The Law Offices of Mary N. Chaney, P.L.L.C.
The Cyber Security Law Firm of Texas

Mary's Blog

The Breach Whisperer

About Mary....

Mary N. Chaney, Esq., CISSP® is a former Special Agent for the FBI, where she investigated cybercrime; a seasoned corporate executive who built and operated information security teams; and now a cybersecurity attorney.

As a self-described “Breach Whisperer,” our firm can train your company to properly prepare for your eventual breach!

The overall goal of our firm is to use our wealth of knowledge and expertise to help support, translate and advise Boards of Directors, CIOs, CISOs and General Counsels on how to legally protect their company from cyber-related risk.

Blog Entries


 

McAfee Accuses Former Employees Of Stealing "Secret Sauce"

See Article Here

McAfee is suing three former employees, accusing them of stealing its “secret sauce” to take to their new jobs working for its competitor, Tanium. When I read the attached article, I could not help but think about the irony, because both of these vendors are in the endpoint protection space, right? So how is it that your employees were able to access your “secret sauce” without you knowing about it until after the fact?

In this case, the secret sauce was McAfee sales tactics and customer acquisition strategies, which included “pricing information, marketing plans, customer lists, deal flow, negotiating methods, personnel and other confidential and proprietary sales information.” One of the employees was accused of accessing the “Deal Tracker” after she had given her resignation, when there was “no legitimate McAfee business purpose for [her] to be accessing this confidential sales and marketing information at that time.” My question is: McAfee, if there was no legitimate business purpose for her to be accessing the information, why did she still have access to it? It’s called access control; best practices say that once an employee no longer needs access, especially to the “secret sauce,” you remove them.

As I read it, I don’t think McAfee has much of a case. Here’s what I would argue; stay with me. The whole assessment process in cyber security starts with identifying your “secret sauce” and putting a program around it to protect it. Protecting the “secret sauce” includes technical controls like DLP, which would have prevented the employees from emailing the information to themselves or downloading the information to a thumb drive as described in the article. In addition, technical controls, through access control, could have been used to prevent the employee who had given notice from accessing the “Deal Tracker” spreadsheet. The case falls apart because if it is “secret sauce,” you have to treat it like it is secret. Doesn’t look like McAfee treated the information to the level that it deserved protection, so why should the courts punish the former employees or Tanium for poor security practices? Gasp.
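
The access-control point above can be checked mechanically. The following is an added example, not taken from the article or from either company: it joins an HR notice list against entitlements and an access log to surface grants to sensitive resources that were never revoked and any use of them after notice was given. All user names, dates, resource names and the log format are constructed assumptions.

```python
from datetime import datetime

# Constructed sample data (assumption): nothing here comes from the case itself.
SENSITIVE = {"deal_tracker"}                  # resources classified as "secret sauce"
NOTICE = {"user_a": "2024-03-04"}             # user -> date resignation was given (HR feed)
ENTITLEMENTS = [("user_a", "deal_tracker"), ("user_a", "wiki"), ("user_b", "deal_tracker")]
ACCESS_LOG = [                                # "<ISO timestamp> <user> <resource> <action>"
    "2024-03-01T09:12:00 user_a deal_tracker read",
    "2024-03-05T17:40:00 user_a deal_tracker export",
    "2024-03-05T17:45:00 user_a wiki read",
    "2024-03-06T08:00:00 user_b deal_tracker read",
    "malformed line",
]

def parse(line):
    """Return (timestamp, user, resource, action), or None for an unparseable line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[3]

def stale_entitlements(entitlements, notice, sensitive):
    """Sensitive grants still held by users who have already given notice."""
    return sorted((u, r) for u, r in entitlements if u in notice and r in sensitive)

def post_notice_access(log, notice, sensitive):
    """Log events where a departing user touched a sensitive resource after notice."""
    findings = []
    for line in log:
        rec = parse(line)
        if rec is None:
            continue                          # skip lines that do not match the format
        ts, user, resource, action = rec
        if user not in notice or resource not in sensitive:
            continue
        if ts >= datetime.fromisoformat(notice[user]):
            findings.append((ts.isoformat(), user, resource, action))
    return findings

if __name__ == "__main__":
    print("Revoke:", stale_entitlements(ENTITLEMENTS, NOTICE, SENSITIVE))
    print("Review:", post_notice_access(ACCESS_LOG, NOTICE, SENSITIVE))
```

The first list is the preventive control (what to revoke on the day notice is given); the second is the detective control for anything that slipped through.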