The Intel IT employee newsletter, sat down with Matthew Rosenquist, an IT information security strategist who recently reached the midway point of his 6-month rotation working with Intel PC security products team focusing on strategic planning. Intel CIO Diane Bryant is a strong advocate of such job rotations, believing it not only grows the person doing the rotation, but gives other parts of the company exposure to IT’s greatest resource—its people.
If you missed it, see Part 1 of the series.
Q. Now that you’re settled into your new job, how are things going?
Outstanding! The product groups have welcomed me into the teams and shown the upmost patience with my persistent questions. They, in turn, leverage me as a resource to provide insights of how the consumer and enterprises will view and challenge our security designs and initiatives. I provide the tough questions that the market will voice.
Q. What’s one of your key roles in the group?
I sit on the PC Strategic Planning team which ties into the very heart of our products and the bulk of Intel’s revenue. From this position, I have access to work with specific technology groups to recommend new use-cases, help refine focus to maximize benefit, and drive product roadmaps. In the planning discussions, I help build the Intel playbook with the development of relevant new security feature stratagems, identifying emerging opportunities, warning against inaccuracies of anticipated benefits, and recognizing industry nuances that may lead to unintended consequences in the future. In short, I’m doing what I do best—constructively adding to the planning conversations for a better end result.
Q. So, what have you learned so far?
I’ve been exposed to the complex world which develops and manages the process to make intricate technology changes to our products. The cooperation, focus, and deep interaction across hundreds of people are truly mind-boggling. I never knew the amount of time, resources, and effort necessary to innovate, make changes, and deliver our technology to the world. It almost seems surreal as all this feverish effort is for products that will emerge three to five years from now. Unlike IT, these groups rarely have the luxury of seeing or touching something tangible. Everything is on paper, in theory, and described in varying ways. This is all about planning for what doesn’t yet exist.
In security, we’re looking to develop meaningful capabilities and services to intersect customer and service provider needs of the future. Many volatile factors affect how security as a market will vary, including how technology evolves, the different ways people will generate and handle data, and the innovative methods attackers are sure to develop to achieve their objectives. Peering into the future is more of an intuitive art than science. Traditional tools of market analysis, partner surveys, and finance estimates are represented in pretty charts, but they’re attempting to forecast the highly chaotic security industry; therefore, potentially misleading as nobody can accurately predict the future security opportunities. In the product groups, I’ve found common sense discussions are what really drive decisions. The more knowledgeable the people in the room are, the better the outcome. I’ve learned a lot about how Intel delivers products, but I’m still looking upwards at the mountain. With every step, I learn and contribute.
Q. From your fresh perspective in IAG, have you learned anything new about IT?
After 15 years in IT, I know the great effort we place in making it easy for the other business groups to leverage us. However, now standing on the other side of the fence, I’ve seen how, in some cases, IT is still difficult to engage. Sometimes, we put our own processes and metrics ahead of what’s needed or best for our enterprise business. There are times when this is the right decision, but we must be open to those times when it’s not. Situations where the business value to our stockholders exceeds the value of alignment to established processes do occur. Breaking with practice may cause a short-term hit to IT efficiency, but may result in a much larger dividend to Intel. As a support and enablement organization, every level of IT must be aware of the big picture and ready to contribute in non-traditional ways.
On a humorous note, I’ve always believed IT had far too many acronyms. My viewpoint has now changed. Since I started in IAG, I’ve been inundated with a flood of new abbreviations and acronyms. So many, in fact, I started my own personal glossary to keep them all straight. I’ve surpassed the 350 mark with no end in sight. I add a handful more every day. I’ll never again complain about how many acronyms IT uses!
Q. So, what have they learned from you?
The planning and engineering teams are world-class experts on developing and delivering superior integrated computing technology. Designs and features involving processing speed, power efficiency, and I/O are well understood from both the supplier as well as the consumer perspectives. Intel is masterful in leading, adapting, and transforming the industry. We’ve proven brilliance in establishing our brand and selling our products. Security, however, is a new and unfamiliar beast. We’re short on organic security expertise to understand the drivers in the security industry, practical integration and operational challenges, as well as how to sell security to consumers and enterprises.
As an example, faster processors, longer battery life, new human/computer interactive modes, and social enabling technology are all sexy and consumers will pay, stand in line, and generally drool for such features. Security, on the other hand, is not sexy. Nobody waits in line for the release of the latest security product. Consumers and enterprises don’t want to pay for security; they only do so because they feel they must. So, the marketing strategy is completely different from the traditional models.
This is where IT, specifically the information security organization, can add tremendous value. Within IT, our security department is well versed in the usage challenges of security technologies, the ever-changing threat landscape, and the important role attackers play in the changing trends of what’s important. Every day, IT evaluates the value of security programs, competing technologies, services, and capabilities for internal use. This is the very data needed for our external strategic planning. Additionally, with the acquisition of McAfee, we have another world-class security organization to leverage. I bring my experience of the security industry to the planning discussion and am working to establish permanent links between the internal IT resources and the IAG development teams. I challenge the engineering-minded teams with the behavioral and usage aspects of the industry. At times, this can be an uncomfortable discussion. Engineers are wired to think about achieving functionality. As an example, engineers tasked with building a hammer will make it strong, cheap to build, ergonomic, and efficient—able to sink nails in one skillful swing. With their job done, they can rest easy in knowing carpenters will be able to use the hammer to build wonderful things with such an efficient and effective tool. Often, the security aspects are missing. Can the hammer be counterfeited, stolen, or used as a weapon to threaten others? These are important considerations in the security product space. Translating back to Intel, we don’t want our products compromised or used in malicious ways, especially when they’re designed to promote security.
Tactics to insure security considerations are understood, include the infusion of ‘Red Team’ principles—thinking how the bad guys do, profiling the most likely threat agents, and learning from historical attack methods. These exercises are used by Intel information security internally and can be equally important tools to temper the external feature design process. In spearheading these discussions, I help expand the scope of work from the ‘does the design work’ mindset to include ‘how can someone break it or leverage it to do something malicious.’
Recently, I’ve been involved with market value and competition analysis. This includes giving input on how our products will be evaluated by the security industry. In IT, we are particularly critical of outlandish claims of certain security product vendors peddling their wares to Intel, which are quickly dismissed. Our marketing claims must be realistic and accurate. They must properly reflect what we can deliver in the security space. We can’t make the same mistakes we’ve seen from others in the industry who rely on fear, uncertainty, and doubt to artificially drive short-term sales. Important checks and balances exist. Nowadays, a healthy worldwide security community takes the role of evaluating and vetting products and services as expert proxies for the customers. They quickly callout companies who overstate their products or make misleading claims and are particularly ruthless to established corporations looking to leverage the ‘security’ moniker just to sell more products. Understanding how these security experts will measure effectiveness, value, and longevity goes a long way in properly positioning our marketing message. Ethically, Intel always strives to be open, straightforward, and do the right thing. So it comes down to the accuracy in the message of what we deliver.
Q. So, what’s next?
Moving forward, I hope to land more security product pilots internally, build more cross-organizational bridges to share insights, and contribute to strategies and designs that intersect future business opportunities in the market. So far, the journey has been exciting, educational, satisfying, and frustrating. The most important measure for me, though, is when I wake up each morning—I look forward to the challenges ahead. Halfway through the rotation and I continue to enjoy every day. I can't wait to see what happens in the next few months!