The man with one of the most demanding roles in technology
McAfee’s president Michael DeCesare deals with the fast-changing landscape of cyber security threats on a daily basis
Michael DeCesare, president, McAfee. photographs: eric luke
When you operate the world’s largest computer security company, the scale of the challenge you face is daunting: “It’s asymmetrical warfare – we have to protect every single spot where somebody can get access, and the bad guys only have to find one way in.”
So says Michael DeCesare, president of McAfee security and thus one of the key figures in the global computer security business. “You have to understand what the technical threat landscape is like these days. It’s very very different than it was even five years ago.”
Facing that changing landscape and adapting to new cyber-threats, and fast-changing business opportunities, means DeCesare’s is one of the most demanding roles in the technology business.
With his sharp suit and serious demeanour, he’s a far cry from the company’s founder, the notorious John McAfee who fled Belize last year after being accused of murder. DeCesare is the very opposite of a wild-eyed eccentric and indeed, despite the Italian name, DeCesare looks positively Irish, with pale skin and thinning red hair – he happily divulges the fact that his mother’s family is Irish.
“The security industry is very interesting – it’s incredibly fractured. We’re the big guys and we have about a 10 per cent market share,” he says. “What makes it unique to be in security is that it’s not really us against Symantec or anybody else, it’s all of us collectively against the adversaries.”
In cyber-security parlance, an adversary is any person or entity that poses a risk to your assets. But in the cyber-security business, the adversary is much more nebulous – the changing nature of our computer usage.
There was a time, not so long ago, when computer security meant protecting your PC from viruses, trojans and protecting yourself from online scammers and phishing attacks. It was a Windows-centric world, and the security risks meant every PC-owner was basically obliged to purchase anti-virus software. The biggest vendor of such software was McAfee, and it was an extremely lucrative side to the computer security business – the company grew big enough to be purchased for $7.68 billion by Intel in 2010.
But as DeCesare points out, the computing industry is changing fast, and just as Intel is showing vulnerabilities as the post-PC era means dwindling demand for its silicon chips as customers move to tablets and mobile devices, so McAfee must reposition itself as a broader-reaching security company.
DeCesare, it seems, relishes the new challenge. “Most of what you do on a smartphone is cloud-based. When you look at Intel, there’s a very similar paradigm between Intel and McAfee. It’s true that Intel doesn’t have as big a footprint on mobile and tablets as they do in the PC world, but they’ve got equally as big a footprint in the data centres. And the data centres translates to cloud-based computing. And it’s the same thing for McAfee.
“A lot of what we’re doing to ‘stay relevant’ in this is we’re going after the cloud providers. We’re making sure we engineer our products into those cloud fabrics from the day we are started. Certainly we have mobile products and such, but it doesn’t matter as much to us if you have anti-virus downloaded to this device as it matters that the applications that you’re using on this device are secured by McAfee on the back-end, because that’s where all the breaches happen.”
By reaching into the cloud, McAfee is expanding its existing network-security technologies, with less priority placed on its client-based antivirus software offerings.
“I have a very strong belief that we’ll be sitting here in three to five years and there won’t be the concept of any applications that run on premise anymore,” he says. “If you believe in the paradigm that eventually most of what you do on a daily basis will be cloud-based, then it doesn’t necessarily become as much about security that sits on devices as it does ‘Is the applications that I’m going in the cloud secure’?”
That move to the cloud, however, is not unrelated to a dramatic change in the public’s online risk perception – in a post-Snowden world, the feeling is that while our data might possibly be susceptible to the threat of unscrupulous hackers, it most certainly is susceptible to the threat of unscrupulous government agencies.
“This constant move to being more online in your life means that eventually virtually every minute that you spend awake you are going to be online,” he says. “That’s where the line on privacy gets drawn. Nobody wants to feel that all their information is being used in a way that is malicious behind the scenes. There’s a term out there that I’ve always latched on to, if you’re not being sold something, you’re the product being sold. For the purposes of security, the utilisation of private information is a good thing, as long as it is contained strictly for the purposes of making sure the devices that you’re trusting us to guard, stay guarded.”
DeCesare points to the sophistication of their encryption processes, and feels that the privacy standards that arise in the next few years will revolve around end-to-end encryption of private information.
A major misgiving reserved for computer security firms, however, is the suspicion that their business model revolves around amplifying potential risks in order to increase demand for their products. It’s a balance that DeCesare is all too aware of.
“As a security company, when a big and high-profile attack happens, it’s typically good for business. But there’s a natural distrust of the motives – the Y2K incident was a good example of that. But I think unfortunately in the cyberworld, it’s quite the opposite. You almost can’t pick up a paper these days and not see some major breach that’s out there. The reality is that as millions and then billions of systems go online, there’s going to be examples where there are high-profile breaches.”
Given the scale of the fallout from the hacking of the Loyaltybuild database in Co Clare, DeCesare’s example is all too apposite.
In DeCesare’s view, however, computer security isn’t restricted to protecting the data on your devices – it also encompasses the whole range of activity that now occurs online. Earlier this month, he visited Dublin to launch an online awareness scheme for children and teenagers, involving an outreach programme that aims to teach more than 10,000 children in schools across Ireland in 2014, and raise awareness about the risks they face through a “Digital Disconnect” study of Irish children’s online behaviour.
“The survey makes you realise that a huge percentage of children go places online their parents don’t know about,” he says. “It shouldn’t be surprising to anybody. All of our kids these days have grown up never understanding any world except the world with the internet. They really are digital natives. Everything they do is connected in an amazing way. Our position is that you have to train youth in order to be safe online. The same way you train them to ride a bike, or when you let them have a car. You do the best you can and then you send them out into the world, and it’s the same thing in the digital world.”
The campaign to educate Irish children is borne out of McAfee’s Irish operations in Cork. “When you look at our Cork operation, I think it’s 350 currently with plans to grow up to about 500 in the next year or so. Having been acquired by Intel, we’re part of what is one of the larger employers in Ireland overall. We’ve got a huge desire to grow operations in Ireland, because Intel is so committed to Ireland. And Cork is a pretty fantastic place, it’s a very easy labour market to get multilingual people, that’s very important for us.”
It seems the need to keep an ever-connected, computer-dependent world safe from adversaries will mean good news for Cork, at least. And DeCesare is optimistic amid the warnings of the risks we face. “The sophistication of the adversaries is growing so aggressively that there needs to be changes to the security industry,” he says. “You want to encourage that connected world that we live in, but with that comes complexity from a cyber-perspective.”