Martin McKeay – a long-time security specialist and popular blogger – is next up as our Security profile. He has been in the industry for more than a decade, and moved on to StillSecure a couple of months back. He probably has one of the best jobs in the world – evangelizing about Cobia. He loves drawing attention to Cobia, and if you let him start, you end up using Cobia yourself.
Martin has his own security blog over at http://www.mckeay.net/. I have enjoyed it for quite a while, as he expresses interesting and educated views. He has maintained this blog for more than 3.5 years (June 2007). It has made him many new friends, taught him a lot, and enabled him to share his knowledge – something we all know he just loves!
Lately, he has focused mostly on the Cobia blog – a job he blogged himself into, by his own account: "Blogging has expanded my horizons, introduced me to new friends and made it possible for me to become the Cobia Product Evangelist. I love to learn and love to share it with others, which made the position a perfect fit," Martin says.
The interest
Martin found his interest in Information Security in a manner many of us will recognize:
M: I've always thought of the security implications of IT, even as desktop support. It amazed me at the time how little people thought of handing their computer over to someone who claimed they worked for the IT department, not to mention passwords on stickies.
When I took over my first network, I continued making security one of my primary concerns, and several years later when an opportunity to become an IDS administrator for a major state agency came along, I jumped at it.
Sounds like someone you know, right?
M: I got interested, and remain interested, in Information Security because of the challenge of thinking of what could go wrong and doing your best to make sure it doesn't happen or happens in a controlled manner.
I like the challenge of thinking about how someone might try to gain access to my network or business and how to stop them.
Controlling your resources
When asked about his view on the role of information security in the organization, Martin makes it clear that technology itself is only a means to enable controls.
M: Security is about controlling what happens to your resources, whether it's the computers on your network or the data on their drives. If someone else controls your resources, you're not secure, it's that simple. All the rest is in the details of how you do it.
K: How can you make yourself a secure environment?
M: If you keep in mind that security is about maintaining control over your resources, not what technology or vendor you use, you're more likely to end up with a secure solution in the end.
K: So by looking beyond technology itself, you are able to better control your business environment?
M: I used to think of security as a set of absolutes, but I've come to learn of it as a viewpoint, especially when you get to the board room. We know what the problems are, how to fix them, but sometimes we don't understand how it affects the rest of the company. So when it comes down to it, security is about doing business, and if a security measure is going to interfere with business, it's security that's going to have to change.
Business impact
Martin is making a very important point here. Security only exists in order to support business goals.
M: I think that one of the trends in security for the last few years has been the realization that security is an integral part of any business and should be treated as such. No longer are the IT and IS departments their own fiefdoms, they're now considered as part of planning from the beginning in many corporations.
This shows that we're maturing as an industry, but it also means we're more responsible for understanding the overall business rather than a small part of it.
K: Do you find security integrated in a good manner today?
M: I think the need to integrate with the rest of the business structure will continue to be a major theme this year and for the foreseeable future. We've started down the road to integration, but so far it's only a few companies that really have security involved in all projects from the ground up.
But some day this will be the standard rather than something only exceptional companies are doing.
K: What about compliance and regulations?
M: Industry and government regulations, such as HIPAA and PCI, will continue to play a major role in companies as well. The benefit of such regulations is that they give businesses a specific checklist of items they need to secure; the downside of such regulations is that many businesses only deal with the security requirements on the list and don't examine their enterprise outside of these regulations.
As an example, all of the PCI regulations are aimed at keeping credit card information secure. Which means you might be able to pass an audit but still have gaping holes in your security somewhere not covered by PCI.
New challenges or new solutions?
K: I know the readers would love to hear about how you view the security market in 2007. What are the challenges you see?
M: The biggest challenge in security is always going to be dealing with a landscape that is constantly changing. Ted Demopoulos calls it securing a moving target; Michael Dahn refers to the need for 'continuous security'.
The business is growing and changing around us, and we need to adapt as well. As much as we'd like to rest on our laurels from time to time, business is changing too quickly for that to happen.
I don't think we face too many really new challenges in IS. We have new solutions to answer the challenges with, but it's always the same problem we're trying to solve. Network Admissions Control was the big buzzword a few years ago, but the real issue was controlling the network endpoints.
New technology, but the same old problems.
A big thank you to Martin!
Read more on Martin:
The blogger is Kai Roer. He has dealt with communication and the Internet since 1994. Taking part in projects all over Europe, Mr. Roer is a renowned resource on information security, communication and security in general. As a management consultant, author and speaker, Mr. Roer has helped many a client.