Ex-Google CIO breaks his own security rules

Douglas Merrill talks about being CIO at Google and an exec at EMI, and how more companies need to foster innovation, letting employees use Google Calendar if they want.

Elinor Mills, Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Douglas Merrill, ex-Google CIO who recently left EMI. Elinor Mills/CNET News

LAS VEGAS--You can take the man out of Google, but you can't take Google out of the man.

While working as chief information officer and vice president of engineering at Google from 2004 to 2008, Douglas Merrill oversaw the search giant's internal IT systems. He left to be chief operating officer of new music at EMI, marrying his professional ambitions with his love of music.

At EMI, employees used Exchange Calendar, which uses a "painful remote-access methodology," he said in a keynote speech on Tuesday at the Black Hat security conference.

"I paid my admin to put appointments and contacts in my private Google Calendar," said Merrill, who left EMI earlier this year. If he were in charge of IT security, he would have had to censure himself for violating corporate policies, but he didn't care--he just wanted to access his appointments while waiting in the Hong Kong airport.

"It's just a lot easier to use," he said of the free Web-hosted calendar his former company offers.

That might be a strange message to give to a group of security professionals, but it fit with a larger theme of the importance of innovation to companies, including innovation and practices driven by users with consumer software. That's effectively a Google mantra.

"The center of innovation is consumer technologies, not enterprise," he said. "A lot of companies are doing consumer technology that is a lot better than what we have in the enterprise."

Companies should foster that innovation by allowing employees to work on their own projects. (Sound familiar? Google lets engineers work 20 percent of their time on special projects of their own design.)

Engineers also have a lot of choices at Google. "We didn't control what environments our engineers work in," said Merrill, who is writing a book due out next year titled "Organization in the Google Era."

Meanwhile, companies need to design security systems that people will use more readily and easily, and that eliminate the chances for human error.

"Humans are like rats. If you make it easy for them to get through the maze, they will," Merrill said, acknowledging that the cynical viewpoint would likely end up as the main quote in news stories. (Sorry Doug.)

One feature in particular that seems to be helping users is a link at the bottom of Gmail that provides information about the activity on their account, such as Internet Protocol addresses used to access it and when.

"Larry Page pushed us to add that feature. We all thought it was dumb, but he's writing our checks, so we did it," Merrill said.

It turns out, the feature gets a lot of users, as people realize that information can help protect them, he said.

At least one IT security manager at the show disagreed with Merrill's liberal attitude about security and the work environment.

"I'm for well thought-out projects to promote innovation," John Johnson, a senior security program manager at tractor maker John Deere, said during a chief security officer panel discussion.

But "it's not security's responsibility to go out there and say, 'Users want to use Gmail. Let them use it,'" Johnson added. "If we decide to use Gmail, we need to have a project and treat it in a formal way and pay money to do it right."