Alex Stamos, Yahoo Security Expert, Moves to Facebook

Alex Stamos, the outspoken chief information security officer (CISO) at Yahoo, is leaving to take on a new job as chief security officer (CSO) at Facebook. The announcement of the Stamos departure was not made via a press release, but rather by way of a Facebook post.

Stamos started as CISO of Yahoo in March 2014 and made a number of noteworthy contributions. On the public-facing side, Stamos challenged National Security Agency (NSA) Director Admiral Mike Rogers about security backdoors.

From a Yahoo perspective, Stamos has been leading multiple security initiatives, including one for enabling end-to-end webmail cryptography, which is an effort that is not yet complete. It’s not clear to me if Yahoo will, in fact, have the leadership vision needed to complete that task, without Stamos at the helm.

I’ve seen Stamos speak on multiple occasions (typically at Black Hat USA), and he’s as stubborn as they come. He’s committed to his ideas and willing to stand his ground against anyone, including Yahoo CEO Marissa Mayer. There is no reason to suspect, however, that Stamos wasn’t happy at Yahoo. Rather, his move is less about Yahoo and more about impact.

At Yahoo, Stamos has had a positive impact on the millions of users that rely on Yahoo. By moving to Facebook, Stamos is taking a step up. While Yahoo has a large user population, it’s not Facebook.

“There is no company in the world that is better positioned to tackle the challenges faced not only by today’s Internet users but for the remaining two-thirds of humanity we have yet to connect,” Stamos wrote. “The Facebook security team has demonstrated a history of innovation as well as a unique willingness to share those innovations with the world, and we will build upon that history in the years to come.”

The ability to impact security at Facebook is non-trivial. At the Black Hat USA security conference in 2014, I saw Stamos speak about the concept of security paternalism. That’s his idea about how vendors should handle security on behalf of users. Stamos’ argument is that the vendors (in his case, now Facebook) know more about security than users and can take proactive steps to help users.

I strongly agree with the security paternalism concept as users shouldn’t be burdened with security paranoia. They should just be able to use the Web and feel safe and secure knowing smart security folks like Stamos are looking out for them.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.