OTTAWA – Symantec’s new CEO, Enrique Salem, used his first official Canadian appearance to urge public sector IT professionals to “operationalize” security and ensure that protecting information helps achieve organizational objectives, rather than gets in their way.
Speaking at IT World Canada’s annual GovSym conference on Tuesday, Salem recalled a conversation with a chief information security officer (CISO) of a large organization who was “bemoaning the fact that no one in the organization wanted to talk to him or include him in the important meetings.
“That’s when another of his colleagues said to him, ‘You’re really good at saying no,’” Salem told the audience, which largely consisted of CIOs and IT managers with federal, provincial and municipal organizations. “That’s the problem with a lot of security professionals. You need to enable the business, to use risk as a way of having a constructive conversation.”
Although most security professionals are focused on eliminating threats from hackers while guaranteeing maximum uptime and availability, Salem suggested that it may be necessary for the government to choose its battles. “What’s worse – a server going down or data being lost?” he asked. “The first is bad if you’re transaction-oriented, but we have to recognize that the data is more important.”
Some organizations go too far in the interests of security, according to Salem. He cited a firm in which an IT professional mandated that the auto-complete feature in Microsoft Outlook be disabled, just in case a message was inadvertently sent to the wrong person. Instead, everyone would have to manually key in e-mail addresses every time. “In the name of security, they hurt productivity,” he said. “How can that be the right answer?”
Salem noted, however, that the nature of security threats was changing, and that the level of vulnerabilities was on the increase in many public sector organizations. The Symantec president – who was appointed to his post earlier this year after being hired as the company’s eighth software developer many years ago – described malware created in the 1990s as “Warholian threats” which sought 15 minutes of fame by infecting as many people as possible. Today’s attacks, in contrast, are highly targeted. Last year Symantec had to write 1.6 million signatures into its software, more than in the past 17 years. “What will it be next year? Five million? We don’t know.”
Symantec is also focused on a reputation-based approach to security through a project code-named Quorum, which will analyze applications and assign them a rating or score based on a series of attributes. This could include software that is used by many people, such as Microsoft Word, versus a potential piece of malware that would be exposed to only a small group of people. Quorum might also look at how long the application has been in existence, he said.
This year’s GovSym theme was “people are the new perimeter,” which Salem endorsed as a key area of focus for security professionals who need to address internal as well as external threats. For Denise Ernst, director of IT security and recoverability at the Ottawa-based Canadian Payments Association, this extended to how well people work in teams to achieve a common goal — a concept that can surface in unexpected places.
“I saw the new Star Trek movie recently and it just struck me how much it was all about the people,” she said. “The reason the Federation (a Star Trek government organization) succeeded wasn’t about the rules or the documents but all the officers pulling together.”
Salem challenged Canada to show leadership in the standardization of security, including the recently developed Secure Content Automation Protocol (SCAP), and explore how it can be applied here.
GovSym wrapped up on Tuesday.