I am the difference between 'at risk' and 'at ease'

Nov 2, 2012 8:49am


The following is a guest blog from Symantec

Symantec’s Corporate Responsibility in Action blog features posts from employees and partners, highlighting the company’s commitments to their employees, the world, and your information. You can read more about their approach in the 2012 Corporate Responsibility Report.  

By Patricia Titus, Symantec's Vice President and Chief Information Security Officer.

Symantec's mission to inspire confidence in a connected world requires that we ensure both our own operations and those of our customers are safe and secure. As the leading global information security company, this is not an easy task. In our tech-based society, cyber criminals are now harder to track and companies are more vulnerable than ever. At Symantec, we see every kind of cyber attack on our operations, ranging from malicious attacks aimed at doing deep infrastructure harm to hacktivism.

As Chief Information Security Officer (CISO), it is my job to manage Symantec's global information security and ensure that we have information protection at all levels within company. What may be news to many is that I simply cannot be successful without the awareness and assistance of every single employee, partner, and third party we work with.

Specifically, employees are one of the most vulnerable entry points for cyber criminals these days. Who me? Yes you!

In all fairness, our employees are the front-line, the primary target of phishing attacks, and the primary target of social engineering. They are on the inside of the world’s largest security company and the natural targets of attack. Also they can be well-intended insiders and often don't realize that they are engaging in risky behavior. For example, there are malware attacks because people are going to suspicious websites, or attacks stemming from employees that delay downloading critical patches or antivirus updates because it caused a disruption to their workday. Additionally, well-intended insiders are often the point of entry for large-scale nation-state attacks known as Advanced Persistent Threats (or APTs). Lastly, the bring-your-own-device trend has made it harder for CISOs or CIOs to effectively track all entry points all the time.

CISOs are very effective at putting up perimeter defenses, but in truth we need our employees to be the first line of defense. That is why we've focused so heavily on cyber security training and building awareness among our employees, partners and vendors. In 2012 Symantec mandated annual security awareness training and has increased communications from the CISO Organization. But it needs to be more than just training, so we go beyond this to continually educate employees about threat vectors and how they are a part of the attack surface. But more has to be done and we need more awareness campaigns, more threat briefings and more brown bag learning sessions discussing how to identify threats, risky behaviors and ensuring employees are up to date on the latest threat trends. Organizations must tap those people willing to offer this education to fellow employees. Those of us "in the know" often assume that because we all work for the largest security company in the world we’re all security experts – unfortunately that’s not always the case.  Everyone needs to be reminded!

So what else can companies do to stay secure?

1. Be aware. Too often companies, including our clients, will take a plausible deniability stance. If we don't know about it, it can't be happening. But this mentality will only exacerbate the problem. Data has become the business, and companies rely much more heavily on technology for business operations and efficiencies. Everyone needs a strategy, and although it may seem a daunting task, a straightforward solution is to base your security strategy on a well-known framework such as ISO 27001 or the National Institute of Standards and Technology (NIST).  

As part of our strategy at Symantec, we have created a feedback loop for the CISO organization to share threat information with our product development teams and employees. As one of the largest customers of Symantec products, we have unique insight into how they are helping, and how we can make our offerings even stronger. By having open dialog with our business units we’re able to offer valuable insight from an operational information security perspective about the integration of our products and services as well as helping share the knowledge we have from daily attacks.

2. Define your risk tolerance, and manage your risk according to this. Some industries can afford to take on more risk and others can't. Decdie how much risk your business is willing to assume.

As a CISO for the last decade I have seen the information security landscape change drastically, and with it, my role. While the role of CISO was originally created to provide visibility into security threats, it has grown to be an integral part of the executive leadership team, reporting to the CEO and the board of directors and driving change in company processes and policies. Additionally, part of a company's responsibility is to ensure their employees’ and customers’ information is safe and secure. Therefore we view our cyber security strategy as an integral part of our responsibility to all stakeholders and shareholders.

The war in cyberspace is one that’s waged against us everyday, and is one in which we need to find solidarity. It’s not just Symantec – it's everyone that participates in the global economy.

For more information about Symantec's approach to information protection, cybercrime, online safety, and privacy, visit the Your Information section of the corporate responsibility website.