Securing the security vendor

McAfee Inc.'s chief security officer, Martin Carmichael, dropped in for a quick Toronto visit Tuesday night to kibitz and discuss security with a dozen or so tech journalists. Funny, energetic and obviously straining at his media-trained leash, Carmichael (looking eerily like News Radio's Stephen Root) covered a lot of ground from the unique perspective of being the chief security officer of a security software company.

Among other things:

  • “I am the typical person McAfee sells to,” Carmichael said. “I have a different perspective on McAfee.” And the product ain’t free. It comes out of his budget. There have been occasions when, for point solutions, he hasn’t bought McAfee — but what shop has an end-to-end security solution from one vendor?
  • As CSO, he's responsible for both data and physical security, an unusual situation. Followers of the two disciplines don't care much for each other, he noted: infosec folks think the physical job is straightforward, and the physical security types think IT gets all the money. The first step in integrating the two sides is to get them to realize they both deal with mitigating risk, and that they're interdependent. "The days when you could just put guards everywhere are kind of elapsing," he said. With CCTV, badge-reader access control, etc., physical security depends on an IT infrastructure.
  • Social engineering is evolving, and social networking sites like Facebook are helping it along. Whereas before, social engineers had to wheedle information out of people for their attacks, “now, people are offering up information … we’re seeing social engineers take on whole identities. I can recreate myself in another guise.”
  • In most business units, success means visibility, and that’s rewarded with bigger budgets and more resources. But an effective unit that pushes security up the chain and makes it transparent? “You think they get more money? More budget? More resources?” No, security gets more budget after something happens, he said.
  • Threat modelling on the infosec front isn’t the same as traditional risk management; there’s a much more subjective element to it. “How many people use fear to sell security?” Carmichael asked (rhetorically, I presume). “Your neighbour to the south has a war going on because people are afraid of terrorism … If we’re going to make business decisions, we have to use business arguments, not fear arguments. We’re not there. We need to focus on tangible arguments, not fear.” The security argument needs methodologies that allow analysis with the same precision of traditional business risk management, building actuarial tables, doing legit statistical analysis, and such, he said.

Jim Love, Chief Content Officer, IT World Canada
Dave Webb
Dave Webb is a freelance editor and writer. A veteran journalist of more than 20 years' experience (15 of them in technology), he has held senior editorial positions with a number of technology publications. He was honoured with an Andersen Consulting Award for Excellence in Business Journalism in 2000, and several Canadian Online Publishing Awards as part of the ComputerWorld Canada team.