Q&A: Symantec’s CISO on the source code hack

Now we have to go around and figure out who owns this data, how do you value it and how does the company value it. For instance, my database system that tells me how many chairs I have, if I'm the facilities person that is really important to me. Now you have to look at it and ask, is it really important for Symantec to know how many chairs we have? Unlikely, because developers will sit on the floor if they don't have a chair.


It is an exercise. Identify your systems, identify what is accessing them, identify your data, where it is and who owns it, categorise your data. Then you have to look at the control documents and ask what controls do I need to apply.

Symantec, like most other commercial companies, relies heavily on ISO (a security standard offering best practice recommendations) certifications. I don't think ISO is strong enough or deep enough in the technology side, or prescriptive enough, to clearly define what an individual needs to do. I believe that ISO is a good programmatic tool to use and it's gotten better, but it still doesn't get to the bit and byte level that I really feel is critical for us to protect our data.

Following pcAnywhere, and what happened to RSA with their breach last year, as well as Sony's nightmare year, have you learned anything about disclosure?

When you've had a situation, when do you put the public eye on it? The situation changes as information becomes available. So when this first thing came out, it was something completely different than what ended up happening.

Thinking back to 2006, we had completely different forensics capabilities. So what was first released was the hacker saying they had something but weren't going to say what it was. Then they said they were going to tell Symantec what it is, and they had some bogus document that looked like it came from some government and was stolen from somewhere. After a couple of days, we were able to say that was a bogus document and you're just full of crap, you just bought it from somebody.

We were accused of changing our story. Well you change your story as information becomes available, so as we got better visibility into it we were actually able to tie it back to the situation that took place. We were trying to be as transparent as we could.

With everything that has happened in the past year, including disclosures from RSA, yourself and VeriSign, as well as the undermining of the certificate authority system, should companies ensure they're being as transparent as possible about breaches?

I'll use an anecdote. Let's say a Government entity has a sensitive piece of information and it's classified and it gets put into an email and inadvertently sent out to a bunch of people who don't need to know, don't have the right clearance level. So now you've contaminated and polluted your email system.

The next thing you know, people have forwarded this information outside your .gov domain into the public domain. Say public disclosure of that information could lead to loss of life. As an entity you have to look at it, and if you look at it realistically, do I tell everybody about it? Do I say publicly how this happened, so get ready to die? Or do you say, in this situation, I'm going to make a risk-based decision?

You have to look at things and make risk-based decisions. In some instances our products protect national security, and so there is a business decision and a risk-based decision that have to be made with your customers in some instances to say how far we want to go with something.

Tom Brewster

Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.

He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.