Ted Barlow, McAfee Inc.’s chief security officer (CSO) and vice-president, risk management, sat down with ComputerWorld Canada contributor Tom Venetis last month to explain how the role of the CSO is changing to meet the challenges of today’s new regulatory environment.
What trends are you seeing in regards to security and how are those trends affecting your position? Are those trends changing the role of the CSO?
The role of the CSO has been around for quite some time, but it is becoming more mature. When you look back in IT history, look at the role of the chief information officer (CIO). It started as a title and did not mean a whole lot, but over time the title matured. It is similar to what is happening with the CSO or CISO (Chief Information Security Officer). Companies are starting to understand that they need a person who is responsible for security, compliance and regulatory issues such as Sarbanes-Oxley, so companies are creating this role that is more than just a title. It is giving a person real responsibility to affect change.
It is interesting that you mention compliance and legislation such as Sarbanes-Oxley. At the recent RSA conference in San Francisco, CSOs said their role has changed from focusing on the technology of security to focusing on understanding and implementing the new regulatory environments. Is this something you see?
I would agree with that. I have been given the responsibility of managing our compliance and controls, both on the IT side and on the application side for Sarbanes-Oxley. My title also includes vice-president of risk management, so my role is not just focused on security, but is more broadly focused on risk management, which means focusing on business needs and goals, and having to sell the idea of security as a business need. It is something I also have to sell to our customers.
What is the biggest challenge with compliance issues?
It is trying to be compliant while allowing people to have the freedom and flexibility to do their jobs. But my goal this year is to make sure everybody understands that compliance is part of his or her job — and I mean everybody, from the help-desk person right up to the CIO.
Is it creating a culture of compliance?
We have been doing that for some time with security and now we have to do the same thing with compliance.
Does this mean you had to change from thinking of security as a technology issue to thinking about security as a business driver? Does it mean not just preventing intrusions, but seeing intrusions as something that affects the overall business and its success?
Absolutely. That is why you cannot just focus on security, but you have to focus on security and controls. While they are not the same thing, they are very much complementary. Security relies on controls and controls rely on security. I think the regulations today have really allowed us on the security side of things to focus more on controls. For example, having much better change control processes, so that you just don’t allow people to make changes without having them approved, testing them and having plans to back things off if things go wrong. Good security operations controls are also important. This means collecting the right events, reviewing them and responding quickly with good incident response.
How do you talk about security now when you speak to companies? Before, security was about the firewall, antivirus and protecting yourself from external intruders. Has it changed?
We certainly talk more about compliance today, but the day-to-day realities of people’s work are still very much about threat management. There are four domains in security management — threat management, incident management, identity management and vulnerability management. But of the four domains, people still spend an inordinate amount of time and resources on threat management because that is what is disruptive. It only takes one Slammer event to have them wake up to such problems.
In your opinion, what are some of the threats that companies will have to tackle?
[The situation] will resemble some of the same threats we see right now: those that take advantage of a known problem and create a worm to exploit it, for example. We will still have those kinds of problems. Microsoft just announced 11 vulnerabilities, so there are plenty of opportunities for a big event to come along, like another Slammer. But today, companies must deal with things such as spyware and a whole host of malicious programs and phishing attacks. Companies must also deal with the issue of loss of trust where a security breach happens… It comes down to risk management: what is the risk of a lawsuit?
Why don’t more companies have a CSO? Is it because a company might not think a CSO’s role is that different from the guy focusing on security and the network in the back room?
I think segregation of duties is important and companies are starting to recognize that you do need someone who is independent of the operations or the people who install the IT infrastructure. You need someone who can stand back and take in the big picture. It is a maturing process for companies and for the role itself.