Share

That is according to security software vendor McAfee's own chief security officer, Martin Carmichael. "(As security managers) we're not effective in communicating the business message of security."

Carmichael added that managing risk in the enterprise should be accomplished through definitive planning, strategy and process, and not through fear-based arguments.

Carmichael, who was meeting with reporters and analysts, admits his role in McAfee gives him a "different perspective of McAfee than anyone else" in the company.

For starters, Carmichaels says he is essentially a customer of McAfee in that he uses some of the McAfee products in his day-to-day security management tasks. But even the McAfee products that he chooses usually go through the typical product evaluation prior to purchasing, even though his company actually makes the products themselves.

He admits, though, that while he uses many of McAfee's security tools, there have been instances where he had opted to use a different technology.

And that's typical among enterprise security managers, he said.

"There is no security officer in the world that is (running) one flavour of everything," said Carmichael, who is also McAfee's chief privacy officer.

Carmichael runs all aspects of McAfee's security and risk management, including physical security, which he says should be ideally integrated with information or logical security.

Integration of the two can be challenging, however, especially if you have two parties that have traditionally functioned separately in the enterprise and have differing views about each other, he said.

"IT security thinks physical security is clear-cut and defined, while the physical security people think the IT guys get all the budget," claims Carmichael.

The first thing he did at McAfee was to allow each party to get an understanding of what the other does, and then define how they can work together.

With digitisation of the enterprise, physical security is increasingly dependent on the IT infrastructure (IP-based video surveillance or biometric-based access authentication, for instance) while physical security plays a big role in compliance and policy enforcement, he explains.

"It's all about how do we mitigate risks," he argues, pointing out that while others may view security and privacy as two conflicting aspects of his role, he fails to see the contradiction.

Wearing his privacy chief hat, Carmichael said McAfee has checks and balances in place to ensure that security initiatives are not undermining privacy policies. He added that compliance requirements also make sure that the balance is there.

IDC analyst David Senf pointed out that despite the regulatory requirements enterprises are faced with, compliance is an aspect that seems to be under the radar for many firms.

Carmichael admits security vendors play a role in changing the way security and compliance is presented to the business. "It's not about, 'If you don't do this, you will die.' We have to focus on tangible arguments."