October 11, 2013
Last week, I and several analyst from Forrester’s Security & Risk team, including Chris McClean, John Kindervag, Tyler Shields, Heidi Shey, and Chris Sherman, attended McAfee’s annual Focus conference in Las Vegas.
I attend numerous security and IT conferences each year, most of which simply blur together into a vendor cacophony about the perils of social, cloud, and mobile device adoption or the ever present danger from devious cybercriminals and nefarious state-sponsored agents. The uniform repetition of this narrative from every vendor in the industry reminds me of the drowning din of thousands of cicadas awakening from hibernation. McAfee Focus had a different feel. And overall, compared to other conferences, it was a worthwhile trip, and not just because Chris McClean and I won at craps, but because while McAfee did pay homage to the technical security pros in the audience with the requisite discussion of the changing threat landscape and accompanying hacking demo, there was a palpable difference in their narrative, particularly in CEO Mike DeCesare’s keynote. Here are a few notable highlights from the conference:
- Business focus. During Mike DeCesare’s keynote, there was an emphasis on the role of security as a driver or accelerator, rather than inhibitor, to business agility and future business and IT innovations. I’m particularly passionate about this topic; I think security FUD has run its course and most line-of-business owners have become numb to it. The security narrative needs to change so we can offer business leaders more than impending doom and gloom. We need to demonstrate how we in security directly contribute to business outcomes like growing the business; improving margins; and acquiring, retaining, and supporting customers.
- Customer focus. There was a recognition that to be successful, McAfee needs to focus on more than just the technology, it needs to focus on customer satisfaction and experience, employee retention, in-house innovation, a healthy channel, product/service quality, and continuing efforts to build out its global scale. I’m normally not a fan of customer panels (I often find them to be too high-level and little more than tightly choreographed vendor infomercials) but I was suitably impressed by the panel I attended. The security execs from these companies genuinely viewed McAfee as partner, not just a vendor. One customer, referring to their relationship, repeated several times that “McAfee has blood in the game with us.” I’m still mulling over the underlying meaning of his choice (conscious or unconscious) to replace the word “skin” with “blood” in this oft-used phrase.
- Platform approach. Three years ago, McAfee outlined their “Security Connected” framework and reference architecture. “Security Connected” aims to ensure that their portfolio of security products (endpoints/mobile, network, advanced malware detection, SIM) have a common look, feel, and user experience and that they plug into a common data exchange layer, ePolicy Orchestrator (ePO) and Global Threat Intelligence (GTI) for information-sharing and integrated management. Partners can plug into the framework through McAfee’s Security Innovation Alliance. There are currently 200 partners in the program. This is a smart approach. Over and over again when I talk to CISOs, they’re tired of stand-alone point products and tired of managing a plethora of vendors in their environment that do nothing more than point fingers and contribute to management overhead. Most are looking to consolidate products and vendors in their environment for simplicity. Embedded security. Embedded security means many things. First, it refers to the need to embed security into IT enterprise architecture, not haphazardly bolted-on after architectural, design, and vendor selection decisions have already been made. But it also refers to the need to embed security into IP-enabled sensors and devices that will surround us in the future — everything from the next generation of smartphones to smart cars and smart grids to wearable computers. In the latter category, joint research and integration into hardware-assisted security between McAfee and its deep-pocketed parent, Intel, should be an interesting area to watch and a competitive advantage for both companies.
There are still areas that I think McAfee needs to do more in: 1) they need to do more to leverage their consumer security position in enterprise IT security, particularly as more and more companies embrace BYOD; 2) they need to have a stronger vision regarding all aspects of cloud security — security to the cloud, in the cloud, and from the cloud; 3) they need to execute on their recent acquisitions, especially Stonesoft, which could become the cornerstone of a disruptive McAfee that integrates network security into their overall product line, creating substantial efficiencies for clients; and 4) they need to explain to heads of information security and risk management how McAfee will support them as a strategic vendor, not just by integrating an array of point products, but offering management tools, managed services, and consultative guidance to help them deal with the CISO’s changing business landscape, not just changing threat landscape. But overall, I was pleasantly surprised with their narrative and the progress toward their Security Connected vision. They’ve come long way from their roots as simply an AV company.