Hacking Exposed and Customer Focus
Recently (yesterday) I had the opportunity to chat over a meal with George Kurtz, a Senior Vice President and general manager in charge of McAfee's Risk and Compliance unit. (whew, that's a mouthful). In attendance were a small number of other CSO's (or equivalent) and we listened to George, also a co-founder of Foundstone, the premier vulnerability scanning solution.
We also bounced some ideas back and forth and generally shared information like good stewards of our respective enterprises.
So, keep in mind that McAfee is a vendor. They sell products and services. I found it fascinating that one of the most common themes to the questions was not technology, rather it was something relating to the "human" side of information security. Question such as: how can we justify headcount? who dictates policy? how do we show value to management?
I find this interesting for two reasons.
One: security people often tend to be caricatures of other IT folks. Even more "black cave" oriented, less social, creepy, etc...etc... and yet this group had the presence of mind to recognize that, though we would prefer to be "tools" to be wielded by others (to paraphrase a coworker, who hates the "political" side of security), we recognize the need to interact, "sell", and justify. These ubergeeks recognize the human side.
Two: McAfee is an odd company to ask these kinds of questions of. These questions would clearly fall "outside the scope" of any implementation. Still...I think they were well founded and well targeted. After all, McAfee is, in the end, interested in selling us their solution just as we are interested in selling management our "solution" as CSOs. George gave an example of something they did for a customer which wouldn't fall under "best practices", but did fall under the scope of "serving" the customer. They chose to accept the risk, a concept that amateur IS professionals still seem to struggle with.
For all that we discussed, I received a good lesson on identifying, understanding, servicing and even measuring our "customers". My customers are the HR and legal departments, as well as the business units who rely on me to keep them safe while keeping them running. The "A" in the CIA model (Confidentiality, Integrity, Availability). Though it's redundant, I like to add "U" for "utility". Sure the data is there, but can our customers *use* it?
So, although I tend to be merciless with vendors (I was one, once, and I *still* have no sympathy for them!) I learned that these guys see the breadth of security implementations that I do not, and they may actually have a good idea or two.
Even if it's outside their product line.
PS...thanks to Sam Van Ryder for reminding me why I like to do this stuff.
We also bounced some ideas back and forth and generally shared information like good stewards of our respective enterprises.
So, keep in mind that McAfee is a vendor. They sell products and services. I found it fascinating that one of the most common themes to the questions was not technology, rather it was something relating to the "human" side of information security. Question such as: how can we justify headcount? who dictates policy? how do we show value to management?
I find this interesting for two reasons.
One: security people often tend to be caricatures of other IT folks. Even more "black cave" oriented, less social, creepy, etc...etc... and yet this group had the presence of mind to recognize that, though we would prefer to be "tools" to be wielded by others (to paraphrase a coworker, who hates the "political" side of security), we recognize the need to interact, "sell", and justify. These ubergeeks recognize the human side.
Two: McAfee is an odd company to ask these kinds of questions of. These questions would clearly fall "outside the scope" of any implementation. Still...I think they were well founded and well targeted. After all, McAfee is, in the end, interested in selling us their solution just as we are interested in selling management our "solution" as CSOs. George gave an example of something they did for a customer which wouldn't fall under "best practices", but did fall under the scope of "serving" the customer. They chose to accept the risk, a concept that amateur IS professionals still seem to struggle with.
For all that we discussed, I received a good lesson on identifying, understanding, servicing and even measuring our "customers". My customers are the HR and legal departments, as well as the business units who rely on me to keep them safe while keeping them running. The "A" in the CIA model (Confidentiality, Integrity, Availability). Though it's redundant, I like to add "U" for "utility". Sure the data is there, but can our customers *use* it?
So, although I tend to be merciless with vendors (I was one, once, and I *still* have no sympathy for them!) I learned that these guys see the breadth of security implementations that I do not, and they may actually have a good idea or two.
Even if it's outside their product line.
PS...thanks to Sam Van Ryder for reminding me why I like to do this stuff.
Comments