Black Hat: Security is not the security team’s problem, says Black Hat keynote speaker Douglas Merrill

Merrill, a research scientist by training, served as CIO at Google until April 2008 when he resigned to become President of EMI Music.

The key, Merrill advised, is to “make it so that security is not the security team’s problem”. The EMI president went on to justify this contradiction. “This is something that the Google security team did very right. They made it so that they were no longer at the centre of security, and made it very easy for employees to do the right thing, and very hard for them to do the wrong thing”.

“We automated everything”, Merrill continued, speaking of his tenure at Google. “It was cheaper, it eliminated the boring parts of our jobs, and it kept people from making stupid mistakes when managing machines”.

Enabling the Google engineers to work in an environment that suits them was part of the strategy. “We wanted to enable their innovation”, Merrill said.

To enable this freedom and innovation without compromising security, Google’s team built security into the infrastructure itself. Merrill explained, “We had AV running on mail servers, not endpoints. Systems monitored traffic, and we flagged alerts. We implemented lots of things like that to protect ourselves from not knowing where the endpoint was. This way, there was no ring of fire problem”.

It’s important to involve your users in your information security requirements, Merrill insisted. “Users will attempt to secure themselves – make it their problem and they’ll be happy to help. Employees want to innovate – we need to enable them to do this”.

“Quite often, the reason people are doing it wrong [compromising security] is that they are hearing wrong. We need to teach them, and we need to do this by speaking the right languages”.

The industry, Merrill said, “don’t understand that the people singing along can help them if we allow them to”.

The wrong motivation

While IT sales are down by 5% in light of the current economic climate, IT security sales are up by 5%. Why? “Because executives are terrified of the CISO”, said Merrill. “When we [information security professionals] can’t scare the executives into writing cheques, we pull out the tactical weapon and promise a breach if the money isn’t spent to put security measures in place”.

While compliance is a main motivating factor for the IT security team, says Merrill, CEOs are “more concerned with usability”. This is strange, Merrill continued, because “It’s the CEOs that have personal criminal liability for compliance – but for some reason it’s not at the top of their list”.

“We [the information security industry] are spending too much time focussing on the wrong problem. CEOs want to spend money on monitoring internet use”, Merrill laughed.

A common misunderstanding, said Merrill, is that employees want to use various technologies and social media for personal and inappropriate use. “Actually, a lot of people want to use better technology to engage in work-related activities, but they’re being prevented by various policies”.

It’s proven, said Merrill, that companies that make the ‘best places to work’ list make more revenue. “An organisation’s goal therefore should be to create value for users and take some back as revenue”.

What makes employees happy? “Being encouraged to innovate. We need to find a way to enable people to do this”, Merrill concluded.