15 Minutes with… David O’Berry

Welcome to “15 minutes with” – an occasional contribution between myself and the movers-and-shakers within McAfee’s technical community.

This week on the stand is my good friend and occasional co-presenter, David O’Berry CSSLP, CISSP-ISSAP, ISSMP, CRMP. Now a McAfee Strategic systems engineer, his previous life was 19 years in the public sector, culminating as Director of Strategic Development and IT at the South Carolina Department of Probation, Parole, and Pardon services where he gained a wealth of experience (and a long list of certifications).

David’s no part of McAfee, and intends to help McAfee customers more effectively deploy and use our wide range of solutions. I thought it would be interesting to pick his brain about the transition, as it’s quite rare for senior decision makers to join the vendor community…

So David, welcome to 15minutes with – Let’s start by introducing you to the audience – you’ve been in the public sector for a long time – what were you doing?

I worked alongside my team to create Personal Productivity Savings (PPS) defined as adding every minute we could to the end-user in the pursuit of Business Operating Efficiency (BOE). To me that meant finding ways within and outside of the organization to help things work better, to insure business processes made sense, to blow up or go around roadblocks whether they be fiscal, political, personal, or imagined, to back my team to the hilt in their pursuit of goals that benefited not only my organization but the community as a whole.

For instance, in 2001/2002 we created an IT Strategic Plan that was titled Secure Access to a Ubiquitous Computing Environment or as we called it S.A.U.C.E. People look at that now and say…well sure…but at that time it was like we were heretics. Now radical consumerization and mobilization is an assumed thing but 8 or 9 years ago it was astounding how different things were.

At times, it was like herding cats and at other times it was like being strapped to a rocket that you had to build from what you could pull together based on funding models. Myself and my team learned to not only tolerate change but over time to embrace and to then truly relish change.

Outside of my agency, I was the Security Domain Chairman for South Carolina, the Collaboration Team Lead, served on the MS-ISAC Executive Board, helped found the Trusted Computing Group’s TNC Customer Advisory Council, served as the Chairperson for the Open Group’s Improving the Digital Ecosystem Workgroup, served as the president of the Midland’s ISSA Chapter, while also steadfastly advocating for rapidly evolving customer-driven standards in both the network as well as the security space.

There are a number of other things but suffice to say without my team none of it would have been possible. They were and are like family to me and I take that very seriously.

Most importantly, I was helping to raise my 10 year old son while coaching everything I could coach for as many years as I could coach it. 😉

Why make the shift to the dark side of the commercial sector? How do you think your experience can help McAfee help our customers?

It was an incredibly difficult decision because I worried about my team, my organization, the organizations like MS-ISAC etc. that I had been so heavily involved in…the State of South Carolina where I have participated so vocally over the last two decades…but when it came down to it I thought that the opportunity to continue the work I had been doing..helping to solve the incredibly difficult problem of strengthening the digital ecosystem worldwide could form a slightly different attack angle…it was time…

You’ve been with us a few months now – I hope you still think it was the right decision, but any advice to someone in a similar position thinking of switching from a customer to a vendor role?

I absolutely believe it was still the right decision. My team at PPP is excelling led by my great friend Bill Miller. The State of SC, while I miss it, probably needed a break from me based on the current state of needed change in various areas. I still am involved, just not in the same capacity and I will always seek to assist South Carolina in becoming the amazing success I know it can be both within IT as well as in the delivery of services to citizens. New blood is never a bad thing and eventually new and old can mix to find a balance that maybe could not have been achieved if things stayed status quo.

As far as advice, don’t jump for money. Don’t jump for fame. Don’t jump for greener grass. Look deep inside you and figure out what you really want to do and where you think you can make the biggest impact. I am a big fan of long term wealth versus short-term greed.

I have always offered my assistance in any and everything without worrying about how it would positively impact me at some point. Don’t have an agenda when you are progressing in your career other than to make that difference, that impact…because in the end people can tell, your team can tell, and there is no substitute for being genuine and doing something you believe in with all your heart. At the same time, don’t let fear paralyze you about a move. Perfection is the enemy of progress and there will never be an absolutely perfect time to make a move like this one.

What was your first introduction to McAfee – any anecdote you’d like to share?

Oh wow…like maybe 1997 or 1998…I was cold called…hard sales job out of New Jersey…the number started at something like five times what I ended up at…perpetual license versus subscription..it was probably my first experience with just how much a vendor will do to earn business in certain times of the quarter/year end. Actually it probably was a keystone of my future negotiations with all of the tech companies I dealt with…so all you companies out there that I beat to death…you can thank McAfee for honing my skills early on!

I think the most interesting anecdote was that we owned all of the four “legs of the stool” or whatever they called it at that point. Gauntlet and PGP…McAfee Desktop…Magic HelpDesk…Sniffer (including the pizza boxes)…and the concept…it was there…it made so much sense…and it was so poorly executed on until David DeWalt and his group came in after the divestiture of most of those lines. I still get a kick out of thinking about the NAI/McAfee to Secure Computing to McAfee journey of like the firewall product etc. As a side not, PPP actually still uses Magic HelpDesk and it has served its purpose…it’s now BMC I think but it’s probably one of the last pieces that exist from that initial purchase…other than the endpoint.

Has McAfee ever burnt you? Did we recover gracefully/earn your respect for how we dealt with the problem?

I think any customer vendor interaction is going to have its challenges. I am fairly certain, with most reputable companies, that they never set out to burn customers but that at some point bad decisions get made that are then compounded by a lack of knowledge and communication, etc., across both the customer and vendor organization.

Very few companies can avoid that aspect because of just how decentralized and haphazard communication with customer’s has become as the spend has climbed. From the McAfee perspective, I would say my experiences have been much more positive over the last three or four years than they were the first, ninth or tenth time.

It took a while for DeWalt to get things moving in the right direction and even now there are hiccups that have to be worked through and breakdowns in communication between the end rep and the customer that take effort to manage. In the most recent years, I would say the integration of SafeBoot into McAfee ePolicy Orchestrator (ePO) and the challenges associated with it and some newer HP equipment probably stand out as one of the most intense challenges for PPP’s relationship with McAfee.

At the same time, we worked through it and McAfee provided the assistance we needed to get things squared up. Beyond that, it’s the normal things associated with all anti-malware vendors…the DAT file issue…etc. All in all, the good has far out-weighed the bad and McAfee’s people and the integrated (hopefully continuing to move to open) story have made a huge difference in why we have stuck with them versus finding a cheaper or possibly slightly better point solution on any given day.

Chasing the shinies as a CIO will get you flat killed…patience matters as long as your vision is solid and you have vendor partnerships that are true relationships that transcend a supplier/consumer model.

So David – 19 years implementing vendor products in local government – if you had to give three pieces of advice regarding vendor/customer relationships, what would they be?

Hmm…great question….

I think first of all I would say that both sides have to realize that it really is a relationship. What happens sometimes is that it turns into a demand/supply equation instead of a true relationship. Both sides have to be willing to work on things that are at times not comfortable and that may not go completely the way they want it to…in a relationship that benefits both parties that is doable. In a supply/demand equation you lose a lot of that flexibility.

Something that goes along with that is do the research on whats out there and at the same time know what business problem you are trying to solve and be able to communicate both what you know and what you need clearly. If you are more interested in what they are selling or where you guys are going for lunch and how much smoke someone is going to blow to pump you up then you lose control of what is going to be best for the organization you are working for in the end.

In the past, the hardest part was that new and shiny is sexy, so often people are down the rabbit hole with boxes piling up of new toys based on what the sales rep said than based on what they need. That can lead to a great deal of angst and miscommunication down the road, which ultimately leads to alienation of both your organization and the vendor. Getting along with the vendor is not only a good thing, but truly necessary to create that win/win relationship everyone is after. But do not let it color what you do for your organization.

That was probably more than two but as as a third, I would say…don’t give up on requiring vendors to be more open. this gives you the freedom to make the decisions that benefit your organization when you need to make them, instead of when the next sales cycle rolls around.

I have always told vendors, don’t make me depend on you executing on your business plan in order for me to execute on mine. I have seen so few companies in this industry actually execute successfully for five or even three years in a row at times. That means they have to make business decisions that may be counter to your best interest. That is fine because that is their business but your business requires you to be flexible and agile which means not depending on a single vendor or a homogeneous ecosystem.

When I first got on the soap box about this many years ago it was Microsoft and Cisco that were the prime targets of my discussions…now it’s any company that expects to prosper going forward. Many thought I was a heretic for saying this a while back, but now I think many of those same people realize this is not hate for any single company. It’s a love for innovation that I firmly believe is significantly encouraged by adherence and support of open standards both on the supply and demand side of the equation.

We often get told that local government users are not capable of handling things like passwords, or understanding the concept of security – do you think this is true? Does user education help?

At this point in my career and for the past 10+ years I actually believe in the user to be perfectly blunt. I think we have failed the user for so many years, as a profession. It is easier for us to lump them all together into some giant ignorant unwashed mass than it is for our profession to actually do an evaluation of how we failed them and how we can eventually fix the problem.

When I say we failed them I take my share of that responsibility. Early in my career, I too went down the path of the user proof concept because I was not confident that users could even care enough to learn. The technology curve kept accelerating and the education curve fell farther and farther behind. This inverse relationship is really hurting us now from a holistic security approach because whether it was too hard, or too tedious, or what…we have pushed user education way way down the charts for 20+ years.

I think the late 80’s and 90’s greatly contributed to this crippled state of existence. It was then that we began obfuscating everything behind GUIs in order to make the “user experience” more palatable as we hit critical mass with consumption of PCs. We never really asked should we…we just did because as a profession we did not really have the ability and even the knowledge to stand up and make a cogent argument for why security even mattered at that point…why the users being able to learn how to be secure mattered…instead we made it as easy as possible and now we are paying for it.

The entire foundation is flawed yet instead of knocking it down and starting over we are forced to try to go top down floor by floor to get to a root of trust that I am not even sure exists now…it if ever existed. The model has to change from absolutes to a more developed set of overlapping nets with holes of different sizes and from an avoidance mind-set to a resilience and mitigation mind-set.

The only way we can get there is through the users though…all the nastiest technology in the world will not solve this if we don’t start working together both as IT and users and enterprise to enterprise.

So David, I know standards bodies are really close to your heart and you’re an active participant in many groups – are there any standards you think could really make a difference, which you think the industry is avoiding taking on or participating in?

Oh boy…you are going to get me in trouble in my first month on the job! Hmm…I am a firm believer in open standards in general and right now a large part of my time has been spent on SCAP, Trusted Computing Group’s Trusted Network Connect, IF-MAP including how that can fit within cloud interoperability concepts etc.

I also believe that a strong standardized fully featured secure network control language has to evolve. Beyond that, in the cloud we have to look to audit and compliance standards…visibility standards…transportability…eventually interoperability…like roaming agreements from cell phone vendors…a spot market with very fast CIA-C profile matches that allow enterprises to really gain the agility required to conduct business at rapidly increasing speeds with little to no margin for error in the marketplace.

Even now I grow more frustrated by the day when I hear companies try and explain why their non-standard black box fabric is better than TRILL and therefore TRILL does not need to be supported. There are companies that have been stalwarts of standards and that have now seemingly turned hypocritical to those professed tenets, based on getting a leg up, that really harm the industry.

I think that companies that have the marketshare are always trying to protect that marketshare as a general rule, and the ecosystem as a whole does not matter to them because the next quarter has to matter. That is unfortunate and one of the areas where I do believe that if we do not get our act together as a industry we will be mandated to do so by some intense regulations.

Longer term, enterprises and governments will not care one bit why something occurred that either breached them or crippled their ability to do their jobs. They will instead care that we, as an industry, were either able to protect them or not. To me, I believe we are skating on a very thin sheet of ice right now as a profession and industry because many companies keep turning a blind-eye to what really does matter to the people they are supposed to serve…their customers.

I’ve always told companies, don’t make me have to execute on my business plan while solely depending on you to execute on yours. That’s a recipe for disaster because I have not seen a single tech vendor execute, from a customer’s perspective, for a five year period…or even a three year period…there is too much internal stuff that has to go on for that to happen and vendors different product managers seldom act as one entity even within their own company.

Bluntly, it has never seemed like a very customer friendly environment anyway.  Most of the efforts going towards assuaging concerns versus actually finding out the real issues and attacking them is at the root of the problem. What we need is a true customer driven gap analysis of standards and where and what we need going forward.

That is going to have to be in an organization that does not exist today, unless there is one out there that can take it up. In my opinion, most of the standards bodies are poisoned at this point. It’s one of the reasons I registered demandstandards.com/org/net a while back in order to start working on that type of solution…in my spare time! 😉

Finally, I have to ask about the excessive number of letters after your name – can you tell us a little about them, and perhaps your thoughts on whether security professionals should go through independent review of their skills?

Yeah, I have stopped putting a bunch of them on there at this point. It is kind of a running joke…talking about tri-fold business cards etc. I have seen some people that dwarf mine though, but you always wonder about the substance. I believe that independent review is a must. One of the ways I do that is writing questions for ISC2 for the CSSLP, CISSP, ISSAP, and ISSMP exams.

Believe me, near instant peer review of questions you write is a humbling and very educational exercise. I also never shy from a conversation as long as people are open-minded. Right now, the important of the digital ecosystem is second to none to the continued stable advance of society.

With that in mind, we allow anyone to call themselves a cyber-security expert. That is counter-intuitive. You don’t let people operate on your brain without intense rigorous review because the number of fatalities would be high. Would they be as high as if a digital event took out a hospital though? The electric grid? Yet, we continue to have incredibly subjective measures of ability in our profession.

Maybe that is all we can do right now but I will tell you I have seen enough paper tigers in my day to realize that certifications are certainly not the only measure of ability and in reality may sometimes be a counter-indicator. There has to be some hybrid though, a balance there between what you can do and what can be measured and then the certifications you achieve. We are just not there yet and bluntly may never be there.

Wow – well thank’s for your time today David – before we go, I know you’re an active speaker on security issues – any events you’d like to promote?

Hmm…I just got back from speaking on a panel at the the NSA’s 2nd Annual Trusted Computing Conference and felt that to be incredibly worthwhile. Coming up, I will be speaking at NASCIO, McAfee’s Focus, followed by the NIST Conference up in Maryland at the end of October.

I believe all of those are worthwhile for the various segments for which they are targeted. If I can answer any questions for anyone while there, either during the panels and talks or afterwards, then please do not hesitate to fire away. I love to learn and solid discourse is the single best way I have found to do that in this world.

You can find David at McAfee Focus 2011 – please drop in and say hello!

Introducing McAfee+

Identity theft protection and privacy for your digital life

Download McAfee+ Now