Foreword

Everybody with a computer should worry a little about whether hackers might break in and steal personal data. After all, software is complex and has lots of flaws—and people can be tricked by a good ruse. People are in over their heads in trying to figure out this difficult problem, and they need a good security product that works, is easy to use, and doesn’t impact the performance of their machines.

The security industry should be coming to the rescue. But in this book, John Viega shows why many people are at risk when they shouldn’t be. While the security industry points the finger at the bad guys, or even computer users, John rightfully points the finger at the security industry. There’s lots of biting criticism here that hopefully will make the industry examine itself, and lead to some positive change. It would be great to see a world where security vendors aren’t feeding hackers all the ammo they need to break in to machines (which is not condoned at McAfee), and where the industry is more cooperative in general and tries to solve the problem, not just cover up its symptoms.

This book makes me feel proud, because it shows that we did our job staying ahead of the industry during my tenure as McAfee’s CTO. When John complains about problems with antivirus systems, he is talking about problems that other people have, but that McAfee has been working to solve, with industry-leading technologies such as Artemis (http://www.mcafee.com/us/enterprise/products/artemis_technology/index.html). And while McAfee has changed the game with Artemis, I can say it is cooking up even better technologies that will go even beyond the vision of antivirus nirvana that John describes in this book. I am excited to see these technologies come to life, not just because they were incubated under my watch, but because they fundamentally change the playing field in the good guys’ favor.

Even though I recently retired from McAfee, I still believe it is doing far better than the rest of the security industry for a few core reasons. First, it is a dedicated security company. As practice, it doesn’t spread the brainpower around on other technologies, such as storage. Second, it cares about everybody who needs protection, from the consumer to the enterprise, and spends a lot of time listening closely to customers, with frequent customer councils. Third, McAfee hires the best and the brightest people in the industry. But it’s not just about collecting technical talent. Yes, it has a deep bench of experts. But McAfee actually listens to them. When you spend a lot of time listening to both the experts and the people you’re trying to protect, it’s amazing how smart you can become, and how good of a job you can do. And creating real solutions to real problems is something that I love, not just solving symptoms.

McAfee is lucky to have such a deep bench of talent, like John Viega. John has done a phenomenal job at McAfee, helping lead the charge into many emerging areas, such as web protection, data loss prevention, and Software-as-a-Service. He has also been instrumental in pushing forward the core technologies and practices, providing McAfee with even better antivirus and even better product security than it had before he first arrived.

My philosophy is to constantly strive to be better and to always try to delight the customer. By working closely with customers, not only can one understand their pain points, but one can also create a relationship with them that not only allows, but encourages, their feedback into the development cycle. Products are not developed in a vacuum. Many other vendors just rely on their smart guys and don’t talk much to customers, which creates more problems than it solves. For some companies, decision points are squarely based on dollars and company benefit. Not for me, and not for John. John always wants to do the right thing for the company and the customer.

For both John and myself, the customer comes first. We have always tried to do as much as we can to make the world a better place. For instance, we have pushed McAfee to distribute software at no cost, such as SiteAdvisor and our Stinger malware cleanup tool. Whereas some vendors profit while putting people at risk by making software vulnerabilities public, John and I have always pushed to do the right thing for every software user. While I was at McAfee, if an employee found a bug in someone else’s code, the policy was to inform the vendor, instead of the world. (We also advised vendors not to announce the issue, though often they did.) And if something did go public, we provided free information to help people figure out if they might be at risk.

John’s philosophy of doing right by the customer is spot on. I wish the entire security industry felt the same way. Maybe this book will be the kick in the pants that the rest of the industry needs.

John’s leadership has left his fingerprints on all aspects of McAfee’s products, in ways that provide invaluable benefit to customers. He is not afraid to do the right thing, even if it’s not the popular thing. And he’s not afraid to issue a “call to action” for the computer security field in general, which is what he’s done with The Myths of Security. I just hope that the rest of the field sees this book in the same light I have, and uses it as constructive criticism to build better security for everyone. Given my extensive experience in this field over the past 15 years, there are few books that I would put into this category. When I talk with people about the computer security field, I will certainly be advising them to read this book.

—Christopher Bolin

Former CTO and Executive Vice President of McAfee
