Interview: Symantec’s CIO On Securing Mobile, Enterprise Data

David Thompson, executive vice president and CIO at Symantec, is responsible for internal I.T. security at the Cupertino, Calif., security software company. Baseline caught up with Thompson at Ziff Davis Media’s CIO Summit, where he shared his thoughts and suggestions on how enterprises can fortify their information systems.

Q: What is the most pressing security issue for CIOs today?

A: The unknown. That’s what scares me as a CIO—what we haven’t thought about. At Symantec, we are trying to stay ahead of the curve. I work at a security company, and I still worry about it. There are a lot of people out there creating vicious software that can really take down an enterprise.

I looked across the meeting room today and saw that 80% of the CIOs had a PDA and were checking e-mail and preparing documents. Think about the intellectual property and insider information on those devices. You’ve got to find a way to secure that information. As data proliferates and moves outside the walls of the enterprise, this presents a new challenge for CIOs.

We make sure we have security technology on those mobile devices so we have some level of protection and an ability to control that asset remotely.

Q: Speaking of mobile technologies, what tips can you offer CIOs trying to protect the fleets of laptops that business people carry everywhere?

A: We’ve heard of recent examples where individuals have taken work home, such as at the [Department of] Veterans Affairs, where the employee’s home was robbed—[millions] of veterans’ records were stolen. Those are the kind of worst nightmares that CIOs worry about.

There is a lot of technology available in the marketplace to help CIOs manage the configuration and compliance of these devices to a certain standard. This will enable them to enforce policies on the device, and also to react when a breach is identified or the asset is stolen, so they can disable the data or destroy the data, or have already protected it with encryption.

Q: Given that the security threats out there are constantly changing, can you offer any guidance to ensure optimum security at the enterprise level?

A: Most CIOs are fairly mature in their understanding of the need for layered protection of the enterprise. We have the network layer and the operating system layer, as well as security protections at the server operating system and database environment. At every area of the enterprise, you need layers of protection.

The recommendation I would give to CIOs is to not have what I call a “soft center.” Think about a piece of candy with a soft center. Once you break into the outer shell, you’re into the meat of that sweet, juicy center. Those are the assets you need to protect. You need to have not just a hard shell, and you don’t want to have a soft center, either. You need protection at every level. Plus an overall architecture to manage all of those components. But above all, avoid the soft center.

Q: What about threats to wireless technologies such as Bluetooth that many companies are using today?

A: Bluetooth, for example, is close-range and it is a secure technology. There are technologies that we deploy in our enterprise to make sure that certain settings are in place, and that each device is compliant with our security policies. That’s the role of I.T., to make sure we understand the vulnerabilities of the device, and have settings or technologies in place to protect it.

In your personal travels—at the airport, the hotel, or another company’s offices—think about all of the networks you connect to. How do you know that environment is protected? You have to operate as if you’re protected on your device to make sure it is secure, so that if you get onto a network that is not well-secured, you’re not going to be personally vulnerable, and your assets are not going to be vulnerable. The I.T. department has to take responsibility for that.

Q: Should the CIO appoint a dedicated director of I.T. security?

A: I definitely recommend that a CIO have a chief information security officer [CISO]. This is someone who is chartered with the management of information security policies, infrastructure and, in many cases, the operations.

That said, I have not talked to many folks who don’t have a security officer in place. This is usually someone under the CIO or a peer of the CIO. I’d say 90% of the CISOs I know are part of I.T. With all the risks we have in place, and all the technologies we have to work with, and all the policies we have to put in place, this is a requirement for the I.T. department today.