For security to get the financial backing that it deserves in the corporate budget, security managers need to stop the fear mongering and start making the business case.
That’s according to security software vendor McAfee Inc.’s own chief security officer, Martin Carmichael. “(As security managers) we’re not effective in communicating the business message of security.”
Carmichael added that managing risk in the enterprise should be accomplished through definitive planning, strategy and process, and not through fear-based arguments.
The McAfee CSO, who was in Toronto this week for some face-to-face time with Canadian technology reporters and analysts, admits his role in McAfee gives him a “different perspective of McAfee than anyone else” in the company.
For starters, Carmichaels said he is essentially a customer of McAfee in that he uses some of the McAfee products in his day-to-day security management tasks. But even the McAfee products that he chooses to use usually go through the typical product evaluation prior to purchasing, even though his company actually makes the products, he said.
He admits, though, that while he uses many of McAfee’s security tools, there have been instances where he had opted to use a different technology.
And that’s typical among enterprise security managers, he said.
“There is no security officer in the world that is (running) one flavour of everything,” said Carmichael, who also happens to be McAfee’s chief privacy officer.
Carmichael runs all aspects of McAfee’s security and risk management, including physical security, which he says should be ideally integrated with information or logical security.
Integration of the two can be challenging, however, especially if you have two parties that have traditionally functioned separately in the enterprise and have differing views about each other, he said.
“IT security thinks physical security is clear-cut and defined, while the physical security people think the IT guys get all the budget,” Carmichael said.
He said the first thing he did at McAfee was to allow each party to get an understanding of what the other does, and then define how they can work together.
With digitization of the enterprise, physical security is increasingly dependent on the IT infrastructure (IP-based video surveillance or biometric-based access authentication, for instance) while physical security plays a big role in compliance and policy enforcement, explained Carmichael.
“It’s all about how do we mitigate risks,” he said, pointing out that while others may view security and privacy as two conflicting aspects of his role, he fails to see the contradiction.
Wearing his privacy chief hat, Carmichael said McAfee has checks and balances in place to ensure that security initiatives are not undermining privacy policies. He added that compliance requirements also make sure that the balance is there.
Giving Carmichael’s talk a Canadian spin, IDC analyst David Senf pointed out that despite the regulatory requirements enterprises are faced with, compliance is an aspect that seems to be under the radar for many Canadian firms.
Carmichael admits security vendors play a role in changing the way security and compliance is presented to the business. “It’s not about, ‘If you don’t do this, you will die.’ We have to focus on tangible arguments,” he said.