Symantec CEO Says 'Time Is Now' For Policy Change

Change often comes with growing pains. But for businesses and governments, changing security policy to one that's information-centric and holistic is absolutely essential in a security environment that is riddled with sophisticated and evolving threats, said John Thompson, CEO of Symantec during his keynote speech in front thousands of security professionals during the RSA Conference 2008 at San Francisco's Moscone Center Tuesday.

"If ever there was a cry for a change in public policy, the time would be now," said Thompson. "I am glad that policy makers are realizing how important protecting consumers' personal information is, but what we really need is a federal law that will set one, high standard to protect consumers regardless of where they liveand to make doing business easier across the entire United States."

In the present security environment, Thompson asserted, it's all about data and protecting its loss.

"The front lines have in fact shifted," said Thompson. "The battleground for security no longer revolves around the infrastructure. It now revolves around information -- which is unquestionably our most important asset."

And no doubt, the threats that potentially expose that data are more stealthy and malicious than ever before, he emphasized. The number of exposed records tripled in 2007, he cited. Thompson also said that 75 percent of corporate intellectual property is accessible either directly or indirectly via e-mail. Meanwhile, companies that suffer a data breach will ultimately pay just under $200 per record, according to a recent study from the Ponemon Institution.

"In the past, our reaction would have been simple: build higher and stronger walls. But today, you can't do that and have a successful business. Decision making depends on access to information," he said.

In the future, techniques like whitelisting will be critical, identity management will grow in importance and digital rights managment will start to become a reality, said Thompson.

Emphasizing his point, Thompson invited Stephen Trilling, Symantec vice president of Shared Technologies and Security Response, to the stage to discuss the company's newly-released State of Security Report. Amid trading jokes with Thompson, Trilling said that loss or theft of a laptop or mobile device accounts for the majority of data breaches. Trilling also said that nearly 70 percent of malicious code is information-stealing. And Symantec researchers now believe that more software programs, about 65 percent, create malicious threats.

Consequently, businesses will be forced to adopt information-centric solutions, and find ways to prioritize that data to prevent the most sensitive information from being leaked or stolen.

"Information-centric security is about taking a risk-based approach to protecting confidential information," said Thompson. "It's about balancing risk and opportunity. It's about protecting data at rest, data in motion and data in use."

But it won't be easy. For businesses to rethink their security strategy, executives up and down the executive suite will have to set rules for storage-tiering, archiving and encryption, Thompson said. And they'll have to align these policies across the company.

"If policies are the strategies we use to secure and manage information, then technologies are the tactics used to implement and enforce them," said Thompson.

Indeed, businesses will need to enforce those policies with technologies such as encryption, data loss prevention and a range of backup solutions.

"But it's not good enough. We need to take it to the next level," he said. That new level will entail implementing holistic solutions that includes content awareness. It also means applying capabilities to the mobile environment, and doing more around the concept of intelligent archiving.

"I know this won't be easy—change like this never is," he said. "But it's time to start making decisions about how to realign our organizations around this new goal." "It's a challenge all of us must tackle in order for our businesses to thrive, to become more agile and high-performing, and to realize the full promise of the connected world."