What Would You Do As Chief Information Security Officer?

Four CSOs share insights into what's involved in being the security guardians of their enterprises

Name: Martin Carmichael

Title: Chief security officer at McAfee

Installed base: Windows-based computers to support over 3600 employees globally, many of whom also have BlackBerries and mobile phones, not all provided by McAfee

Although McAfee is a veteran in terms of selling security products, it didn't really have a well-defined chief security officer position until Martin Carmichael joined last October.

"Before me there was a security officer who was a consultant from Deloitte & Touche," says Carmichael. "This is the first time the office is broadly defined."

Specifically, Carmichael takes on CSO responsibilities that include defining risk management and compliance reporting for McAfee as well as acting as the chief privacy officer on questions of personally identifiable data. "I report jointly to the CIO and to the board," says Carmichael.

Carmichael, who has 22 security specialists directly assigned to his security group with 160 others at McAfee working collaboratively with his division, has already organized a number of specialized teams that include security operations, compliance and business continuity.

Carmichael notes that highly technical people sometimes "don't communicate as well with businesspeople as we'd hope." By formally building bridges between the technical and business sides, Carmichael hopes to achieve the best results within an allotted budget. "I'm here to reduce risk. I fight for budget resources," says Carmichael. "I can't imagine one CSO in the world who doesn't lobby for more."

Carmichael comes to McAfee from the US wireless handset insurance provider Asurion where he was CSO, and has also held senior IT security positions at US organizations such as Wells Fargo, Los Alamos National Laboratory, Oak Ridge National Laboratory, and NATO. Carmichael fondly recalls working on one of the very first commercial firewalls at Digital Equipment.

While there are a number of useful security governance models, Carmichael says his own favourite is a security-evaluation metric called the Systems Security Engineering Capability Maturity Model, which was developed by the Defence Department and some industry partners to evaluate both practices and products.

"It's a process-based framework metric we could use at McAfee," Carmichael concluded.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
