McAfee Inc.'s chief security officer, Martin Carmichael, dropped in for a quick Toronto visit Tuesday night to kibitz and discuss security with a dozen or so tech journalists. Funny, energetic and obviously straining at his media-trained leash, Carmichael (looking eerily like News Radio's Stephen Root) covered a lot of ground from the unique perspective of being the chief security officer of a security software company.
Among other things:
- “I am the typical person McAfee sells to,” Carmichael said. “I have a different perspective on McAfee.” And the product ain’t free. It comes out of his budget. There have been occasions when, for point solutions, he hasn’t bought McAfee — but what shop has an end-to-end security solution from one vendor?
- As CSO, he's responsible for both data and physical security, an unusual situation. Followers of the two disciplines don't care much for each other, he noted — infosec folks think the physical job is straightforward, and the physical security types think IT gets all the money. The first step in integrating the two sides is to get them to realize they both deal with mitigating risk, and that they're interdependent. "The days when you could just put guards everywhere are kind of elapsing," he said — with CCTV, badge-reader access control, etc., physical security depends on an IT infrastructure.
- Social engineering is evolving, and social networking sites like Facebook are helping it along. Whereas before, social engineers had to wheedle information out of people for their attacks, “now, people are offering up information … we’re seeing social engineers take on whole identities. I can recreate myself in another guise.”
- In most business units, success means visibility, and that’s rewarded with bigger budgets and more resources. But an effective unit that pushes security up the chain and makes it transparent? “You think they get more money? More budget? More resources?” No, security gets more budget after something happens, he said.
- Threat modelling on the infosec front isn’t the same as traditional risk management; there’s a much more subjective element to it. “How many people use fear to sell security?” Carmichael asked (rhetorically, I presume). “Your neighbour to the south has a war going on because people are afraid of terrorism … If we’re going to make business decisions, we have to use business arguments, not fear arguments. We’re not there. We need to focus on tangible arguments, not fear.” The security argument needs methodologies that allow analysis with the same precision of traditional business risk management, building actuarial tables, doing legit statistical analysis, and such, he said.