When the auditors come around

Art Coviello, CEO, RSA

Q. Considering the number of data exposures we've seen, such as TJX, where are companies making the biggest mistakes in protecting customers' personal data?

A. I am a history buff, and the data breach problem brings to mind a quote from one of Thomas Jefferson's diplomats at the time when the Barbary pirates were attacking our shipping in the Mediterranean and extorting money. He said, "Millions for defense and not one cent in tribute!" Today, it seems to be "millions upon embarrassment, but not one cent for defense." Of course, that's not entirely fair: businesses are spending a lot on their security investments, but where many are falling down is by failing to look at it in a logical, holistic fashion. Too many organizations simply apply point-products to point-problems and are spending without thinking about their overall security and management infrastructure.

Data breaches can occur anywhere that data lives, moves or rests — within the endpoint, the network, applications, databases, files, the storage fabric, and so on. Then you have multiple regulations of increasing scope and complexity. And, of course, there's the human element that should never be ignored! We're talking mostly about innocent or unwitting insiders who make critical mistakes. This alone accounts for the majority of data breaches we have seen. So, with no single reason why mistakes are made, and no single location for sensitive data, there is no single answer.

Gene Hodges, CEO, Websense

Q. What are the emerging threats about which CSOs and their bosses should be most worried this year?

A. CSOs should be most concerned about the threats to their organizations' essential information.

Web 2.0 technology definitely opens the door up to potential data theft. Let's face it: people are visiting sites like MySpace, Facebook, as well as other Web 2.0 sites, at work — potentially putting the organization at risk. Infection is the least of the worries from these threats. The goal of most malware we see today is to steal information for financial gain. Web 2.0 threats are growing in popularity as corporate employees use collaborative technologies, such as wikis and networking sites, at work. The Websense Security Labs have seen an increase in these types of attacks most recently with an attack on MySpace in which malware spread virally through users' "friends" lists.

The other threats that should definitely be addressed are attacks that use blended malware from multiple threat vectors, such as email and the web, to exploit vulnerabilities.

John Thompson, CEO, Symantec

Q. What is in store for Symantec and its customers this year after all the acquisitions/product evolution the company has made these last two years?

A. Security and storage management solutions continue to be top priorities for our customers. In addition, businesses will increasingly require solutions that address regulatory compliance, virtualization, and enterprise management, including archiving and data loss prevention.

Q. What are the emerging threats about which CSOs and their bosses should be most worried this year?

A. Today's threat landscape is arguably more dynamic than ever. As security measures are developed and implemented to protect the computers of end-users and organizations, attackers are rapidly adapting new techniques and strategies to circumvent them. Attackers are consolidating diverse attack methods to create global networks that support coordinated malicious activity. Because a single threat can now impact an entire organization, it is imperative that all groups that provide enterprise network protection within an organization — from desktop protection to server and network operations, anti-virus groups and anti-spam teams — work more closely together and share information.

Q. Considering the number of data exposures we've seen, such as TJX, where are companies making the biggest mistakes in protecting customers' personal data?

A. The recent information security breaches in the U.K. and in the U.S. point to failures in the development and implementation of appropriate security policies. These incidents validate our view that a security strategy must be policy-driven, information-centric, and operationalized across a well-managed infrastructure.

Thomas Noonan, GM, IBM Internet Security Systems

Q. IBM seems to be taking steps to help smaller businesses. Is this happening on the security front too? Why are SMEs a target for such a large player?

A. For the past year, IBM's X-Force security research and development team has been following a pronounced trend where cybercriminals are shifting attacks away from primarily large enterprises and increasingly focusing them instead on SMEs. The reason for this is simple: larger enterprises are more difficult targets because they've deployed strong defenses. SMEs typically do not have the staff or financial resources to deploy strong defenses, so they are a much easier mark for the bad guys. But the risks to SMEs are the same as they are for large enterprises: loss of revenue, legal liability, compliance violations, loss of customer confidence and, ultimately, brand damage.

IBM is focusing on the SME market because it is drastically under-served by the security industry. And the way to effectively serve the SME market segment is through a mixture of first-rate products and outsourced services, so SMEs can benefit from the same technologies protecting large enterprises, at a fraction of the cost and personnel requirements. IBM is also working with telecommunications carriers to help them deliver a new class of "in the cloud" security services. These services will turn security into a de facto utility, where SMEs simply "turn it on" and they are protected.

Scott Charney, Corp. VP, Trustworthy Computing at Microsoft Corp.

Q. Let's face it — Microsoft is ubiquitous. What can its customers expect this year in the way of the company's continuing efforts to strengthen information security for its products and customers?

A. Every time Microsoft ships a product, I think we improve information security for our customers. Our commitment to the Security Development Lifecycle (SDL) and our constant focus on building defense-in-depth into our products and services ensure each release is better than the last. Not perfect, but better. We continue to be laser-focused on doing the fundamentals right, investing in new security technologies (innovation), providing prescriptive guidance to customers, and working with partners in the public and private sectors to build a more secure computing ecosystem. This year we will focus on end-to-end trust and address the importance of authentication and audit. Our end goal is to make sure our customers have trust in PC computing, whether they are at home, in the office or using a mobile device.

Q. What's your silver-bullet solution — a blue-sky security tool that CISOs and executive leaders would buy up to solve their most pressing security issue?

A. Unfortunately, there is no silver bullet for security. To reduce your risk, there are some basic steps we think most people are or should be taking. In addition to having a documented information security program as described above, users should deploy the latest technology as it tends to be more secure, configure that technology carefully to balance functionality and security, stay current with security updates, and educate users on cybercrime threats and how to avoid becoming a victim. As it is often said, security is a journey and not a destination, and handling security well requires companies to think about people, process and technology.