CISO Warns Against Security Complacency
“Security is a journey, not a destination.”
That maxim sits at the bottom of every email sent by Patricia Titus, vice president and chief information security officer (CISO) at Symantec. It serves as a reminder to herself and others that you should never take information security for granted.
“Cyber-threats constantly change, so companies have to constantly change too,” Titus told Baseline. “For instance, there are many more politically motivated hackers these days, and that requires management to make a complete change in mindset. There’s no more business as usual.”
Titus knows what she’s talking about. Before joining Symantec, she was vice president and global CISO for Unisys, and prior to that, she was the CISO at the Transportation Security Administration within the Department of Homeland Security, where she implemented a robust IT security program. Titus also held senior security positions with the Department of Defense and the State Department.
One of the most important lessons Titus has learned from her more than 22 years of security management experience is that most organizations can’t protect all their information, so they should safeguard their essential data. “I’m a huge proponent of DLP [data loss prevention] to monitor critical data, such as intellectual property, customer information, and financial and HR systems,” she says.
“Most companies can’t afford to spend millions to protect all their data, so they should focus on their mission-critical data first and put a fence around that. Stop trying to boil the ocean. Create a data protection road map—not a technology road map, but a road map to help protect your information.”
She urges management—both technology and line-of-business management—to know where their critical information is stored, find the right security controls, implement those controls and then test the system continuously.
Education Is Key
Another essential lesson Titus has learned is the important role education plays in the security arena. She reports that Symantec has an extensive security education and awareness program.
“We bring in security professionals to speak with employees about cyber-threats and how they can protect the company from those threats,” she says. “I also let employees know that I’m an available security resource. I answer their questions and emails, and I go to other Symantec locations and talk to them about security.
“I can’t be successful as a CISO without our employees. They are my cyber-cops, the front lines in the war against cyber-threats—and I am out there with them. I’m the cultural ambassador of security to our employees, and my goal is to help them adapt to a culture of security. I want security to get into their DNA.”
Titus says security professionals also need to embrace the importance of balancing business operations and security. “There’s a fine line,” she says, between protecting corporate data and obstructing employees from doing their jobs.
BYOD—bring your own device—is a prime example of this principle. “We need to embrace mobility,” Titus says, even though it raises security concerns. She points out that as more “digital natives” join the workforce, they are going to expect—if not demand—to use the same tech tools they grew up with and use in their personal lives.
Titus believes that companies should allow BYOD, but should also implement security technologies and policies that are appropriate for each job role. For instance, financial and human resources personnel will need stricter security policies, and will need to comply with regulations such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act. For many employees, however, simply sandboxing business data from personal information on a smartphone or tablet may be enough.
“CISOs need to remember that’s it not about the endpoint,” she says, “it’s about the data. They need to focus on data-centric security and network-centric security, not just endpoint security.”
Cloud computing is another technology that’s causing headaches for CISOs, but Titus says it doesn’t have to be a major problem. “If you do your homework and negotiate your contract with the cloud provider properly, the cloud can be safe,” she says. “Go through a review process with a potential cloud provider and learn about their security protocols. Work with the provider and, if necessary, educate them about the need for top-level security.”
“Whether you’re working with your employees or a third-party company, communication is paramount,” Titus concludes. “Take what you know as a CISO and communicate it at all levels on an ongoing basis. That will protect your organization’s data and help you do your job more effectively—and that’s euphoria for security professionals.”