Is it hard being a CISO at a security company?
In the day-to-day job as a security manager, one of the biggest challenges is managing people and making sure they don't do things they shouldn't.
However, what if you were the CISO at a major security company? Surely all your staff would be well-versed in secure practice, given the talent at hand? And surely you would never face a product dilemma if you shared a building with the product's creator?
I met with the CISO of Symantec, David Thomson, to find out what sort of challenges someone in his position faces.
Do you find people are so familiar with what you are doing that there is not a huge problem?
"We train our employees on security, use of our products, and the behaviour to keep themselves secure personally. That is a key attribute that we focus on in our company because our reputation is really key to our future and key to customer confidence, but we are one of the largest attacked companies in the world, so much of our time is spent on looking for the weakest link, and typically that is the well-meaning insider.
"Individuals are trained on what a targeted attack looks like, and we constantly update our emails to employees. If we see a wave or trend internally on our attack analysis, we alert employees; they are exposed to it, we always have our radar up."
Did the RSA incident open your eyes to what could happen to you as a security company?
"Our board of directors did ask me to take a look at our risk profile, which we do on an annual basis, but they asked us to do a fresh look at our operations, our certificate issuing authority and how we operate, and one thing that we did identify was a separation of duties.
"We made sure that infrastructure has the best of our technology, but we are also reviewing our procedures so that we have extreme due diligence to those that access those infrastructures. One thing that you have to be cautious of is that we have third parties that assist Symantec, and we require the same level of diligence with those providers as we do with our own employees, so that is the extra work that is required at Symantec.
"It is a cultural assimilation that has to occur, you have to indoctrinate the employees that come on board through an acquisition; our customers look to us with confidence, and that is a thing we focus on."
When talking about security issues, do people usually understand what you are telling them?
"There are different subsets of users in the company that are more technically savvy and security-aware, so we have to take extra steps in restricting access for certain roles that maybe are not as skilled as others. We also hold 'brown bag sessions' between security professionals and our staff, designed so that the administrator can focus on staff who are not as technical or security oriented, and they can come and learn specifics.
"They have been very valuable and we hear from employees who say that had they not attended, they would have probably done something that maybe would have been inappropriate. Our tools help too to catch something before an employee makes a mistake.
"From an IT perspective, we deploy our technologies internally in the alpha and beta stage. The advantage we have in our tools is that we are trained on them and we have full production reference for our clients internally – that is a key role we play from a support perspective. Our customers like it too as they can ask 'how did you deploy it?'. It is a critical part of our strategy and I like to be part of it."
Tech-savvy employees probably want to add patches and upgrade operating systems immediately. How far in advance do you prepare for this?
"Well we are like any other corporation whose user population is asking for more mobile devices and current technology. What we find is that Apple is no different from Microsoft in that they release a product to the marketplace and in a period of time, typically a week or two, IT needs to evaluate the product and develop the deployment methodology, and in many cases you do not get an early warning with the technology providers.
"If they download iOS5 and we have not approved it, then they could potentially be locked out of our infrastructure. So we have educated our employees so that they are not authorised to use these devices, they need to wait for an all-clear message from IT, and we work quickly to deploy it shortly after it is released. That gives us a chance to update all of our firewalls, all of our signatures, make sure all of our products and technologies work with that operating system, implement it and then employees can download it.
"As Apple gets into more corporations, that will have to change. We would need a week's notice before release, or put large corporations interested in beta in the enterprise, as it allows the big clients to be primed. But you also don't want to slow down innovation; a challenge in any tech firm is that you want to work with your companies as closely as possible and have them involved in the technology, but you also want to be quick to market and meet market demand."
Has the consumerisation of IT been a real problem for you this year?
"We were ahead of this from a company perspective in that we saw early demand from our customers, so as we reflected internally, one of the things we have done is give employees a pretty lengthy list of devices and carriers that they can select from, so there is significant choice.
"However, we do not allow personal devices on our infrastructure; it is against our policy, and that allows us to remain focused on our company assets. Long term, I would love to have any device, any time, anywhere, and we are getting closer with our technology to enable that, but fundamentally we have a position that devices should be company-owned."
Day to day, what sort of team are you working with?
"We have a team of 393 IT and security professionals in my group – that does not include the enterprise support functions. We have two major suppliers that provide services to Symantec externally, and those teams are really focused on governance of our suppliers and business requirements, information security and operations. The majority of our team is in Mountain View, California.
"We have a programme called 'the way we work', where employees who have been authorised to work from home have the technology so that they can connect through a VPN. We have data-loss prevention (DLP) on those connections, so it allows us to protect our intellectual property, protect our customer data, alert the employee that may be outside the bounds of their role and block access to classified information inside the company."
How does it work with you having software engineers in the same building?
"We do meet with our engineering staff and we build an annual deployment roadmap for our products, and if we have a new release coming of the desktop encryption, we will work with engineering to get it as soon as it is in alpha stage to deploy it. We deploy it in IT first, then we deploy it to the remainder of the organisation.
"We put the customer hat on internally; you want to be as much of a customer as possible – just because the engineer is down the hall, it doesn't mean we tap into that.
"The feedback we give is genuine from an IT information security perspective, versus an insider view, because I want our team to be a key advocate for our customers. My team is responsible for deployments also, so they can be prepared for any step that a customer might miss; we are prepared for that ahead of time."
Finally, 2011 has been such a busy year for information security news, do you think the job has become more difficult?
"Well, I tell you that more boards of directors have become aware of security and the risk associated with the loss of intellectual property, customer data, the risk to brand and shareholder value, so the conversation has shifted to a much higher level of discussion – so there is more risk management inside a company. It has made the job in many ways more difficult, but it has made the job a bit easier too as the conversation has been about 'if you highlight a risk, you get more attention to that risk'.
"We are just like any large corporation: we have people that operate our infrastructure, we have technology that we leverage and, in the end, frequent training, frequent update to our procedures – constantly reviewing our risks is the key to success."