“Taking an Information-Centric Based Approach to Security”
IA08 Conference
June 17, 2008
FINAL – as of June 13, 2008

Thank you for that warm welcome. It’s a pleasure to speak at the IA08 Conference and to
address some of the top leaders across the UK.

One of the biggest parts of my job – and my favorite part – is to spend time meeting with

In fact, that’s why I’m in Europe this week – to meet with some customers and hear
firsthand what is on their mind.

Regardless of who I’m talking to, I hear about one essential challenge: the need to secure
and manage an enormous amount of information – and, to do so in a more holistic way.

We live and work in an information-driven world. Information is the lifeblood of modern
business and, increasingly, of modern life. Consequently, the amount of data you must
deal with is growing exponentially every year.

The average medium-to-large enterprise experiences data growth rates of 50 percent a
year. That means that every two years, the amount of information many companies need
to secure and manage doubles.

One analyst went so far as to predict that the number of bytes of data generated by
computers and other devices will soon rival the grains of sand on all of the beaches of the

Now, that’s a powerful image.

Today, information is as distributed and mobile as your workforce.

In addition to the structured data that is so important to typical business decision-making,
you also need to worry about data that lives in hard-to-protect unstructured formats –
email, spreadsheets, and instant messages.

And as software-as-a-service continues to grow in popularity, your most sensitive data –
more often than not – will be found in the “cloud.”

Securing and managing all this information is a tough, tough job.

John W. Thompson – IA08 Keynote                                                            1
You have to contend with an increasingly complex infrastructure – more applications,
more servers, and more heterogeneous environments. Not to mention a growing number
of endpoints.

And you have to do this in a way that uses your resources efficiently.

While many of the traditional security risks are still around today, the frontlines have

The battleground for security no longer revolves around only the infrastructure. It now
revolves around information – which is unquestionably our most important asset.

In our new world, the risks to information are real – and growing.


Our most recent Internet Security Threat Report found that during the last six months of
2007 nearly 70 percent of the most common malicious code threats we received in our
labs were designed to steal confidential information. These threats log keystrokes, grab
passwords, take account information, and send the information from your computer to a
remote attacker.

And, attackers aren’t stealing this information for fun – but rather for financial gain.
They’re selling this information in what is called the “underground economy.”

You can buy almost anything there – credit card numbers, bank account information and
even identities.

And, here’s an interesting stat for you – the identities of EU residents trade at prices 50
percent higher than American identities. That’s because of the flexibility an EU identity
provides, enabling citizens to travel and conduct business throughout Europe. Attackers
find real value in identities that can be used easily across borders.

                                       [Small Pause]

Malicious code isn’t the only threat to information. Data breaches continue to be an issue
for many organizations. According to the Privacy Rights Clearinghouse, the number of
exposed records tripled last year. From the high-profile breaches that are splashed on the
front pages to the smaller ones that we never hear about, millions of consumers are
affected each year.

These breaches affect a number of sectors. During the last six months of 2007, education
was the most affected sector – representing 24 percent of the data breaches worldwide.
Government followed close behind with 20 percent of the breaches. Next on the list were
healthcare and financial institutions.

The number one way organizations are losing data is through theft or loss of portable
devices. Together, theft of laptops and storage devices make up almost 60 percent of the
data loss we saw in the last six months of last year.

Time is of the essence. We need to move quickly to protect information because right
now, too many organizations across the world are leaking critical data like a rusty bucket.
And it’s costing real money.

According to the Ponemon Institute, the average cost per compromised record is about
£47. They also put the average cost per breach at £3.2 million in legal and PR fees – and
lost business.


If ever there was a cry for a change in public policy, the time would be now.

I applaud the work that is being done in Brussels around data breach notification laws.
We must continue to raise awareness of the issues and the public and private sectors must
work together – to ensure that citizens across Europe – and around the world – have
confidence that their personal information is protected.

Whether it’s protecting against malicious code, plugging the flow of data breaches, or
protecting people’s privacy, we need to recognize that these are problems not limited to
one country or even one continent.

These are global problems that require the attention of governments and businesses
around the world. It will take innovative technology solutions, a strong partnership
between the public and private sector, and the right laws to address information
assurance. That’s what this conference is all about – sharing ideas on how to help each
other develop more robust strategies for protecting information – as it’s used, shared, and


So, as the leader of a global software company, I’d like to talk a little bit about the
technology aspect and give you one perspective from the private sector.

In the past, our reaction would have been simple: build higher and stronger walls.

But today, you can’t do that and have a successful business. Decision-making depends on
access to information. So, we must rethink our approach to security.

As we think about the growth of information and the current threats to information, a few
things are clear:

• If the growth of malicious software continues to outpace the growth of legitimate
  software, techniques like whitelisting – where we identify and allow only the
  good stuff to come in – will become critical.

• Identity management will only grow in importance. And we’ll need to expand it
  beyond the boundaries of an enterprise environment to include every consumer in
  the world.

• Digital rights management will start to become a reality. And I’m not talking
  about music and video, but important digital content that drives your organization
  day in and day out.

We need to think about how to use today’s tools to set us on the right path. And, I believe
this starts with a fundamental shift toward an information-centric view of security.

I’m sure you’re asking, what do I mean by that?

Information-centric security is about taking a risk-based approach to protecting
confidential information. With the amount of stored data growing 50 percent a year,
trying to protect it all is both inefficient and costly. Instead, it’s about securing the most
critical information – from source code to patient information to employee data.

It’s about balancing risk and opportunity. It’s about protecting data at rest…data in
motion…and data in use.

We are seeing the contours of information-centric security take shape now. It starts with
you being able to answer a few simple – but important – questions.

First, what sensitive information do I have?

Next, where is that sensitive information stored?

And finally, how is the information being used – both on the network and at the

Once you gain insight into how your information is being used, you can begin to set
policies that help you mitigate your risks.

And I’m not talking about a handbook that sits in the top drawer of everyone’s desk and
is read once – if ever.

These policies are the strategies that guide how your organization uses information – and
secures it.

They set rules for things such as storage-tiering, archiving, and encryption. For example,
you might decide that your employees can copy data to a USB drive – but only if the
drive is encrypted. Or you might decide that confidential information about employees
can’t be sent via e-mail.

The policy nuances are endless. But what is constant is that these policies must be aligned
across the organization. Your information security policy needs to be consistent with
how you want to run every aspect of your business – from managing HR records to
patient information and customer data.

Beyond that, executive involvement is critical to fostering a culture of security.

I was struck by a visit to a major New York bank recently. In the lobby was a large
poster that laid out the key points of their information security policy.

What a great way to make expectations clear and remind employees – each and every day
– of the important role they play.

And that’s what we need: a society in which the value of information – both business and
personal – is understood, and in which all of us work to protect it.


If policies are the strategies we use to secure and manage information, then technologies
are the tactics used to implement and enforce them.

Traditional security solutions – antivirus software, content filtering, and anti-spam
programs – remain important.

But, that’s no longer enough – we need to be able to protect information wherever it is.

Doing that requires security and data management solutions to work hand-in-hand – and
as part of a broader information risk management initiative.

                                       [Small Pause]

When I look at the solutions the IT industry offers today, compared to where we were
a decade ago, it’s clear that we’ve come a long way.

We’ve started to recognize the business value of our information. We’ve recognized that
security and data management are inextricably linked and together are the core of an
information-centric approach to security.

But, it’s not good enough. We need to take it to the next level.

I believe that in five to 10 years we’ll get to a system that marries security and
information in a more complete and holistic way. As we enable enterprises to gain
knowledge of their content, knowledge of their users and knowledge of all of the devices
on their network, we’ll see an enterprise rights management system emerge.

But to reach that goal, we need to do more around content awareness. Today, we have the
basic building blocks in place to accurately identify confidential information on file
systems, databases, and desktops.

We need to extend these capabilities more deeply into the mobile environment. Today,
we can see what information is being sent from a handheld device over the corporate
network. But there are still gaps – someone could use their handheld device to send
confidential data over their personal email account or download it onto a memory card.
And you can’t see it or stop it.

Being content aware also enables us to do more around the concept of intelligent

We can make smarter decisions about archiving information – whether it’s storing
information that needs to be retrieved regularly on disk…encrypting highly-sensitive
information, such as your personal health records, automatically…or deleting all the
spam and silly jokes that don’t need to be archived at all.

In the end, this enables you to archive only the key data and save on the rapidly growing
storage costs.

Moving forward, advances in content awareness will be critical to enhancing
information-centric security solutions.

And, as I look at the future of security, the path ahead is pretty clear.

What’s needed now – and in the years to come – is a broad set of policies and solutions
that can enable a true information-centric approach to security.

The bottom line is: you can’t secure what you don’t manage.


Ensuring information assurance isn’t just about layering on security solutions. We need
to embed information assurance into day-to-day business and that means we all need to
focus on building better software. After all, we rely on software every day for our daily
operations and business processes.

Software vendors have undertaken significant efforts to reduce vulnerabilities, improve
resistance to attack and protect the integrity of the products they sell. These efforts are
often referred to as “software assurance.”

It’s a concept that is especially important for organizations like yours that are critical to
public safety and national security. Your organizations require a high level of confidence
that commercial software is as secure as possible, something only achieved when
software is created using best practices for secure software development.

While a number of international standards and certification regimes for software
assurance have been issued, I believe that a more successful way forward is through
public-private collaboration.

In the U.S. Symantec is a founding member of a non-profit organization called
SAFECode, which stands for the Software Assurance Forum for Excellence in Code.
The goal of this group is to increase trust in technology products and services by
leveraging proven software assurance methods.

Groups like SAFECode provide an opportunity to share best practices in a manner that
helps vendors and governments better manage risk. We’ve leveraged our involvement
with SAFECode to have dialogues with many of the U.S. federal agencies like the
Department of Homeland Security and Department of Defense to educate them on the
best approach to ensuring the integrity of software so they can have confidence that their
information is secure.

We are doing the same with government here in the UK. As members of the UK
Information Assurance Collaboration Group we’ve been actively working to share best
practices and lessons learned around Information Assurance.

I firmly believe in the notion that sharing is protecting.

As we share information with each other we’ll be in a better position to protect critical
infrastructure and cyberspace. There is more work to be done, but we are moving in the
right direction by meeting at conferences like this.


As you consider how you implement changes today, you need to also look ahead – to
embark on a longer-term journey that shifts the focus of security from the infrastructure
or devices to the information itself.

While regulations certainly have a role I believe the best approach – and the one that will
be most successful – is one that is more collaborative.

That is, more public-private partnerships that bring together the best ideas from
government agencies, universities and business to tackle these challenges ahead of us.

I know this won’t be easy – change like this never is. But ultimately, the work of
protecting information is everybody’s job.

It’s a challenge all of us must tackle in order for our organizations and our economies to
thrive…to become more agile and high-performing…and to realize the full promise of
the connected world.

Working together I know we can meet this challenge.

Thank you.
