Interview: Chris Young, chief executive of McAfee

McAfee’s chief shares his views on Brexit, GDPR, encryption and his company’s new independence in an exclusive UK interview with Computer Weekly

A week after officially taking the helm of a newly independent McAfee when it was spun out of Intel six years after it was acquired, chief executive Chris Young is resolute.

“Failure is not an option in our industry. We have to move forward, so I’m not giving up,” he told Computer Weekly.

As long as there is value in data, he says attackers will go after it, but data defenders have to find a way of winning because they cannot give up.

“We have no alternative but to keep investing and keep getting better at what we are trying to do,” says Young, who points out that cyber security is a relatively new and immature board-level issue.

“Cyber security is only around 15 years old as a discipline, compared with other board-level issues like audit and finance that are backed by centuries of practice.”

As a result, Young says there are still no well-established, definitive ways for measuring success, and until these are developed and established, there is no way of knowing who is winning.

Young, on a visit to the UK and Europe, says a lot of businesses in the region are paying close attention to the General Data Protection Regulation (GDPR), what that means from a security perspective, and what they need to do differently.

Anyone who is selling security is also paying a lot of attention to GDPR because compliance is always a driver of how people think about cyber security and the purchase decisions they make. But, he says, there is still a “chunk” of the market that is “a bit behind” and not focused on it yet.

While Young agrees that GDPR will generally have a positive impact by pushing data security up the agendas of company boards, focusing attention on the topic and driving more security spending, he fears it could also have some unintended negative consequences.

“Cyber security is an overarching problem. It does not confine itself to a single domain. And inevitably in cyber security, when you focus in one place, you get attacked in another. While there is certainly the need for a greater focus on data protection, you run the risk that the focus on data might move budget and focus away from other areas where organisations may need to be paying attention to security.”

Adopting a cloud first strategy

After the GDPR, there is a lot of talk about cloud in the UK, but Young says that while there appear to be a lot of companies adopting a “cloud first strategy”, only a small percentage of the market is making real investments in this area and actually moving workloads into the cloud.

On the question of Brexit, Young admits he has not been getting many “definitive” responses about what Brexit could mean for McAfee’s business, but he says because it is a global company he does not expect Brexit to have much of an impact at all.

“One UK banking customer told me they had made a lot of the structural changes that will allow them to keep operating [post-Brexit] largely the way they are already operating.

“There has certainly been no panic and most organisations are taking it in their stride. They are neither sceptical nor optimistic, but just looking to see what changes they can make now that won’t impact business operations but put them in a better position for the future.”

In terms of attack types, Young says the UK is facing basically the same things as the US and other countries, but that the geo-political landscape is constantly shifting.

“I don’t think you can ever take your eye off the ball in terms of being vigilant about any unique geo-political items that might affect the threat landscape. For example, as the UK adopts new ways of currency management – as we see bitcoin taking off – I am sure it will be different in the UK than it will be in the US and even parts of continental Europe, and that may or may not offer up opportunities in terms of how attackers go about attacking the UK market.”

Getting ahead of changes in the market

Asked about the UK’s controversial Investigatory Powers Act that seeks to give law enforcement and security agencies access to electronic communications, Young says McAfee always pays attention to new legislation and tries to get ahead of changes in the market.

On the question of encryption, Young says he believes that it is important. “It is a foundational element of trust in all online transactions and interactions where there is an expectation of privacy, and encryption is crucial to that.

“We all need to look for creative ways to balance the need for maintaining privacy with the need for law enforcement to be able to do their jobs.”

In this regard, he says McAfee is “in dialogue” with various governments about encryption and how the company sees encryption, as a security tool, affecting how other security tools work.

“One of the things you have to be careful of is that you don’t drive unintended consequences. You have to think about the balance between security and privacy. If you tip the scales too far in one direction, there are consequences on the other side.

“I think real transparency is important. It is a transparent approach to the problem that I think will ultimately make the biggest difference. It is not an easy subject to manage, but it is important.”

Going forward as a standalone company

Turning to the decision to spin out of Intel as a standalone business, Young – who was previously senior vice-president and general manager of the Intel Security Group – says that in the light of the changes in the cyber security market in recent years, it became clear to everyone involved that it made more sense for McAfee to pursue new market opportunities as a standalone company.

“In terms of your priorities and decisions you make, there is a big difference between having your whole company focussed on cyber security, versus being one group within a much bigger company that does a lot of things, where cyber security is just one of those things.”

This means being able to provide all 7,500 employees with a new computer with the latest version of all McAfee’s products “without having to argue with an IT organisation that supports 100,000 people about their priorities in rolling that out.”

However, Young points out that Intel has maintained a 49% stake. “They believe in the upside of this organisation and they believe there are places where we should have stronger partnership and continue to make those investments together.”

McAfee will also continue the work it has been doing with Intel such as the collaborative work with OEMs (original equipment manufacturers) and channel partners as well as collaboration on technologies such as the Secure Home Platform developed in conjunction with Intel’s Connected Home division. Another area of continued collaboration will be on security features and functions Intel is building into silicon chips.

A tradition around innovation

A key takeaway from Intel, says Young, is Intel’s strong tradition around innovation. “Intel is also very disciplined in how they approach their business, they are good at analysing markets, and they are good at making good long-term strategic bets, which are some of the positive things we’re taking with us.”

At the same time, he says McAfee leaves behind a very positive ethos around security within Intel, which is still doing a lot of foundational security throughout its product portfolio.

While there are benefits to being independent at a company level, Young firmly believes in collaboration across the cyber security industry, including with competitors. McAfee already has a track record of collaboration through integrating third parties into its ePolicy Orchestrator (ePO) security management framework, which Young regards as one of McAfee’s key value propositions.

More recently, McAfee has extended that collaboration through its data exchange layer (DXL), which the company has made open source to enable everyone in the security industry to do threat intelligence sharing in real time between and among the different point products in their infrastructure.

“In making DXL open source we have put real technology investment into the collaborative and architectural approach we are taking with security,” says Young.

He also points out that in 2016, as Intel Security, McAfee was a founder member of the Cyber Threat Alliance (CTA) along with Fortinet, Palo Alto Networks and Symantec.

Identifying challenges to intelligence sharing

In February 2017, the CTA announced the addition of Cisco and Check Point as members, the appointment of former White House cyber security co-ordinator Michael Daniel as the organisation’s first president, and the organisation’s formal incorporation as a not-for-profit entity.

In April 2017, McAfee’s latest threat report identified five key challenges to cyber threat intelligence sharing, and Young says the CTA is one way of tackling those obstacles through real investment on the ground, but says it is “early days” in threat intelligence sharing and there is certainly more to be done.

“CTA is more of a private sector oriented approach, but there is opportunity for more of a public-private partnership both nationally and internationally, and there needs to be more technology involved, which is why we open-sourced DXL because we wanted to give people an automated way of sharing threat intelligence and making it actionable.”

McAfee’s new slogan is “together is power”, and behind this, says Young, is the belief that through better-integrated technology, organisations can get to responses faster.

“A common impediment to effective cyber security is the complexity of all the tools and technologies, with the average large company having 50 to 100 different technologies in their infrastructure, and so part of what we are doing with DXL and the integration and collaboration work we are doing is to try to drive a faster, more intelligent response to cyber threats.”

The channel response to the “new McAfee” has been “very positive”, says Young. “Our channel partners are out there competing for business and they really value the pure-play McAfee cyber security brand. Being able to go to market jointly with us is valuable to them.

“They are also interested in an integrated approach because they are trying to deliver outcomes to customers, with many of them pivoting from being value-added resellers to being solutions providers, selling a combination of product and people, so they want technology providers that can give them both depth and breadth as well as integration, which makes their lives easier.”

McAfee name remains a trusted brand

Despite the potential association with controversial John McAfee, founder of McAfee Associates that was acquired by Intel, the company is confident in the brand, which was retained in the names of several products even after the acquisition and rebranding as “Intel Security”.

“We did a lot of research into this and we found that McAfee is one of the most well-known and trusted brands in cyber security, and the value of what McAfee is and what our customers want us to be far outweighs any of the noise that comes along with people who used to be involved with it,” says Young.

Looking ahead, he says the security market is growing and so McAfee will be making investments for growth, which includes investments to make the company more effective in the way it operates as well as investment in technologies through acquisitions.

Cloud is an area that McAfee is already investing in to fill out its portfolio relative to pure cloud companies, with plans to introduce a cloud access security broker (CASB) software tool in 2017 and cloud-based integrated data loss prevention (DLP) on the horizon.

“Relative to our traditional competitors, we are pretty far along – if not further in some cases on cloud than they are,” says Young. And when it comes to managed services, another area where some analysts have said McAfee lags behind its competitors, he says McAfee’s strategy is to work with partners on that.

In other efforts to align with competitors in a changing security market, McAfee has begun offering subscription options. Young says most customers still prefer to purchase products in the traditional way, but as McAfee adds more cloud-based services, it is moving more offerings to subscription-based licences and consumption-based pricing models.

“What is interesting about consumption-based pricing and even term licences is that more organisations like to say they want it than are actually willing and able to buy it that way, because while large organisations like to commit to a new direction, it usually takes time for the organisation to change, especially in the public sector and regulated industries,” he says.

Calls for a new approach to information security

In the past two years at the RSA Conference in the US, there has been a much stronger call by most of the key players for a new approach to information security across the industry than ever before. Asked if McAfee’s strategy is consistent with that push in a new direction, Young says he believes that it is.

“The work we are doing is trying to usher our customers and the industry into a different way of doing things, and automated threat intelligence sharing across the different domains of organisations’ cyber security architecture is just one example.

“In today’s world, most people don’t have a mechanism where their network appliances can signal their endpoint and their cloud and have that show up automatically in the security operations centre. That doesn’t exist. Each one of those tends to be in silos, with organisations typically collecting logs in a security operations centre to decide what to do.

“We are making investments in automation and in real threat intelligence sharing, and that is a different way of operating to what most security shops are doing today,” he says.

“This notion of an integrated ecosystem, bringing different pieces together, trying to drive more of a solutions orientation, is a real change of course – not only for industry suppliers, but also for customers in terms of how they buy, deploy and use technology.”
