Q&A: Symantec’s CISO on the source code hack

We chat with Symantec's CISO to talk about what happened during and after the source code leak saga earlier this year.

Now we have to go around and figure out who owns this data, how do you value it and how does the company value it. For instance, my database system that tells me how many chairs I have, if I'm the facilities person that is really important to me. Now you have to look at it and ask, is it really important for Symantec to know how many chairs we have? Unlikely, because developers will sit on the floor if they don't have a chair.

It is an exercise. Identify your systems, identify what is accessing them, identify your data, where it is and who owns it, categorise your data. Then you have to look at the control documents and ask what controls do I need to apply.

Symantec, like most other commercial companies, relies heavily on ISO (a security standard offering best practice recommendations) certifications. I don't think ISO is strong enough or deep enough in the technology side, or prescriptive enough, to clearly define what an individual needs to do. I believe that ISO is a good programmatic tool to use and it's gotten better, but it still doesn't get to the bit and byte level that I really feel is critical for us to protect our data.

Following the pcAnywhere incident, and what happened to RSA with their breach last year as well as Sony's nightmare year, have you learned anything about disclosure?

When you've had a situation, when do you put the public eye on it? The situation changes as information becomes available. So when this first thing came out, it was something completely different than what ended up happening.

Thinking back to 2006, we had completely different forensics capabilities. So what was first released was the hacker saying they had something but weren't going to say what it was. Then they said they were going to tell Symantec what it is and they had some bogus document that looks like it came from some Government and stole it from somewhere. After a couple of days, we were able to say that was a bogus document and you're just full of crap, you just bought it from somebody.

We were accused of changing our story. Well you change your story as information becomes available, so as we got better visibility into it we were actually able to tie it back to the situation that took place. We were trying to be as transparent as we could.

With everything that has happened in the past year, including disclosures from RSA, yourself and VeriSign, as well as the undermining of the certificate authority system, should companies ensure they're being as transparent as possible about breaches?

I'll use an anecdote. Let's say a Government entity has a sensitive piece of information and it's classified and it gets put into an email and inadvertently sent out to a bunch of people who don't need to know, don't have the right clearance level. So now you've contaminated and polluted your email system.

The next thing you know people have forwarded this information outside your .gov domain into the public domain. Say public disclosure of that information could lead to loss of life - as an entity you have to look at it and if you look at it realistically, do I tell everybody about it? Do I say publicly how this happened, so get ready to die? Or do you say in this situation, I'm going to make a risk based decision?

You have to look at things and make risk-based decisions. In some instances our products protect national security and so there is a business decision and a risk-based decision that have to be made with your customers in some instances to say how far we want to go with something.
