It has been a year since Ted Barlow took on the position of Chief Security Officer (CSO) for Plano, Texas-based security product provider McAfee Inc., and already his position has brought new challenges and opportunities.
In February of last year, Barlow was McAfee’s IT director of security (he continues to retain the title of vice-president of risk management). Then his job was focused on IT security — protecting systems from threats such as viruses and worms.
Today, as the company’s CSO, he manages much more than such traditional security risks. His job now involves making sure McAfee’s security policies meet the new regulatory requirements for security of financial and private information laid out in such legislation as the Sarbanes-Oxley Act of 2002. The act is meant to ensure the protection and integrity of corporate financial information.
“The role of the CSO has been around for a while, but it is now becoming more mature,” Barlow added. “Companies understand that they need a person who is responsible for security, compliance issues, and for such regulatory issues as Sarbanes-Oxley.”
Security, in Barlow’s opinion, is a business process as much as it is about technology.
He said one challenge he faces is that there are no guideposts to help him figure out how to make McAfee’s own security policies conform to the government regulations. It is very much an on-the-job learning experience.
“It is a work-in-progress,” Barlow added. “There are no definite guidelines out there to tell you what you must do, so you have to develop some of that in conjunction with internal audits and with many of the other functions of the company. It is very much a moving target.”
Barlow said getting a company to conform to such legislation as Sarbanes-Oxley involves changing the thinking of everyone in the company about what security is, and how each employee should approach the issue.
He said this means getting employees to think about the security implications of actions they take. For example, he said, a simple action such as changing access rules for data can have real security consequences and an effect on the bottom line. If an access change is not done correctly, it could expose sensitive information, and if that becomes public, the company suffers a loss of trust among consumers and partners, affecting the company’s stock or sales.