The CTO role at leading security firm McAfee is split into two separate functions. On one side there is the focus on technology strategy and how it relates to markets across the world, including feeding back to development teams. But on the other there is the need to be a public spokesperson. Raj Samani, CTO for the EMEA region at McAfee, explains the two sides to his role.
“The McAfee CIO is internally focused, whereas in my role I have a foot in both camps,” he says. “I work with the local IT teams, assisting with strategy, and am also a thought leader.”
In order to stay up to date with the latest thinking in the security space, Samani is active within the industry, writing white papers and regularly speaking at events.
“I wear various industry hats as well,” he says. “For example, I’m the founder of the CAMM [Common Assurance Maturity Model] project” – a project designed to produce a quantifiable assurance framework for third parties.
Samani asks: “How do you know the information assurance maturity of your third party and how do you know that one cloud provider is any better than any other?”
He answers his own question, stating that it is about building a controls framework that produces a quantifiable number at the end – and this is the aim of the CAMM project. “If you want to stay in a nice hotel, you choose a four or five star,” he says. “But what if you want a really good cloud provider? We don’t have a framework to help us choose.”
Metrics system
Samani adds that having an easily accessible metric will also enable simpler conversations with the board.
“You might get 30 seconds in the lift with your CEO to talk about security or cloud,” he says. “You need to be able to translate what is a complicated subject to not only executive management, but also to the public at large.”
The CAMM project describes its methodology as utilising existing standards to develop a series of control questions for providers, the answer to which will be made publicly available. From these answers, CAMM will develop a score that describes the providers’ Common Assurance Maturity level.
A white paper providing more detail on the methodology was released earlier this year, and the group is now working on a follow-up release with its partners.
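As an added illustration of what a "quantifiable number at the end" can look like, the following Python models a provider questionnaire scored into a single maturity percentage. This is not CAMM's published methodology and not the project's code: the control questions, weights, five-level scale and the rule that a weak critical control caps the overall score are all assumptions made for the example.

```python
"""Hypothetical scoring of a third-party assurance questionnaire.

Added illustration; not CAMM's published method. The control list, weights,
level scale and provider answers are all constructed for this example.
"""
from dataclasses import dataclass

# Maturity levels: 0 = not addressed ... 4 = measured and continuously improved
LEVEL_MAX = 4


@dataclass(frozen=True)
class Control:
    cid: str        # control question identifier (constructed)
    question: str
    weight: int     # relative importance (constructed)
    critical: bool  # a critical control at a low level caps the whole score


CONTROLS = [
    Control("ACC-01", "Is access to customer data restricted and reviewed?", 3, True),
    Control("CRY-01", "Is customer data encrypted at rest and in transit?", 3, True),
    Control("LOG-01", "Are security events logged and retained?", 2, False),
    Control("BCP-01", "Is there a tested business continuity plan?", 2, False),
    Control("VUL-01", "Are vulnerabilities patched on a defined schedule?", 2, False),
]


def validate(answers):
    """Every control must be answered with an integer level 0..LEVEL_MAX."""
    for c in CONTROLS:
        if c.cid not in answers:
            raise ValueError(f"missing answer for {c.cid}")
        lvl = answers[c.cid]
        if not isinstance(lvl, int) or not 0 <= lvl <= LEVEL_MAX:
            raise ValueError(f"{c.cid}: level must be an integer 0..{LEVEL_MAX}")


def maturity_score(answers):
    """Return (score_percent, cap_reason).

    The score is the weighted average of levels scaled to 0-100. If any
    critical control sits at level 0 or 1, the score is capped at what that
    control alone would give, so strong peripheral controls cannot mask a
    hole in a fundamental one.
    """
    validate(answers)
    total_w = sum(c.weight for c in CONTROLS)
    weighted = sum(c.weight * answers[c.cid] for c in CONTROLS)
    score = 100.0 * weighted / (total_w * LEVEL_MAX)
    cap = None
    for c in CONTROLS:
        if c.critical and answers[c.cid] <= 1:
            cap_value = 100.0 * answers[c.cid] / LEVEL_MAX
            if cap is None or cap_value < cap[0]:
                cap = (cap_value, c.cid)
    if cap is not None and cap[0] < score:
        return round(cap[0], 1), f"capped by critical control {cap[1]}"
    return round(score, 1), None


def rank_providers(submissions):
    """Order providers by score descending; ties broken by name."""
    scored = {name: maturity_score(ans) for name, ans in submissions.items()}
    return sorted(scored.items(), key=lambda kv: (-kv[1][0], kv[0]))


# Constructed sample answers from three fictitious providers.
SAMPLE = {
    "provider-a": {"ACC-01": 4, "CRY-01": 3, "LOG-01": 3, "BCP-01": 2, "VUL-01": 3},
    "provider-b": {"ACC-01": 1, "CRY-01": 4, "LOG-01": 4, "BCP-01": 4, "VUL-01": 4},
    "provider-c": {"ACC-01": 2, "CRY-01": 2, "LOG-01": 2, "BCP-01": 2, "VUL-01": 2},
}

if __name__ == "__main__":
    for name, (score, note) in rank_providers(SAMPLE):
        print(f"{name}: {score}%" + (f" ({note})" if note else ""))
```

The cap rule is the point of the example: provider-b answers four of five questions at the top level yet ranks last, because its access-control answer is weak. A published score that only averaged answers would let that hole disappear into the number.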
But Samani’s interest in the cloud does not stop there. Another of his industry roles is with the Cloud Security Alliance (CSA), a role he likens to his CTO position at McAfee.
“I really believe in the cloud,” he says. “I believe it will change the way in which we do business, the way we live and how we interact with one another. My role in the CSA is much the same as a CTO role. It’s about maintaining that oversight about what we do in EMEA, helping, supporting and guiding research in the area of cloud security.”
He says his goal is to assure businesses that the cloud isn’t as inherently insecure as it’s often made out to be: “There will be some cloud providers that may or may not be [insecure], but the issue comes down to transparency.”
Samani gives the example that anyone can check whether their own business employs armed guards: you simply go downstairs and see for yourself. You cannot really do that with a cloud provider.
“Google Apps has more than 10 million customers, but it won’t give you the right to audit its service,” he says.
The answer is not as simple as forcing providers to allow onsite audit checks. After all, it is the very prevention of external access to a provider’s own data centre that is often cited as a security feature.
Samani wants the CSA to bridge the gap between a firm’s due diligence requirements and the requirements of the cloud service provider.
A great believer in the cloud, Samani quotes the UK’s digital champion, Martha Lane Fox, stating that we need to embrace the adoption of digital services if we want economic prosperity. He predicts a more flexible working environment for UK employees in the relatively near future.
“In 10 or 15 years, you’ll just have a connection and cloud services [rather than a set office space],” he says.
Moving back to his role at McAfee, Samani discusses the idea of vendor consolidation.
“It’s no longer sustainable to have 50 or 60 vendors, or specific point solutions in play,” he says. “The NAO [National Audit Office] released a report last year which talks specifically about consolidation and leveraging economies of scale.
“From a broad perspective we’d encourage all organisations – not just the government – to look at leveraging economies of scale.”
He explains that this is especially true in a fast-paced environment such as security, in which researchers claim to see something in the region of 150,000 unique malware samples every day.
“If you go with 40 or more vendors, that’s all you have – vendors,” he says. “What you need today is a security partner – someone to keep you protected, but also to keep you up to date with the latest changes and threats.”
Sure thing
Samani explains that his firm’s reputation hinges on its ability to protect customers: “Our ability to stay competitive rests on our ability to detect the latest threats and trends.”
However, this ability is constantly challenged by the pace of technological innovation – and not just from hackers. “Fifteen years ago, I worked at PC World, selling computers with 100Mb hard drives,” he says. “Now I have 4TB of storage at home. It makes your eyes water just how quickly things change.”
In fact, technology now changes so quickly that the old method of spending a few days analysing threats, then adding them to the firm’s anti-virus database, no longer works. Now, top security firms use the cloud to add speed and agility to their protection.
“It’s our ability to anticipate and provide solutions ahead that sets us apart,” says Samani. “We have more than 100 million customers worldwide, sharing with us the threats they see. When a number of customers identify a suspicious file, we can immediately push down protection mechanisms to ensure the majority of our customers are protected before they even see the threat.”
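The mechanism Samani describes, endpoints reporting what they see and a verdict being pushed to everyone once enough of them agree, can be sketched as a small reputation service. The Python below is an added example and is not McAfee's code or a description of its internals: the threshold of distinct customers, the one-hour window and the sample reports are all constructed for the illustration.

```python
"""Toy cloud file-reputation service, added as an illustration.

Endpoints report suspicious file hashes; once enough distinct customers have
reported the same hash within a time window, the verdict for every later
lookup flips to "block". Threshold, window and reports are constructed.
"""
from collections import defaultdict

BLOCK_THRESHOLD = 3     # distinct customers reporting before a block is pushed
WINDOW_SECONDS = 3600   # only reports from the last hour count towards it


class ReputationService:
    def __init__(self, threshold=BLOCK_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self._reports = defaultdict(dict)  # hash -> {customer_id: latest report time}
        self._blocked = set()              # hashes promoted to a global block
        self.pushes = []                   # (time, hash) of each push, for audit

    def report(self, customer_id, sha256, now):
        """Record a suspicious-file report and return the verdict now in force."""
        self._reports[sha256][customer_id] = now
        if sha256 not in self._blocked and self._distinct_recent(sha256, now) >= self.threshold:
            self._blocked.add(sha256)
            self.pushes.append((now, sha256))
        return self.lookup(sha256)

    def lookup(self, sha256):
        """Verdict any customer receives for this hash, whether or not it reported."""
        return "block" if sha256 in self._blocked else "allow"

    def _distinct_recent(self, sha256, now):
        # One vote per customer: repeated reports from the same customer do not
        # add up, and reports older than the window no longer count.
        return sum(1 for t in self._reports[sha256].values() if now - t <= self.window)


def replay(service, reports):
    """Feed (time, customer, hash) reports in order; return the verdict after each."""
    return [service.report(customer, sha256, t) for t, customer, sha256 in reports]


# Constructed sample: a placeholder hash and six reports over a few hours.
H = "sha256:" + "ab" * 32
SAMPLE_REPORTS = [
    (0,    "cust-1", H),
    (60,   "cust-1", H),   # repeat from the same customer: still one vote
    (120,  "cust-2", H),   # two distinct customers, below threshold
    (5000, "cust-3", H),   # earlier reports have aged out of the window
    (5100, "cust-4", H),   # two within the window
    (5200, "cust-5", H),   # third distinct customer: block is pushed
]

if __name__ == "__main__":
    svc = ReputationService()
    for (t, customer, _), verdict in zip(SAMPLE_REPORTS, replay(svc, SAMPLE_REPORTS)):
        print(f"t={t:>5} {customer}: {verdict}")
    print("pushes:", svc.pushes)
```

Two design choices carry the security weight here: counting distinct customers rather than raw reports, so a single noisy or malicious endpoint cannot trigger a global block on its own, and keeping an audit trail of what was pushed and when, so a bad push can be traced and reversed.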
Today, cyber criminals are increasingly targeting mobile platforms, as devices such as Apple’s iPhone and iPad, or those running on Google’s Android operating system, see greater enterprise penetration.
Samani explains that criminals follow the valuable data. “Cyber criminals will go after devices that have the largest proliferation, and where they have the greatest chance of success,” he says. “If lots of people use a specific device or operating system, that’s what criminals will target – they choose the path of least resistance.
“You need to identify the risks, then determine how much risk you’re willing to tolerate and implement controls to manage that.”
He says this affects all organisations, and there is no such thing as being too small to be a target: “One CIO told me, ‘We’re so small we’re not even a target.’ I said, it’s not a question of if you’re going to be a target – your data is leaving your network right now.”
Criminal minds
Cyber criminals are not just targeting financial details, but also personal details. Any information about us is of value and can be sold – our shopping preferences and even social networking data.
“There is an underground economy in trading social networking profiles,” says Samani. “It’s not just about credit card numbers any more – personal information itself has value.”
Another way in which cyber criminals have moved in is by embracing the outsourcing model seen more commonly in legitimate businesses. “The term of the year has to be ‘crimeware as a service’. There are criminals performing illegal technology attacks to order,” says Samani.
“It started in 2005 with [Microsoft security patch] MS05-039. The patch was released and within hours the Zotob worm was out. This is malware that was written to order.”
He also cites Stuxnet as a further evolution in the security landscape, one that showed even supposedly closed systems – those that are not connected to the internet – can be vulnerable.
He concludes by explaining how security becomes more critical as more data goes online. As utility companies install more smart meters and pump out more information, further opportunities for cyber criminals will arise.
“It’s now about the way we live, operate and consume services in the public and private sectors,” he says.