Q&A: Symantec’s CISO on the source code hack

We chat with Symantec's CISO to talk about what happened during and after the source code leak saga earlier this year.

Now we have to go around and figure out who owns this data, how do you value it and how does the company value it. For instance, my database system that tells me how many chairs I have, if I'm the facilities person that is really important to me. Now you have to look at it and ask, is it really important for Symantec to know how many chairs we have? Unlikely, because developers will sit on the floor if they don't have a chair.


It is an exercise. Identify your systems, identify what is accessing them, identify your data, where it is and who owns it, categorise your data. Then you have to look at the control documents and ask what controls do I need to apply.

Symantec, like most other commercial companies, relies heavily on ISO (a security standard offering best practice recommendations) certifications. I don't think ISO is strong enough or deep enough in the technology side, or prescriptive enough, to clearly define what an individual needs to do. I believe that ISO is a good programmatic tool to use and it's gotten better, but it still doesn't get to the bit and byte level that I really feel is critical for us to protect our data.
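As an added illustration of the inventory exercise described in the answer above (identify systems, who accesses them, what data they hold and who owns it, classify it, then derive the controls), here is a small gap-analysis script. It is example code written for this page, not Symantec's or the interviewee's tooling; the classification tiers, control names and sample assets are constructed placeholders and are not identifiers from ISO or any other standard.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed control catalogue: the controls each data classification demands.
# Control names are placeholders, not clauses from ISO or any real standard.
REQUIRED_CONTROLS: Dict[str, Set[str]] = {
    "public": set(),
    "internal": {"access-review", "backup"},
    "confidential": {"access-review", "backup", "encryption-at-rest", "mfa"},
    "restricted": {"access-review", "backup", "encryption-at-rest", "mfa",
                   "audit-logging", "source-integrity-check"},
}

# Higher number = more sensitive; used to order remediation work.
SEVERITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class Asset:
    """One system from the inventory: what it is, who owns it, who touches it."""
    name: str
    owner: Optional[str]          # None means nobody has claimed the data yet
    classification: str
    accessed_by: Set[str]
    applied_controls: Set[str] = field(default_factory=set)


def control_gaps(asset: Asset) -> Set[str]:
    """Controls the asset's classification requires that are not yet applied."""
    required = REQUIRED_CONTROLS.get(asset.classification)
    if required is None:
        raise ValueError(f"{asset.name}: unknown classification {asset.classification!r}")
    return required - asset.applied_controls


def inventory_report(assets: List[Asset]) -> Dict[str, dict]:
    """Per-asset view: missing owner, missing controls, and who is accessing it."""
    return {
        a.name: {
            "owner_missing": a.owner is None,
            "gaps": sorted(control_gaps(a)),
            "accessors": sorted(a.accessed_by),
        }
        for a in assets
    }


def prioritise(assets: List[Asset]) -> List[str]:
    """Assets that need work, most sensitive first, then by number of gaps."""
    needs_work = [a for a in assets if control_gaps(a) or a.owner is None]
    needs_work.sort(key=lambda a: (-SEVERITY[a.classification], -len(control_gaps(a)), a.name))
    return [a.name for a in needs_work]


# Constructed sample inventory (names and values are illustrative only).
SAMPLE_ASSETS: List[Asset] = [
    Asset("source-code-repo", "eng-platform", "restricted",
          {"build-server", "developers"}, {"access-review", "backup", "mfa"}),
    Asset("chair-inventory-db", "facilities", "internal",
          {"facilities-app"}, {"backup"}),
    Asset("customer-license-db", None, "confidential",
          {"licensing-portal"}, {"backup", "encryption-at-rest"}),
    Asset("marketing-site", "marketing", "public", {"anyone"}, set()),
]

if __name__ == "__main__":
    for name, row in inventory_report(SAMPLE_ASSETS).items():
        print(f"{name:22} owner_missing={row['owner_missing']!s:5} gaps={row['gaps']}")
    print("work order:", prioritise(SAMPLE_ASSETS))
```

The point of separating the catalogue from the inventory is that the "is this data important to the company?" question is answered once per classification, and every asset then inherits a concrete, checkable list of controls instead of a judgement call per system.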


Following the pcAnywhere incident, and what happened to RSA with their breach last year as well as Sony's nightmare year, have you learned anything about disclosure?


When you've had a situation, when do you put the public eye on it? The situation changes as information becomes available. So when this first thing came out, it was something completely different than what ended up happening.

Thinking back to 2006, we had completely different forensics capabilities. So what was first released was the hacker saying they had something but weren't going to say what it was. Then they said they were going to tell Symantec what it is and they had some bogus document that looks like it came from some Government and stole it from somewhere. After a couple of days, we were able to say that was a bogus document and you're just full of crap, you just bought it from somebody.

We were accused of changing our story. Well you change your story as information becomes available, so as we got better visibility into it we were actually able to tie it back to the situation that took place. We were trying to be as transparent as we could.


With everything that has happened in the past year, including disclosures from RSA, yourself and VeriSign, as well as the undermining of the certificate authority system, should companies ensure they're being as transparent as possible about breaches?

I'll use an anecdote. Let's say a Government entity has a sensitive piece of information and it's classified and it gets put into an email and inadvertently sent out to a bunch of people who don't need to know, don't have the right clearance level. So now you've contaminated and polluted your email system.

The next thing you know people have forwarded this information outside your .gov domain into the public domain. Say public disclosure of that information could lead to loss of life - as an entity you have to look at it and if you look at it realistically, do I tell everybody about it? Do I say publicly how this happened, so get ready to die? Or do you say in this situation, I'm going to make a risk-based decision?


You have to look at things and make risk-based decisions. In some instances our products protect national security and so there is a business decision and a risk-based decision that have to be made with your customers in some instances to say how far we want to go with something.
