Symantec’s chief security officer Tim Fitzgerald was in Australia and delivered a speech titled “Defending the Defender: Can I Insure My Way Out of Trouble?” to a Cyber Risk Symposium presented by global giants, AON (insurance), DLA Piper (law) and Symantec (security).
I had a briefing with him and Ian McAdam, managing director, Pacific, to discuss the issues underpinning his speech and to delve a little into what the “chief security officer” for Symantec does.
I could not resist a gentle jibe and asked to see his handcuffs (digital or otherwise). Believe it or not, Fitzgerald is responsible for both the physical safety of all Symantec staff and resources as well as the digital safety, so yes, he employs people with handcuffs. “We just call it security,” the laconic yet affable Canadian (well, British Columbian) said.
“Our physical- and cyber-security teams used to be separate, but in 2015 we brought them together as close partners. It’s not a common business model—but we think it should be. If your security teams are operating in discrete silos, you’re not using your resources to their fullest. It won’t do you much good to have the strongest cyber security on your networks if you also have employees who hold secure doors open for strangers,” he said.
The remainder of the interview is paraphrased.
Fitzgerald has a Bachelor’s Degree from the University of Victoria (Canada) and spent five years at KPMG as an IT advisory manager working on securing medical records. He joined Symantec in 2010 and was appointed CSO in 2012. He also leads Symantec’s Customer One programme, which captures Symantec’s experience using its security products and services.
Let’s start with cyber-insurance.
The big question is: can I insure my way out of trouble? By the time you take out insurance against cyber threats, hacks, data leaks, breaches, etc., you probably have advanced capabilities in security and incident readiness, understand the risk profile and can manage it anyway. But your premium is almost the same as someone who has basic security controls and does not understand the risk.
Why should you pay the same premium? The answer is that insurance works on “actuarial tables” that average risk over its insured base – and insurance companies seldom lose. It seems cyber-insurance is more about having an aspirin and helping with business continuity if you are hacked.
There are huge security challenges coming from cloud, mobility, IoT, data and identity management.
Threats are increasing both in frequency and duration. A large business attacked once in 2015 is now likely to be attacked three more times. Symantec discovered more than 430 million new unique pieces of malware in 2015, up 36% YoY. The human element is playing a major part, especially thefts of hard intellectual property.
Fitzgerald’s message was more about what a good security programme should look like and how cyber insurers need to understand that one size does not fit all. But even if all the tech was in place, there still needs to be regular review and analysis of risks.
We switched to the human element of security.
Security is not just a technical issue – sure, you can add more tech, but Verizon’s DBIR shows the human factor, whether intentional or not, is involved in almost every data breach. It is the soft target, from giving up logins and passwords to mistakenly clicking on malware links in highly socially engineered spear-phishing campaigns.
The environment changes daily and frankly tech cannot keep up with the bad guys. They fire a thousand arrows and IT has to stop every one – but some will get through. Layers of tech help, but they are not the total answer.
With the complexity comes even more chance of human error. And humans being humans will circumvent business processes that are onerous.
Fitzgerald says that we need to plan to fail, but we need to learn from that – plan to reduce failures through training and cultural shift. You have to ingrain it via repetition and testing, and drive this down to all levels, including the family.
We spoke briefly of Symantec’s activities in Australian schools (iTWire article here) and its support of Symantec Ambassadors including Jarryd Hayne and author Tara Moss who target the security message to school children and women.
You have to create a security culture from the kids to the adults that helps employers to trust them – and employers want to do that instead of locking down everything. At Symantec, our education and culture programs have led to a 500% increase in reporting issues and a corresponding decrease in human errors.
We went back to good, old-fashioned cybercrime. Are the bad guys winning?
Some companies are doing better, but it is still a case of the bad guys being better organised and sharing data. Attempts by corporates and governments to share threat data are very embryonic and not nearly as successful. There are too many issues to solve immediately.
- Some companies simply are not capable of responding – they don’t know if they have been hit or not.
- There is no common “language” to help us share.
- There needs to be a safe, “non-attribution” mechanism to share – trust is a valuable and fragile commodity.
- And sharing should not be run by AV companies – they should contribute and be equal members.
- On the flip side, Government is not a good steward either and can lead to trust issues. The government can, however, mandate that such sharing happens.
Symantec, as the world’s largest security company, is happy to help. With our recent acquisition of Blue Coat, we now cover so much more, like web and network-borne threats.
As we wound up the interview, I asked for some key points.
- It is still too easy to breach security. You don’t have to be super sophisticated to get into a company and use cyber-crime tools as a service.
- Cloud is one of the biggest challenges, but it will be solved.
- We want to trust employees – the human factor – but that takes proactive education programs and changes in attitudes.
- Social media is a new attack vector, as is highly sophisticated social engineering.
- Every business is likely to suffer a data breach at some point, so you need to prepare to respond quickly and effectively to limit the damage, and you practice that response all the time. So when the real deal happens, you’re ready.
- Businesses that are hacked need to stop blaming the bogeyman and saying “It was a highly sophisticated attack – well beyond anything we could have predicted or protected against” – that’s plain rubbish. Mea culpa – get over it and fix the issues.
- And at the end of the day security – physical and cyber – is a serious job.
- It needs to be resourced and part of the Board discussions – it is risk management.
The two hours passed in a flash – and every bullet point above probably deserves companion articles.