Q&A with Enrique T. Salem, president and CEO, Symantec
Q. What are the best ways organizations can address compliance and data security issues this year, given the challenging economic climate in which we all find ourselves?
A. Establishing an information-centric security strategy that is driven by policy and operationalized across a managed infrastructure creates a more agile, high performing business. It enables IT organizations to not just keep up with, but get ahead of external and internal threats, better balance risk and opportunity, lower operational costs while improving protection, and improve and prove compliance.
The first step is for organizations to get a deeper and more comprehensive understanding of their information risks. To mitigate these risks, you must understand what sensitive information you have, where is it being stored and how is it being used, both on the network and at the endpoints. Thanks to the increasing convergence of security, storage and systems management technologies this is much easier than it used to be. This information must then be protected completely, controlled automatically and managed more easily across the business.
Q. What problems or challenges is your company facing in the face of a declining economy, and how are you and your executives going to overcome these?
A. Against the backdrop of a challenging economic environment, Symantec has been able to report stronger than expected results due to the mission-critical nature of our storage, backup and security solutions. We have delivered solid top line growth which, coupled with our effective cost and expense management programs, has been instrumental in our success. Our results reflect the team's ongoing commitment to improving our execution, which positions us well in the marketplace.
Even in a tough economy, we expect that storage and security solutions will remain top priorities for most customers since securing and managing information is critical to keep their businesses moving forward. We offer a range of security, storage and system management solutions that reduce the cost and complexity of protecting information. By maintaining our focus on execution and understanding and meeting the needs of our customers, we will be ready to emerge from the downturn a stronger company.
Q. According to SC Magazine's research and many experts in the industry, the information security market may not see as difficult a time in this degraded economy as others since protection of data has become so critical to bottom lines. What are your thoughts on this?
A. Information is an organization's most valuable and vulnerable asset and unstructured information – in the form of emails, Instant Messaging (IM) or files – is here to stay. It's an inevitable result of the powerfully open, flexible and interconnected way we all work, empowering business agility and competitiveness in the global economy. The challenge is that information is now at risk everywhere. We've heard from customers that unstructured information is the root cause of a whole range of pressing security and operational challenges, as well as a major driver of rising IT storage costs.
Businesses are looking for simple and cost-effective ways to secure, manage and automate control of their unstructured information – now, and in the long term. We offer an end-to-end strategy that protects unstructured information and makes it accessible, wherever it flows or resides, while reducing storage overheads and automating high-cost workflows.
Q. Speaking of data protection, we're still seeing a great many exposures of personal and critical information, the most recent and largest being the Heartland incident. Where do companies keep making the biggest mistakes in protecting their customers' data?
A. Unfortunately, we've seen that cybercriminals are more sophisticated and driven than ever, and they operate in an increasingly profitable underground economy that makes it easy for them to not only buy and sell stolen information such as credit card data or even identities.
As companies look to protect their sensitive information, they need to take a holistic approach towards securing and managing it: one that keeps attackers out, information in and enables the smart storage and easy search of data. This means having multiple, overlapping, and mutually supportive defensive systems across endpoints, networks, and storage systems to guard against failures in any specific technology or methodology. No single information security technology alone is sufficient.
The rapidly increasing number of security breaches and data loss incidents is driving companies to implement data loss prevention (DLP) solutions as part of their overall information risk management approach. Effective data loss prevention (DLP) solutions should include a comprehensive platform that allows customers to enforce centralized policies that prevent the loss of confidential data wherever it is stored or used – across endpoint, network and storage systems.
Q. As we move through 2009, what will be the biggest threats IT security practitioners will need to be mindful of and what are the ways to best address these?
A. In 2009, we see three key trends that could impact IT security – a continued explosion of new malware variants, advanced web threats, and an uptick in threats related to social networking sites.
Data from our Global Intelligence Network shows we have reached an inflection point and there are now more malicious programs created than legitimate programs. These new and emerging threats have given rise to the need for new, complementary detection methods such as reputation-based security.
Attackers are also leveraging Web site-specific vulnerabilities which affect the custom or proprietary Web application code for a specific Web site. These vulnerabilities allow attackers to compromise specific Web sites, which can then be used as a means for launching other attacks. IT needs to look for innovative solutions to protect against these threats, such as establishing a virtual execution environment that can help to maintain security but is completely transparent to users and the web site they are interacting with.
With social networking threats, enterprise IT organizations need to be on the alert for attacks that automatically spread through these sites because today's workforce often accesses these tools using corporate resources.
Q. What about the newest technological advances that companies are taking advantage of, such as virtualized environments or cloud computing, and other newer ways to conduct business—how should they ensure they are managing their data safely and securely?
A. To fully realize the benefits of virtualization, organizations need a management framework that provides architectural flexibility and supports multiple virtualization platforms as well as physical environments. After all, you can't secure what you don't manage. Data protection environments need to detect new virtual machines and protect them in a manner that doesn't compromise performance, availability, and recovery expectations. And, data protection solutions should manage both physical and virtual environments together rather than separate point solutions for each.
Cloud computing solutions also offer businesses a variety of benefits, including ease-of-use, cost savings, and flexibility. To further ensure the safety of their data, however, organizations must consider a number of issues before implementing an online backup service. These include ensuring that the communications channel they will use is secure, advanced data encryption methods are used, data is encrypted both in flight and at rest, and data is stored in redundant data centers that the service provider has in different cities.
Q. If there's one thing security practitioners and their bosses should be mastering when safeguarding their business, what would you say it is?
A. The rapidly increasing number of security breaches and data loss incidents highlights the need to shift the focus from locking down devices and infrastructure to protecting sensitive data itself. Companies must know where their confidential data is, how it is being used, and how they can prevent its loss.
Organizations can do this by making DLP—or data loss prevention—a part of their overall information risk management strategy. Effective DLP solutions should be comprehensive and allow organizations to discover where confidential information is being stored, monitor how it is being used, protect and prevent the loss of confidential data as well and manage and enforce data security polices.
Q. Given the many acquisitions made and the evolution of various solutions offered by Symantec, what should customers expect this year from Symantec?
A. While we will continue to enhance and augment the broad set of products and services that help our customers secure and manage their information-driven world, we will focus on three key areas. The first is enterprise security, where we will leverage our market leading solutions to deliver new integrated security solutions that help customers protect their critical information. The second is next-generation data protection, which includes disk-based backup, virtualization support, continuous data protection, and de-duplication. The third is our Software-as-a-Service solutions, which we will expand to include archiving, DLP, backup, and many other services.