Like most information security professionals, Tim Mather focuses on keeping hackers out of his company's network and ensuring all systems are updated with the latest patches.
And like most of his peers in the industry, he worries about the level of sophistication of the next security attack and looks at what his team needs to do to fend off the most vicious ones.
But the difference here is that Mather works for Symantec. As chief information security officer at a company known for its antivirus products, he faces challenges particular to his role.
In an interview with CNETAsia, Mather reveals that his company gets inundated with a barrage of hacking attacks simply because of what it is. Some of these attempts have gotten "pretty close," he says.
He also talks about how he copes with these challenges, why he would never hire former hackers, and why today's many compliance regulations are getting in the way of ensuring security.
Q: What is it like being in charge of security for Symantec, a company that depends on it for a living? Mather: I have responsibilities for the security of our internal networks, all our extranets and our partner connections. Because we're a security company, we also run our security infrastructure based on our own products. My team gets heavily involved with beta testing and actual deployment of those products.
And because of who we are, we get an average of 20 to 30 solicitations, proposals or propositions--whatever you want to call it--from companies on a weekly basis asking us to buy their company, their technology and so on. After the business development people have had an initial look at it, I get called in to see if I would buy the technology as a customer. What's interesting about that is I get to see a lot of small companies, what they're working on. Many of these are very small and very new businesses. Some of them have quite cutting-edge technology.
Another component is with regard to audit compliance, specifically security. So my team is at the forefront of security, the standards, the architecture, the policies and, on a limited basis, some operational aspects of product testing and audit compliance. This includes regulatory compliance, so things like Sarbanes-Oxley fall under my responsibility from the IT side. That is a major drain of my time.
The accounting scandals at the Enrons and WorldComs gave rise to regulations such as the Sarbanes-Oxley Act (SOX). Besides Symantec, has regulatory compliance become a big focus for other companies, too, in terms of security? Mather: Absolutely. Regulatory compliance has become a huge issue. It is an enormous investment in time and resources (in terms of people), and the cost is not insignificant at all. Sarbanes-Oxley for Symantec alone is an eight-figure sum. It's an investment worth multiple millions in dollars.
The issue I have with regulations, while they're well-intended, is that you have a real proliferation of them. They've gone from being a good idea to being a distraction, to what it is now which is a diversion on security. The sheer number of them is actually weakening enterprises, many of which have to comply with multiple regulatory compliance guidelines. That's a huge burden on companies.
So what really needs to happen instead is a harmonization of those requirements...Very rarely do companies operate in a single location anymore. How many banks here in Singapore have to not only comply with the (local) monetary authority's regulations, but also have operations overseas that are subject to Basel II, SOX in the United States, and probably the European Union Privacy Directive requirements if they operate in Europe? How many different regimes are they subjected to?
Making sure that Enron, WorldCom and all of these others don't happen again is a very good thing. But there's a better way to do that.
Speaking of compliance and security policies, are there any policies at Symantec that might be different from other nonsecurity companies? Anything that's unique to your company, simply because of who you are? Mather: No, as far as scopewise, I'm sure we're very similar to other companies. As far as granularity, we're probably far tighter than other companies, because security is our business. The possibility of an incident for us is far more serious than it may be for other companies. A security breach for someone in the retail industry probably doesn't
..The same Symantec that recently purchased @Stake? The company that was touting that several of their researchers were hackers? The one that purchased the "Hacker Think Tank" called The L0pht?
In this day and age, especially in Information Security, it's impossible for someone NOT to hire hackers, or at least former hackers, in the Information Security industry. The majority of those in it generally weren't the most honest of individuals in their past.
Personally, I have run into SEVERAL Symantec employees, current and former, that have engaged in activities ranging from trading of commercial software to all-out system intrusion at some point in their life. This doesn't make them any less reputable employees.
As a matter of my own opinion, it is generally the sales staff of any organization that I worry about when it comes to ethics. Symantec is no different in that respect.