The annual RSA conference always provides a great opportunity to connect directly with our customers and hear what’s top of mind when it comes to the cyber security issues they’re facing. This year, I had the privilege of hosting a customer panel with CISOs across diverse industries. They provided excellent insights into how they are approaching cyber security in their organizations. I’d like to share their views on three key topics: advanced threats, security in the cloud, and security as a cloud service.
Our panel participants included:
- Myrna Soto
Corporate Senior Vice President & Global CISO
Comcast Corporation
- Tim Callahan
Senior Vice President, Global Security & Chief Security Officer
Aflac
- Christopher Kemble
Global Information Security Manager, Information Services
The Hershey Company
- Tim Hillyard
IT Security Director
Voya Financial
Advanced Threats
As you know, an advanced threat is a network attack in which unauthorized persons gain access to a network and stay there undetected with the intention of stealing data. Symantec sees a million new threats a day and we know that our adversaries are well-funded, incredibly talented and extremely bright.
So, it’s no surprise that our customers think about advanced threats “night and day.” Some take the realistic view that attackers will get through. Said one panelist: “That is our approach, and based on that, we have to change the way we work.” CISOs are looking for quicker detection and automating response capability to respond faster.
One of our customers has been expanding globally at a rate where its current cyber defense couldn’t keep up with demand, so they partnered with Symantec on our ATP product and commented: “ATP has been very powerful for us—we were able to quickly integrate it and have seen many positive results. Being able to work across endpoint, email and network—it correlates everything to give a prioritized view.” The panelist noted “…issues with some global locations where they were seeing threats. With ATP installed, we were very quick to react.”
Security in the Cloud
Our panelists all agree: cloud is here and it’s given each of them the opportunity (and challenge) of how to protect their data. Some are using only private cloud, which considering their industry sector and regulatory requirements, offers them more control. In one case, one of our panelists noted that “private cloud is a benefit—it gives us a chance to simplify. As we stood up our private cloud, we looked at how to streamline and set up rigid standards. Security is embedded into the stack.”
Yet another panelist is currently adopting many cloud–based capabilities and uses Symantec’s DLP for cloud. “Three years ago we didn’t know how to address it. Now we have options with proxy and access brokerage.” Another panelist remarked that going to the cloud makes planning for identity more complex. “We tie it back to our active directory. In one case we had a provider in the cloud but built out an extension of our network. That helps with protection.”
Security as a Cloud Service
Are customers interested in security as a cloud service? “It’s definitely an option,” noted one customer. Said another: “Security as a service will evolve—it’s certainly something we see. With all of the growth happening, it’s impossible not to consider these types of services. The velocity of getting these capabilities quicker is important.”
“Often times a provider does it so much better,” said a third panelist. “We’ve got a firewall application in the cloud now, use Symantec for email, had to get over the initial hurdle (which came from legal, not security) about letting data out.” Symantec is moving towards a SaaS mode that is subscription-based.
Third Party Apps
Across the board, our panelists noted that third party vendors are what keep them up at night. They had varying degrees of comfort with third parties, but all agree that security issues exist. They’d like to see a security industry scorecard on third party vendors—in fact, some already have them. Said one panelist: “We’ve built 3rd party apps into our risk assessment program, categorized by what they do—and spend lots of time examining sensitive data. That’s how we manage them.”
Closing Thoughts
Finally, regarding the topic of Cyber Insurance, our panelists loved the idea of a cyber security risk score from Symantec. One response: “Great idea. You are the endpoint for millions of customers. Your view of data is different from ours and can give us more intelligence.” That said, they advised us to approach scores with caution on their execution—legal liability has to be thought through. Symantec will definitely work closely with our customers to determine that approach.
And, I couldn’t end the session without asking our panelists their opinions on a hot topic in the media: Apple vs. the U.S. Government. Thanks to our two panelists who were brave enough to answer! Views were mixed as to who is right—Apple or the government, but all agreed that back doors to maliciously secure data should not be made available.
Partnering with our customers on our security products will continue to enable Symantec to stay ahead of tomorrow’s threats and protect critical data wherever it lives. Special thanks to our four panelists—we appreciate and value your insights!