TORONTO, Ontario – Martin Carmichael does not cut an imposing figure. But the chief security officer for McAfee Inc. looms large in his views on how integrated information and physical security ought to be sold to businesses and consumers.
Carmichael is responsible for both IT security and physical security at McAfee, a combination of duties that is uncommon for a CSO.
And while his views on how IT security should be pitched to the masses, as opposed to how it is pitched today, may not be entirely practical, his passion for what he insists is required for the greater good is genuine.
“I am the typical person McAfee would sell to,” he said, while on a visit to Toronto recently. “I’ve always used McAfee products in some substantiation. Do I always choose a McAfee product? There have been times when I haven’t . . . but there is no security organization in the world that has one flavor of everything.”
He wasn’t shy discussing the many challenges the security industry faces either.
“The reality is — if you take a look — vendors have a huge part in how we define security on the whole. If you talk to customers, they take things from vendor presentations and put them into their own presentations,” he noted. “One of the challenges facing the (security) industry is how security is viewed by businesses, by governments, by our world.”
To that end, he said the balance between regulatory compliance and business is no different than the balance between business and risk management itself.
“I believe fundamentally the idea of compliance is very difficult to achieve. If you look at most organizations and ask them if they’re compliant and they say ‘yes,’ you would have to step back and say ‘let me introduce you to a new auditor’,” he remarked. “Compliance constraints tend to be much more subjective these days.”
Traditionally, businesses and security have not had great relationships. Businesses don’t cheer when risk management walks into the room. That needs to change by demonstrating the value proposition in compliance, he said. It shouldn’t be compliance versus business; it should be compliance enhancing business. That is not how it is viewed, and Carmichael said we often approach security in the same fashion.
As for the CSO, he said that unlike the sales department, a CSO who is effective in achieving objectives and transparently enhances an organization’s security typically isn’t rewarded for that success.
“We’re at a crux in time that will define where we’re going to be over the next 20 years. Look at business: When someone sells more material they get more money, when they’re more effective they get more resources. Every time a CSO is effective … what happens? More money? More resources? That’s not the way that it happens at all,” he said. “The success of security offers the CSO financial concerns. Think of the message that sends. We need to understand the whole architecture of security and where we’ve come down as a business process.
“It’s not just at the technical level. It’s in the message we’ve (the security industry) been giving.”
Ultimately, architectural changes are required industry-wide, he continued. Either we say, ‘live free and accept the risk characteristics,’ or we change the architecture of what things look like and build new mail systems, new encryption systems, and so on.
“At some point we need to look deeper at the underlying architectures that we’ve got and have a group that comes up with international standards that are going to be effective,” he said. “But one challenge is legacy systems; not everyone is at the same point. There are a lot of people still using legacy systems and they don’t have the ability to integrate into a new environment.”
At some point, Carmichael expects governments to step forward and push such advancements and compliance upward, though he admitted to being uneasy with that concept.
“We’re the security industry. We should be leading that charge. We should be defining these characteristics,” he said. “Look at the struggle governments are having with regulations, some are very broad and not articulated very well. Instead of the industry leading, we’re following … we’ve fallen under the auspices of compliance as a result.”
Furthermore, he said the trouble with security today begins with how the industry has presented itself. Risk is not unknown: insurance companies have dealt with risk for years, he pointed out, adding that risk management is an integral part of business.
“The challenge is how we sell security today. We use fear to sell security. [The U.S.] has a war going on [in Iraq and Afghanistan] because we’re afraid of terrorism … we need to make business arguments for security, not fear arguments,” he said. “We always use ‘the impact’ and talk about it in broad, extravagant terms … that’s not what risk management is really about. It’s a daily, effective management of risk because you could be anywhere and get killed … we need to focus beyond disaster and on the daily life of security.”
Taking it a step further, why don’t security vendors like McAfee adopt the insurance company actuary model? That is to say, why not guarantee users coverage in the event of a data disaster or security breach after taking their money?
“You want me to make a statement on behalf of the board of directors, the CEO, about what McAfee is going to do as a business and you want that to be printed. Let me think. That’s a tough one,” he said jokingly. “Will I commit the entire company to that direction? It’s an excellent comment. That’s all I’ll say.”
This column was written by Liam Lahey of ConnectIT