Security Experts:

Symantec's CISO Talks Security With SecurityWeek

Symantec Chief Information Security Officer Patricia Titus Shares Security Perspectives

There were multiple lessons to take from the leak of source code for some of Symantec's Norton and pcAnywhere products. For recently-named chief information security officer Patricia Titus, one of the main takeaways was the importance of correlating disparate pieces of information and using it to influence security policy.

Symantec Company LogoJust how disparate? In this case, the word covers everything from the economic condition of the company at the time to the sophistication of attacks, threat vectors and the motivation of the hackers.

"By doing this trend analysis," she explained, "we can start to look for patterns and trends so that we could become predictive in what could happen…(and) take that information, that threat and intelligence data, (and) correlate it into my security roadmap."

Patricia Titus from Symantec"There's been a huge change in the hacker's profile," she said. "Previously it was, 'look at me, look what I did.' Then somewhere along the line, they figured out that they could make money… I do think it's important to understand the process behind their thinking, because I think that's going to help you innovate better and come up with new capabilities to thwart the next coming attack."

That's no small task at Symantec, which sees every type of attack there is against its networks, from advanced persistent threats down to script kiddies. It has been an interesting six months for Titus, who came to Symantec in November after serving as CISO for Unisys and the U.S. Transportation Security Administration.

This week at the Symantec Vision 2012 conference in Las Vegas, Titus sat down with SecurityWeek to discuss a number of topics. Here are some of the issues we touched on:

The Role of the CISO

To Titus, the role of the CISO contains some of the same challenges regardless of what organization the person is working for. Whether it is the public or private sector, employees are both the weakest link and the frontline of defense. Employees need to be educated about the nature of the threats, so that they understand for example why they should deploy a patch and not delay it, she said.

That doesn’t mean that CISOs can always approach security the same way. At Symantec for example, the locking down desktops can hurt innovation.

“If I said no to people in the labs, and say, ‘no you can’t bring in these types of devices, we are only going to support these,’ now I am prohibiting them from innovating on the type of technology that we need to develop for consumers,” she explained. “So now I’m starting to impact business.”

“A lot of times CISOs will pick a risk tolerance level for an organization, and they don’t understand their business well enough to realize that there are different tolerance levels, and so one shoe doesn’t fit the whole bunch of kids," she continued. "So you have to figure out how to understand what your organization does – down to the business unit – and adapt your policies and your protocols appropriately.”

Third Party-Partners and the Supply Chain

Part of security requires dealing with people outside your network as well. Just recently, virtualization giant VMware found itself dealing with source code theft issues as well, in their case revolving around their ESX product. The leak is believed to be linked to a hack of China Electronics Import & Export Corporation. Managing relationships with government and third-party partners is a large issue for any corporation, Titus said, particularly with those partners and government entities that for various reasons may need snippets of proprietary code.

“(The industry is) really great about writing contracts, but we don’t necessarily go back and look if it’s being enforced,” she said. “So what is your audit and assessment process going back to those vendors who you are doing business with and doing that check and balance with them so that they don’t get lazy and that they’re keeping up their security posture. If you’re not coming and knocking on the door at least once a year…they might get lazy.”

In March, a consortium of experts known as The Open Group published a preview of standards aimed at improving the security of the global supply chain for commercial software and hardware products.

"Supply chain security is a fairly large issue for everybody – it just is," she said. “How you deal with that from a process, and a check and balance perspective inside your organization is critical to ensure the security of that supply chain.”

The Security Fight

There are some who have argued that organizations and governments spend too much of their time on the defensive, and have suggested various ways to be more proactive. However, security experts need to tread lightly when it comes to taking the offensive, she said. Because of the nature of cyberspace, it is possible to inadvertently impact innocents while attempting to strike out at attackers.

“The way people mask their attacks, I could actually nuke my own government by accident,” she said. “You have to be careful. Cyberspace is so different than physical security, than physical war and combat,” she said. “It’s a completely different zone…people are hiding in plain sight. You can’t see them.”

Related Reading: IBM Study Shows CISO Role Evolving, More Intense Than Ever

view counter