McAfee CSO: Security pros need to better understand business needs

His advice to fellow security professionals about how best they can achieve their goals and needs when dealing with business was a highlight.

“When dealing with business, security professionals are faced with two questions: what do I get and what does it cost? Until the [security professional] is really able to address those two questions we are going to be in a place that’s difficult for us,” said Carmichael.

“After you put a firewall most businesses ask what does that mean; after you put in a single sign on they ask what does that mean; and after you become compliant again they ask what does that mean and how did you help business?”

The inability for IT and business to adequately communicate and understand each other’s needs is an ongoing issue facing the industry, however in this case Carmichael insists change should be in the hands of the security professionals.

“Security offers so much to business,” said Carmichael. Businesses make risk choices every day, we help business reduce risk. [However] business understands intuitively the value of security and yet you’ll find most security staff don’t have a good business relationship.”

It’s not because securitisation isn’t providing incredible value, because it does. The issue is that they are not providing the right messaging when they communicate their success and effectiveness, he explained.

A prolonged focus on the dark-side of security is also a cause for concern. “Ninety percent of presentations in security start with, the world is not a good place; bad things are going to happen; you’re going to lose your money; you’re going to lose your identity, as well as your corporate reputation.”

If you take a look at that methodology it is not a positive solution space, he said. “We have to get beyond that and change our processes and methodology and our underlying philosophy to succeed. If we continue in the path that we’re in we’re going to be adversarial with business.”