ECommerceTimes.com

EXCLUSIVE INTERVIEW
McAfee CSO Martin Carmichael: When Security and Business Lock Horns



Martin Carmichael, the chief security officer (CSO) for security software developer McAfee, is responsible for IT security, forensics, risk management, physical security, IT security engineering, and compliance with regulatory controls. He also serves as the chief privacy officer for McAfee.

His more than 20 years as a security executive at top-level corporate and government agencies have provided him with a front-row seat to the changing complexities of the CSO's job. He has delivered cost-effective security solutions for global and domestic organizations including Asurion, Wells Fargo, NATO and the Department of Defense.

Carmichael has helped to develop procedures for dealing with company data threats and risk assessments. He also played an active role in managing the design of secure environments.

With a heavy blend of academic and industrial training, his credentials form a dizzying array of cryptic letters. Carmichael's security certifications include CISSP (ISC2), CISM (ISACA), ISSMP (ISC2) and ISSAP. In addition, he holds a doctorate of computer science (D.CS) from Colorado Technical University, with his thesis focused on "Evaluating Enterprise Security Risk."

As McAfee's CSO, Carmichael has learned to do what all CSOs must achieve. He blends the need to produce a business return on investment (ROI) with corporate information protection needs.

TechNewsWorld explored the changing roles of the CSO with Carmichael.

TechNewsWorld: What was the original distinction between the role of a chief security officer in a corporate structure and the job performed by a chief information officer (CIO)?

Martin Carmichael: The CSO's job began as being responsible for making sure the corporation's network remained secure. The CSO strictly worried about the internal data protection. This was separate from the CIO's role of maintaining the company's information and data on the network.

TechNewsWorld: How has that role changed?

Carmichael: A number of evolutions have taken place over the years. In the beginning, the area of security was detached from the business operation. Early on, CSOs had only business managing experience, so they tried to handle the tasks involved with security the same way they knew how to handle other business procedures. They found that approach doesn't work.

TechNewsWorld: What was the evolutionary change that CSOs experienced as a result?

Carmichael: The first evolutionary phase was to become more technologically based. The CSO had to become more technical in his or her approach to security issues. They responded early on by teaching staff about the technology issues related to security functions. But CSOs found out that others in the corporate structure who were not involved directly in the security phase did not really care about those things.

TechNewsWorld: How are CSOs handling that and other driving factors today?

Carmichael: Now we are seeing a merging of the two postures -- the security and the business scenarios. From a business perspective, managers do not want to deal with fact or fear confrontations that CSOs traditionally represented. CSOs were often viewed as feeding the fear of the company losing its reputation or its officials going to jail because of reported security breaches. Still, CSOs are seeing the two factors -- security standards and business units -- as not being warm teammates. Why? Business units deal in facts and performance measurements. But security cannot be quantified that way and can only present security status in terms of green or blue.

TechNewsWorld: What do you see as the biggest business challenge that CSOs face today?

Carmichael: The business challenge for CSOs is the reality that security standards do not speak about cost. Business managers think in terms of, "What did you do for me with that million dollars I put in your security budget?" Business managers do not want the CSO to say, "You're not in jail."

TechNewsWorld: In this current evolutionary phase, what must CSOs be able to accomplish to do their jobs effectively?

Carmichael: CSOs need to demonstrate an ROI from the security operations, not just offer opinions about blue or yellow security factors. They need to tell that story in business terms. This is not done easily. CSOs must communicate in the language of business, not technology.

To accomplish this job, CSOs have to understand the processes of business. They have to learn how to measure factors of security in business terms. They have to know how to show managers about optimizing ROI.

This can only be done by following a repeatable model. CSOs must be able to say where the security of the company is today and where it will be tomorrow in clearly definable terms. Security solutions do not work that way. They do not easily fit into quantifying and modeling.

TechNewsWorld: Where do you see the role of CSO going in the near future?

Carmichael: The CSO's job will evolve yet again. Being a CSO is not a stepping stone to higher managerial jobs. If CSOs want to move up the management chain of command, they must be able to show that they can function as a business manager.


More by Jack M. Germain