Symantec’s regional security boss has said that in order to protect a business from cyber threats, you must first understand it.
“I would say that in the end, we are protecting businesses so we have to understand their business,” said Symantec senior director cyber security services Asia Pacific and Japan, Peter Sparkes.
“We need to understand what’s important to their business and therefore, how to protect that business.”
Sparkes said that in the modern threat landscape, to defend everything is to defend nothing.
“Protecting everything is long gone. It is protecting the core assets and capabilities in a business. Having that communication is critical,” he said
When asked if companies were still reactive to cyber threats or becoming proactive, Sparkes said it was a mix.
"Certainly there are some companies that get breached and all hell breaks loose. Then there are a lot of companies where the board is starting to discuss it with the C-suite," he said.
Sparkes explained that board members who also sit on other boards where security discussions are common are bringing it to into the discussion at meetings.
“We are seeing at the board level, a lot more understanding of the long term risk to the company of these types of risks."
Symantec senior vice-president Asia Pacific and Japan, Sanjay Rohatgi, said many companies were paying more attention to how security breaches could affect public image.
“The reality is that no company wants to be on the front page of the newspaper for the wrong reasons. The discussion is moving from the CIO and CISO to the board level because enterprise risk and technology risk is fundamental to protecting the brand and making sure they are well covered.”
Sparkes agreed and said that for banks, more than any other organisation it is about public perception.
“If you look at the banks, one of the reasons they built those huge sandstone buildings in Martin Place and other locations was to show that they were secure and trustworthy,” he said.
“Now in the online world, they are still having to prove that to customers that they are trustworthy and secure, it’s the same as the buildings. They have to have those controls in place to show that.”
Sparkes said that one of the things that the firm was finding with organisations is that they were increasingly taking the view that it is not a matter of if but when they will be breached.
“Often it is not only their organisation that might be breached but a third party supplier that they are working with where the breach actually happens. The tide is changing from a it will never happen to me mentality to a it’s not a matter of if but when,” he said.
“That’s why we are seeing a move from purchasing the standard protection to technology that aligns more to the detection and response mentality.
Sparkes emphasised the importance of partnerships to protecting organisations of all sizes.
“I don’t think any government or organisation can do it all. So everyone needs to partner or to have organisations to assist them, bring in expertise in some areas and then focus on other areas they are better equipped to deal with,” he said.
“That’s generally how organisations are working these days. Get someone to out-task what is difficult for them to do internally and then build up what is really important to them to have, that changes depending on the type of business.
“For some businesses it may be the forensic side that’s more important because that’s the business model, while for others, keeping the lights on is the most important so it is more about quick remediation and incident response. It’s up to us to figure out how we can work with those companies.”
Sparkes went on to say that increased security did not necessarily mean decreased agility anymore.
“It is not the case anymore. Some of the most secure organisations are also the most flexible,” he said.
“There are different ways of doing security. There is the government or compliance based security where you have to meet standards and make sure all the boxes are ticked. Then there is that other type of organisation that has more ability to spend more on response capability and detection capabilities so then a hole opens up when they are able to respond to them more quickly than the traditional model.”
Sparkes said he did not believe there would be one approach to security that would become dominant over others.
“There will be horses for courses. Governments will still need to have a much more compliance-based approach and other organisations, such as gaming companies, need a more agile model and so the security aspects change,” he said.
“It is all about what controls you can put in depending on what model you have. Sometimes it is more industry specific as well.
“There is room for both approaches, in the security industry, we have always tried to have one approach that suits everyone. That is not the case anymore, the security now has to be layered on top of the business.”
Sparkes identified health as an area for growth in the security space, particularly in Australia and New Zealand.
“Health is a really surprising one, I think that is certainly going to be a driver. In this region it has been a bit more backward, the reason is that it is more a public institution space compared to the US and other regions where it is controlled by private organisations,” he said.
“Certainly with the emergence of IoT [The Internet of Things], when organisations begin to hook up devices and other connected devices. Health will certainly be an area of growth but I wouldn’t say that is the only area.
“Any organisation going down the IoT path needs to take a built-in not bolt-on approach to security.
“Energy, power, media is a big one now with boxes that have two way communications in your house, content providers as well. From a security perspective, that opens up what we call the attack surface area.
“Your security changes with IoT it is impossible to harden those sort of devices so you concentrate on the security controls on the entry points into datacentres and gateways, so that is where the security mechanisms change.
“I have been in security since 1993,” Sparkes said, “and all that time I have searched for the silver bullet technology, I still haven’t found one.
“In my view, there will need to be multiple controls in place, there will be controls on the router, on the endpoint, on the device itself. There will also be a whole lot of controls all the way back upstream to where the data is being transported from as well,” he said.
“There will not be one approach there will be multiple approaches.
“With security, once a mechanism is in place you will have people working on how to get around it straight away.
“I think the most important thing when dealing with devices is the data, how do you control the data that is flowing through them. What do you do with the data, how do you look at it and how quickly you can respond is more important than protecting devices.”