From the 'negativity sells' files:

LAS VEGAS. Douglas Merrill former president of record label EMI has a few thoughts on what's wrong with security today. He shared those thoughts in a keynote presentation at the Black Hat security conference.

"CEO's are terrified of security and as a result they are writing more checks, Merrill said. "But the downside is they don't know what they are paying for."

Merrill argued that the problem is that we compute ROI on avoiding downside, but that's the wrong thing to do. He commented that we should make security decisions based on positive feedback and not negative.

Merrill knows what he's talking about - he used to be CIO at Google. In his view the right thing to do is to try and make sure that security is not a problem.

Instead of concentrating security knowledge in one area, it should be embedded across an enterprise.

"We have to make it so security is not a problem," Merill said. "At Google, we didn't control what environment our engineers worked it because we thought it would remove their ability to innovate. So we built security into the infrastructure and made it untrusting. We didn't have AV on the end points we had it on the mail server."

PIC: Doug Merill Credit: Sean M. Kerner