way. So we talked a little bit about the boards for the businesses. The reality is that the vendors are always trying to get in front of you guys, and you have limited time, and I’m sure you get 500 emails from vendors daily and as many calls as possible. And so that’s been one of the challenges for all these vendors. How do we get in front of these CISOs? And so, what are some of the biggest benefits you’ve seen from companies having a CISO Advisory Board?
Kevin McKenzie:
Well, I mean, you mentioned many of them, and I think I’d mentioned them in a previous question. One is just getting that undivided face time with the CISOs I think is the biggest value that they get because it is tough to get in front of them to get on their schedule. I mean, some of the marketing that goes on now where they just automatically put a calendar invite on my calendar, that’s a surefire way of never getting in front of me. I mean, I’m just being honest. If you take it upon yourself to, go ahead and just drop a calendar invite on my calendar. Now you’re cluttering up my calendar without ever having a relationship with me prior. You just made it exponentially more difficult for yourself to get time with me.
So I think getting that undivided attention in a one-on-one environment with the leadership of the company. This isn’t something to take your engineers and just drop your engineers in a room, “Go ahead, go talk to those CISOs.” If the company’s not putting the same level of representation in the meetings organizationally, then it’s also a failure too, because I can talk to an engineer anytime I want. I can pick up the phone, call any vendor I want, and talk to any engineer I want. They’re going to take my call because my role, regardless of who I am, is just the title and the company you’re working for at that time. So from the CISO’s perspective, we got to feel like it’s being taken seriously. It feels like we’re getting that face time as well. So this is like I said, this is the give and take that both sides were coming.
A lot of the boards I’ve served on where we’re going to go away on whether it’s a retreat or we’re going to take a day, but we’re going to sort of lock ourselves in this room, and we’re just going to have a Chatham House Rules honest conversation. And I can only speak for myself, but I think I echo the same comments that many other CISOs would say in this situation. We don’t hold back. We’re not there to say, Hey, you got the greatest product since sliced bread kind of stuff. We’re going to tell you where your product fails. We will notify you where your pricing models are out of scope compared to the market or your competitors. We will give you raw, honest feedback that you won’t get any other way, good and bad. Where you excel, we’re going to tell you. Where you are failing, falling short, or your competitor is just handing it to you. But we’re going to give you that kind of feedback.
We’re also going to give you feedback about what we’re seeing, what we’re battling on a day in day out basis, and how your company can help us. We see potential in your product if you do this kind of development if you will go down this path if you add this additional feature. Or, hey, maybe you are considering acquiring a technology to integrate into the platform that you offer today. CISO boards are a great place to bounce that idea and just say, Hey, we’re looking at adding this. You don’t have to talk about the company. Obviously, that is stuff you don’t want to speculate on because it’s hard to keep that secret when doing these things. But if you were to say, just talking about a particular technology choice or selection without naming it or giving the vendor. Certainly, that’s a good place to bounce that idea off of.
Chris Blum:
And I think it’s really important to have an outside perspective of someone who’s not drinking the Kool-Aid that everybody internally is because sometimes you can’t see the flaw in your products.
Kevin McKenzie:
I’ve been on advisory boards that I’m not a customer, and I say that’s even better. And I’m responding to the statement you just made. And from the company’s perspective, yes, because you don’t have the echo box. You don’t have the one feeding you yeses and yeses, and hey, this is great. You do have someone that has no obligation. We’re not trying to renew a contract with you, so I need to play nice or any of that. It’s “hey, I’m just going to give you honest feedback about why I’m not a customer and what you’re going to need to do for me to be a customer.” I’ve been on some of those as well.
Suzanne Higgs:
Would you rather have no cell phone access or no car access?
Kevin McKenzie:
Well, let’s see. Depends. And I’ll couple that if we’re not thinking about work-related needs, I’ll gladly give up the cell phone.
Suzanne Higgs:
Yes.
Kevin McKenzie:
But because when I’m on the job, so to speak, the cell phone is the first thing I look at when I wake up, and it’s the last thing I look at before I go to bed. And sometimes, if I get up in the middle of the night, I still glance at it because I live, eat, and sleep at my job. It’s 24×7 for me when I have to do it. And that would be tough to be without it at that point in time. But if we’re talking just personal needs, no, I’d rather have a car where I can go someplace.
Suzanne Higgs:
All right, now I know you better answer my texts.
Chris Blum:
Oh, okay. Great. Well, okay, next question. Why do you think so few companies have advisory boards? I mean, I’ve worked for a ton of security companies. I’ve been in tech companies since I started my career 20 years ago, and only one or two of them had an advisory board. Why do you think most companies aren’t trying to get this group of knowledge and help elevate their company?
Kevin McKenzie:
Well, it depends on the company’s stage too. If it’s a startup kind of company, cash flow’s limited. They’ll see this as a marketing event more than anything, and they’re not taking the time to do the return on the investment in a non-monetary way. There are ways to evaluate this monetarily, but there are also ways of saying, “Hey, you need this feedback, especially in an early stage kind of deal as you’re growing your product, as you’re growing your customers, as you’re deciding what markets to hit and where you’re going to try to have penetration of your product.” That’s where they need to be looking, but they don’t. They look at it purely as a cash flow kind of situation and marketing, or they think of it as an overhead function, and they’re so head down, eyes on glass in the engineering phase of it.
Companies that have been established for a while, again, I think they’re coming around to it, and they’re seeing that need for it, especially ones who’ve been the market leader for a while, and they’re starting to see a little bit of that slip. They’re trying to figure that out. But also the question, I’m going to go back to the question, the question is, “Why do you think they don’t have it?” Sometimes they get a bit ahead of themselves and don’t think that they need it or that they’re getting this feedback some other way. And I don’t believe that they are. Again, it’s when you bring a collection of CISOs together and put us in a room. Everybody understands we’re having frank and honest conversations in here. The feedback is much richer and more honest about what’s happening versus the drive-by commentary or the flippant response. You’re getting undivided attention at that point in time.
It depends on the stage. If you’re small, you’re more focused on development build and putting your dollars towards that, and you’re losing your target by not creating something like this to get that feedback. And if you become the big behemoth on the other side of it, you lose sight of it because you feel like you’re already the market leader. You already know what the market is, and we’re going to dictate it to you because we’re the big product, we’re the quadrant four kinds of product out here, and you’re going to get what we spoon feed to you versus responding to what we’re needing or what we’re asking for. And I think that’s where a lot of companies lose that. They lose it when they get sort of too large. Yeah, well, they lose it when they’re… It’s hard to be the one on top and have to deal with all the challengers versus being the challenger, and you have a clear target, which is the one on top.
Chris Blum:
That’s interesting. And kind of talking about the budget. So in most organizations, I’ve been to, it would’ve come out of the marketing budget, and if it’s a startup, it was manageable. Do you think companies should think about putting this in their budget, maybe not in marketing? It would be interesting to hear your thoughts on this.
Kevin McKenzie:
There’s a part of most organizations, especially when creating technical research and development, why this is not research, and it will lead to development. It’s certainly technical research that goes on in these, especially if you’re talking about the product and the features and all the bills that can be turned on, all the boxes that can be checked or that are not there to be checked. And then there’s the qualitative research where you get raw feedback of what’s working, what’s not working, kind of deal.
Chris Blum:
That’s a great point.
Kevin McKenzie:
The R & D area is where it should be. Yes, there’s a marketing element to it. Just depends. If you’re building a CISO Advisory Board of current customers, it’s R&D. You’re not marketing to those folks. You already got paper on those. If you didn’t build it for a room full of people who are not current customers, it could be a bit of marketing. But you also have to wonder, too, do you want to find out about your product, or are you trying to find out about the industry and why others are doing something different than yours? Again, the focus is different. That’s why I think a mix of both is where the sweet spot is.
Chris Blum:
Yeah, I think that’s a great point. Thank you.
Suzanne Higgs:
Okay, Kevin, if you were in a made-for-TV movie, who would you want to play you?
Kevin McKenzie:
Yeah. Put the Rock in there. If there are not many lines in the movie, make me the Rock. But if you’re going across the board, probably someone like Costner.
He does all the sports movies and ends up with all the pretty ladies at the end, so why not?
Suzanne Higgs:
That’s perfect. That’s perfect. There you go.
Chris Blum:
Okay, so you’ve been on a few boards, and let’s face it, you’ve got very limited time. So what is it about the companies that attract you to give up your precious time and join their boards?
Kevin McKenzie:
Well, one, is the technology relevant? Is it something that I have an interest in? I go through several evaluations. One, is it relevant and something I have an interest in? Are we currently using it? Do I feel like I have enough understanding of our use case and of the technology, the space that it’s working in that I can contribute to a board. Because I’m going to be in there with a bunch of my peers, I want to feel like I have a good understanding of what that company’s doing, what they’re trying to solve, how we’ve implemented it, and how I can give back to that community and maybe learn how others are using it.
The other thing that I look at is it is a disruptive technology. Is it new and emerging, and I have the opportunity to be at the ground floor and either learn as it’s growing so that hey, it’s something we can bring in here. We can be on the cutting-edge kind of deal through the implementation process. Or I like where it’s headed, but I feel like I want to have a hand in where it’s headed through my suggestions or my feedback as far as how they’re going to build and develop that product.
Those are probably the two biggest things that I evaluate. It’s really around the space. Then the last part is the relationship. What kind of relationship am I going to have through the board process? Is it either with the other CISOs that are there or is it with the company, the leadership of the company who’s participating? Like I said, I don’t like the ones that just stood up for the sake of saying, you did one and move on. I want them, the company, the executive, a peer level to what I’m bringing to the board or higher to have as much interest or skin in the game, so to speak, into participation as I’m bringing to the table too.
Chris Blum:
Yeah. Awesome. And do you find that they tend to take your feedback when you give it to them on a product? Have you helped shape some product roadmaps and some product designs when you’ve been on these boards?
Kevin McKenzie:
Yeah. Where it makes sense and where it’s… As a CISO, what you’ve got to do when you’re providing feedback that you want to be implemented or adopted is: is it a niche kind of solution or situation, or is it something that has a broader impact? These products are built to work across many verticals, not just the vertical I’m in or my particular problem. So is it something where, “Hey, I’m making this suggestion, but I see where it can apply to other industries other than myself, and I sort of work it at that angle.”
The good part is I’m going to be in a room full of other verticals. So I tell them, “Hey, this is how we’re using it, but I wish it had this feature, or I wish it worked this way.” Or suppose they would change this configuration or integrate with what other product, take feeds or direct connections with other particular products that it could feed together and build a. In that case, I don’t want to say a coalition, but just making sure sort of litmus testing it with others that… I’m not suggesting something that’s myopic and only my world, and it’s serving just for me, but it has a broader reach because those are the ones that are more likely to be adopted. Because you’re talking about having them change their product, they need to see the value. And if I’m speaking to it and then another CISO speaks to it who’s in a completely different industry, and a third one speaks to it, they start seeing like, hey, maybe there’s a trend here.
So yeah, I think where it makes sense, certainly, I’ve been able to help not only in the product development side of it, the product integration side of it, but even in the marketing and the modeling of the pricing models and how they roll it out to market and take it to market. I’ve had some suggestions that have been adopted there.
Chris Blum:
Awesome. Yeah, that’s so important, especially with the pricing, because I think that’s one thing companies just missed the mark on.
Kevin McKenzie:
Yeah. Well, they do. And they don’t understand how it’s being used. They make a product, have a pricing model, and then they don’t… How’s it going to be used? How is it going to be used? Does it make sense to have the pricing model for all endpoints?
And I’ll give you an example. As you know, we are running some endpoint solutions. And this is a security solution. It makes sense to run that endpoint solution on as many devices as we can and stick it on there. But I had devices that went in and out of the office daily. People use them every day. They surf the internet on desktops, laptops, and things of that nature. And I completely understand the pricing model there. But when I was at my previous employer, we were talking 60,000 registers or something like that, and it had the same pricing model on those registers as I had on laptops. Well, those registers never left the store. It was a dedicated network. It was completely isolated and blocked. And my thought was, why do I pay the same? Why is the model the same for those devices as it is for a device that goes out and touches every rogue access point, hotels, Starbucks, home networks, and everything else? The model just wasn’t the same.
So I was able to affect change in that manner around that kind of model. And it was significant. So when you talk about the scale that we were dealing with.
Suzanne Higgs:
That’s great. So Kevin, what advice would you give your younger self or those starting in this industry?
Kevin McKenzie:
To my younger self. No, I mean it’s… Be involved. I mean this industry, the thing I like about it, and I’ve said this many times when I speak, is the one thing I like about my job. I say I describe it like a snowflake. No two days are the same. No two problems are the same. The circumstances are different for everything you deal with on a day-in and day-out basis. So be adaptive, be flexible, and understand what technology you’re dealing with, but be involved with it. It’s going to change. The new technologies are going to roll out. The new way of doing something is going to be there. So you’ve got to be engaged. You can’t just get into it and say, “Okay, this is how I’m going to do the job for the next 25 years.” That’s just not the case. You’re going to fall so far behind.
So you’ve got to be engaged with the literature that’s out there. You’ve got to be engaged with the implementation processes and procedures. You’ve got to work with all these vendors because they’re rolling out different products, they’re rolling out different ways of doing it. We’re going through that. We have been going through that evolution now, whereas you back us up at, let’s do, five to ten years, and you ran everything on-premise. And now it is why can’t you run everything in the cloud? And we’re shifting that kind of stuff. But it takes a different stack of technologies to do that. It’s not that it’s difficult or it’s hard. I mean, it has its challenges, but it’s just different. And if you’re not engaged and keeping up with it, it’s difficult. It’ll leave you quicker if you decide to sit on the sidelines. So the advice I would give is you have to stay diligent. You have to stay a part of the industry, not only from your company but what the vendors are doing, what they’re developing out there, what products that they’re rolling out, kind of do.
Chris Blum:
I’ve got one last question for you, and then I think Suzanne’s got one. What suggestions would you give to vendors on building relationships with CISOs? How do they start with an advisory board when they don’t know anybody? What are some of the most important things they don’t know that they need to know about starting?
Kevin McKenzie:
Well, I will come at this two different ways. One I’m going to make the first assumption is they don’t have the relationships… Or I’m going to come at it as first they have the relationships, maybe their marketing staff or whatever have been embedded with companies and so at that level, they’ve got that engagement. I would say the executive level of those companies now needs to come on-site and build a relationship. I’m such a relationship-driven person when it comes to my vendors. Come on-site, at least have that touch base first, and then start thinking about “Is this somebody that would work well on our advisory board?”
And again, you don’t want to build an advisory board where you have a bunch of yes men or yes women. You want some disruptors there. You want some people on the board who others might think of them as problems or difficult to deal with. And sometimes, they are, but sometimes they ask many questions that others are unwilling to put the time and effort into asking. So after you’ve sort of established that, you can do it that route.
But let’s say you don’t have that. Say you were a startup, say you were a large company, predominantly the executives have been hands-off or they don’t have time either. They’re so busy as well that they can’t go and visit all these companies. You use a proxy, somebody who’s established with the CISOs, and already has relationships with them. And you bring them in and let them act in your stead or as your proxy to build your initial board. You give them, through a debriefing: What are we trying to accomplish? What kind of board are we trying to build? What diversity do you like on the board? Not only in what we think of as traditional diversity but also diversity in the industry, and diversity in personalities, bring that mix together. And let that third-party proxy build you a board and run it and be engaged with that board from that perspective.
And they’re out there, and these groups are out there just like Security Sisters Network here. They’ve already got the relationships. They know the people. They know the personalities. Many times they might even know… They know some of the tech stacks they’ve worked with just because they’ve already engaged with the CISOs. So having that in your back pocket, if you don’t have the time internally to do it or have that relationship already established. You could use somebody in your stead or as a proxy to help at least get your first one going, build it from there, and then cultivate that relationship from then on.
Suzanne Higgs:
That’s perfect. Now, Kevin, I have one last question for you, and I want you to think about this before you blurt out any answer.
Kevin McKenzie:
It sounds a bit loaded already.
Suzanne Higgs:
But I think it’s a perfect way to end this fantastic podcast today. Who is your favorite Security Sister? It was a trick question, and I just wanted to laugh out of that, but I didn’t expect you to answer. But that-
Kevin McKenzie:
Hey Chris, are you employed? No way I’m going to get out of this alive. That’s a good question to get me in trouble.
Suzanne Higgs:
Yeah. I don’t want to do that to you, Kevin, but I really wanted to thank you today for your time and for answering our questions. It was great.
Kevin McKenzie:
But you know that answer already, so I didn’t want to… I’m just kidding.
All right. No, no, I appreciate it. This was fun.
Chris Blum:
Good. Thank you so much, Kevin. This was great. And thank you, Suzanne. Have a great day, everybody.