“Taking an Information-Centric Based Approach to Security”
IA08 Conference
June 17, 2008
FINAL – as of June 13, 2008
John W. Thompson – IA08 Keynote

Thank you for that warm welcome. It’s a pleasure to speak at the IA08 Conference and to address some of the top leaders across the UK. One of the biggest parts of my job – and my favorite part – is to spend time meeting with customers. In fact, that’s why I’m in Europe this week – to meet with some customers and hear firsthand what is on their mind.

Regardless of who I’m talking to, I hear about one essential challenge: the need to secure and manage an enormous amount of information – and, to do so in a more holistic way.

We live and work in an information-driven world. Information is the lifeblood of modern business and, increasingly, of modern life. Consequently, the amount of data you must deal with is growing exponentially every year. The average medium-to-large enterprise experiences data growth rates of 50 percent a year. That means that every two years, the amount of information many companies need to secure and manage doubles. One analyst went so far as to predict that the number of bytes of data generated by computers and other devices will soon rival the grains of sand on all of the beaches of the world. Now, that’s a powerful image.

Today, information is as distributed and mobile as your workforce. In addition to the structured data that is so important to typical business decision-making, you also need to worry about data that lives in hard-to-protect unstructured formats – email, spreadsheets, and instant messages. And as software-as-a-service continues to grow in popularity, your most sensitive data – more often than not – will be found in the “cloud.”

Securing and managing all this information is a tough, tough job. You have to contend with an increasingly complex infrastructure – more applications, more servers, and more heterogeneous environments. Not to mention a growing number of endpoints.
And you have to do this in a way that uses your resources efficiently. While many of the traditional security risks are still around today, the frontlines have shifted. The battleground for security no longer revolves around only the infrastructure. It now revolves around information – which is unquestionably our most important asset. In our new world, the risks to information are real – and growing.

[Pause]

Our most recent Internet Security Threat Report found that during the last six months of 2007 nearly 70 percent of the most common malicious code threats we received in our labs were designed to steal confidential information. These threats log keystrokes, grab passwords, take account information, and send the information from your computer to a remote attacker. And, attackers aren’t stealing this information for fun – but rather for financial gain.

They’re selling this information in what is called the “underground economy.” You can buy almost anything there – credit card numbers, bank account information and even identities. And, here’s an interesting stat for you – the identities of EU residents trade at prices 50 percent higher than American identities. That’s because of the flexibility an EU identity provides, enabling citizens to travel and conduct business throughout Europe. Attackers find real value in identities that can be used easily across borders.

[Small Pause]

Malicious code isn’t the only threat to information. Data breaches continue to be an issue for many organizations. According to the Privacy Rights Clearinghouse, the number of exposed records tripled last year. From the high-profile breaches that are splashed on the front pages to the smaller ones that we never hear about, millions of consumers are affected each year.

These breaches affect a number of sectors. During the last six months of 2007, education was the most affected sector – representing 24 percent of the data breaches worldwide.
Government followed close behind with 20 percent of the breaches. Next on the list were healthcare and financial institutions.

The number one way organizations are losing data is through theft or loss of portable devices. Together, theft of laptops and storage devices make up almost 60 percent of the data loss we saw in the last six months of last year.

Time is of the essence. We need to move quickly to protect information because right now, too many organizations across the world are leaking critical data like a rusty bucket. And it’s costing real money. According to the Ponemon Institute, the average cost per compromised record is about £47. They also put the average cost per breach at £3.2 million in legal and PR fees – and lost business.

[Pause]

If ever there was a cry for a change in public policy, the time would be now. I applaud the work that is being done in Brussels around data breach notification laws. We must continue to raise awareness of the issues and the public and private sectors must work together – to ensure that citizens across Europe – and around the world – have confidence that their personal information is protected.

Whether it’s protecting against malicious code, plugging the flow of data breaches, or protecting people’s privacy, we need to recognize that these are problems not limited to one country or even one continent. These are global problems that require the attention of governments and businesses around the world. It will take innovative technology solutions, a strong partnership between the public and private sector, and the right laws to address information assurance. That’s what this conference is all about – sharing ideas on how to help each other develop more robust strategies for protecting information – as it’s used, shared, and stored.
[Pause]

So, as the leader of a global software company, I’d like to talk a little bit about the technology aspect and give you one perspective from the private sector. In the past, our reaction would have been simple: build higher and stronger walls. But today, you can’t do that and have a successful business. Decision-making depends on access to information. So, we must rethink our approach to security.

As we think about the growth of information and the current threats to information, a few things are clear:

If the growth of malicious software continues to outpace the growth of legitimate software, techniques like whitelisting – where we identify and allow only the good stuff to come in – will become critical.

Identity management will only grow in importance. And we’ll need to expand it beyond the boundaries of an enterprise environment to include every consumer in the world.

Digital rights management will start to become a reality. And I’m not talking about music and video, but important digital content that drives your organization day in and day out.

We need to think about how to use today’s tools to set us on the right path. And, I believe this starts with a fundamental shift toward an information-centric view of security. I’m sure you’re asking, what do I mean by that?

Information-centric security is about taking a risk-based approach to protecting confidential information. With the amount of stored data growing 50 percent a year, trying to protect it all is both inefficient and costly. Instead, it’s about securing the most critical information – from source code to patient information to employee data. It’s about balancing risk and opportunity. It’s about protecting data at rest…data in motion…and data in use.

We are seeing the contours of information-centric security take shape now. It starts with you being able to answer a few simple – but important – questions. First, what sensitive information do I have?
Next, where is that sensitive information stored? And finally, how is the information being used – both on the network and at the endpoints?

Once you gain insight into how your information is being used, you can begin to set policies that help you mitigate your risks. And I’m not talking about a handbook that sits in the top drawer of everyone’s desk and is read once – if ever. These policies are the strategies that guide how your organization uses information – and secures it. They set rules for things such as storage-tiering, archiving, and encryption. For example, you might decide that your employees can copy data to a USB drive – but only if the drive is encrypted. Or you might decide that confidential information about employees can’t be sent via e-mail. The policy nuances are endless. But what is constant is that these policies must be aligned across the organization. Your information security policy needs to be consistent with how you want to run every aspect of your business – from managing HR records to patient information and customer data.

Beyond that, executive involvement is critical to fostering a culture of security. I was struck by a visit to a major New York bank recently. In the lobby was a large poster that laid out the key points of their information security policy. What a great way to make expectations clear and remind employees – each and every day – of the important role they play. And that’s what we need: a society in which the value of information – both business and personal – is understood, and in which all of us work to protect it.

[Pause]

If policies are the strategies we use to secure and manage information, then technologies are the tactics used to implement and enforce them. Traditional security solutions – antivirus software, content filtering, and anti-spam programs – remain important. But, that’s no longer enough – we need to be able to protect information wherever it is.
Doing that requires security and data management solutions to work hand-in-hand – and as part of a broader information risk management initiative.

[Small Pause]

When I look at the solutions the IT industry offers today, compared to where we were a decade ago, it’s clear that we’ve come a long way. We’ve started to recognize the business value of our information. We’ve recognized that security and data management are inextricably linked and together are the core of an information-centric approach to security. But, it’s not good enough. We need to take it to the next level. I believe that in five to 10 years we’ll get to a system that marries security and information in a more complete and holistic way. As we enable enterprises to gain knowledge of their content, knowledge of their users and knowledge of all of the devices on their network, we’ll see an enterprise rights management system emerge.

But to reach that goal, we need to do more around content awareness. Today, we have the basic building blocks in place to accurately identify confidential information on file systems, databases, and desktops. We need to extend these capabilities more deeply into the mobile environment. Today, we can see what information is being sent from a handheld device over the corporate network. But there are still gaps – someone could use their handheld device to send confidential data over their personal email account or download it onto a memory card. And you can’t see it or stop it.

Being content aware also enables us to do more around the concept of intelligent archiving. We can make smarter decisions about archiving information – whether it’s storing information that needs to be retrieved regularly on disk…encrypting highly-sensitive information, such as your personal health records, automatically…or deleting all the spam and silly jokes that don’t need to be archived at all.
In the end, this enables you to archive only the key data and save on the rapidly growing storage costs. Moving forward, advances in content awareness will be critical to enhancing information-centric security solutions. And, as I look at the future of security, the path ahead is pretty clear. What’s needed now – and in the years to come – is a broad set of policies and solutions that can enable a true information-centric approach to security. The bottom line is: you can’t secure what you don’t manage.

[Pause]

Ensuring information assurance isn’t just about layering on security solutions. We need to embed information assurance into day-to-day business and that means we all need to focus on building better software. After all, we rely on software every day for our daily operations and business processes. Software vendors have undertaken significant efforts to reduce vulnerabilities, improve resistance to attack and protect the integrity of the products they sell. These efforts are often referred to as “software assurance.” It’s a concept that is especially important for organizations like yours that are critical to public safety and national security. Your organizations require a high level of confidence that commercial software is as secure as possible, something only achieved when software is created using best practices for secure software development.

While a number of international standards and certification regimes for software assurance have been issued, I believe that a more successful way forward is through public-private collaboration. In the U.S., Symantec is a founding member of a non-profit organization called SAFECode, which stands for the Software Assurance Forum for Excellence in Code. The goal of this group is to increase trust in technology products and services by leveraging proven software assurance methods.
Groups like SAFECode provide an opportunity to share best practices in a manner that helps vendors and governments better manage risk. We’ve leveraged our involvement with SAFECode to have dialogues with many of the U.S. federal agencies like the Department of Homeland Security and Department of Defense to educate them on the best approach to ensuring the integrity of software so they can have confidence that their information is secure. We are doing the same with government here in the UK. As members of the UK Information Assurance Collaboration Group we’ve been actively working to share best practices and lessons learned around Information Assurance. I firmly believe in the notion that sharing is protecting. As we share information with each other we’ll be in a better position to protect critical infrastructure and cyberspace. There is more work to be done, but we are moving in the right direction by meeting at conferences like this.

[Pause]

As you consider how you implement changes today, you need to also look ahead – to embark on a longer-term journey that shifts the focus of security from the infrastructure or devices to the information itself. While regulations certainly have a role I believe the best approach – and the one that will be most successful – is one that is more collaborative. That is, more public-private partnerships that bring together the best ideas from government agencies, universities and business to tackle these challenges ahead of us. I know this won’t be easy – change like this never is. But ultimately, the work of protecting information is everybody’s job. It’s a challenge all of us must tackle in order for our organizations and our economies to thrive…to become more agile and high-performing…and to realize the full promise of the connected world. Working together I know we can meet this challenge.

Thank you.