Q & A With Malcolm Harkins: The Irrefutable Laws of Information Security


At Intel, Malcolm Harkins manages the risk, controls, privacy, security, and compliance activities for all of the company’s information assets. Pretty big job, eh? Well, find out what else Intel’s CISO and GM, Enterprise Capabilities thinks about when it comes to improving a business’s security posture.


Security Matters: I have read your overall mission at Intel is “to drive the adoption and continued operation of controls to mitigate information risks to acceptable business levels.” How do you accomplish this?

Malcolm Harkins: The organization accomplishes this mission through a variety of efforts that involve the deployment of technology, risk and control analysis, training and awareness across the company. The most important element, though, in executing this mission is the people within the organization who have the passion, sense of purpose and skills to make it happen.


SM: What are some of the challenges you face in performing your daily job?

MH: There are many, due to the rate of technology change, the growth and changes in the vulnerability landscape and the complexity of the various threat agents. The most significant challenge I think we face, not only at Intel but across the user base of information technology, is the misperception of risk. Sometimes people over-perceive a risk and add too many controls that can be constraining to the productive use of technology. Other times, people underestimate risk and leave themselves more vulnerable than they realize.


SECURITY MATTERS • JULY/AUGUST 2010

SM: Do you think more companies should be running their IT departments as a business?

MH: Running IT as a business has been a “buzz” expression for 15 to 20 years. I think IT organizations should do a few things like any “business” should do: 1) focus on value to the customer; 2) keep a tight rein on costs; and 3) be in control of their execution and key business processes. IT has a dual role of enabling a company, but also enabling control and compliance due to the variety of information risk, security and compliance-related items that need to be managed.


SM: Not all companies have a CISO, CIO or even an IT security expert. What advice do you have for these companies regarding improving the security of their data and networks?

MH: Focus on the data and business processes that could have the most significant impact on your company’s ability to operate and achieve its mission. Think through the dependencies upstream and downstream of those systems and determine what level of risk you are willing to accept as a company.


SM: In a recent presentation, you discussed the “irrefutable laws of information security.” Can you explain to our readers what this means?

MH: These “laws” are the reality of the world we live in today, and for me they really help simplify some of the fundamental challenges we all face. Some of them are behaviour/people-based and some are more technological, but the key message, that compromise is inevitable under any compute model, is also really meant to get to the heart of the misperception of risk. At many forums I speak at, people think they can eliminate risk by changing compute models or technology. I hear others talk about blocking things like social computing or consumerization as a way to substantially reduce risk or eliminate it. In some cases these approaches can work; in other cases they don’t. I just want people to think as objectively as possible about their risk and control decisions and not get a false sense of control. As an example, I don’t believe organizations should block social computing due to the risks. Information should be free because people want to share, and they will do that on the phone, in person by the “water cooler,” via e-mail, in IM, or posting it in a blog or on a web site. Blocking these sites and activities from your network may cause a company to feel protected, but if an employee is going to make a poor decision to share something, they will do it off network. Companies need to address the behaviour and increase the sensitivity of their employees to manage this people risk.


SM: Six, eight, 10 months down the road, what should Canadian businesses prepare themselves for when it comes to threats and vulnerabilities?

MH: Focus on the data that is most important and the business processes that can impact your business. Understand what could affect these items, think as objectively as possible about the risks, and don’t be fooled by the illusion of control or fall into the trap that the risk can be eliminated.

