In the security hot seat

Symantec's network security chief, Tim Mather, talks about attacks on his company, the folly of regulations and why he'd never hire a hacker.

Like most information security professionals, Tim Mather focuses on keeping hackers out of his company's network and ensuring all systems are updated with the latest patch.

And like most of his peers in the industry, he worries about the level of sophistication of the next security attack and looks at what his team needs to do to fend off the most vicious ones.

But the difference here is that Mather works for Symantec. As chief information security officer at a company known for its antivirus products, he faces challenges particular to his role.

In an interview with CNETAsia, Mather reveals that his company gets inundated with a barrage of hacking attacks simply because of what it is. Some of these attempts have gotten "pretty close," he says.

He also talks about how he copes with these challenges, why he would never hire former hackers, and why today's many compliance regulations are getting in the way of ensuring security.

Q: What is it like being in charge of security for Symantec, a company that depends on it for a living?
Mather: I have responsibilities for the security of our internal networks, all our extranets and our partner connections. Because we're a security company, we also run our security infrastructure based on our own products. My team gets heavily involved with beta testing and actual deployment of those products.

And because of who we are, we get an average of 20 to 30 solicitations, proposals or propositions--whatever you want to call it--from companies on a weekly basis asking us to buy their company, their technology and so on. After the business development people have had an initial look at it, I get called in to see if I would buy the technology as a customer. What's interesting about that is I get to see a lot of small companies, what they're working on. Many of these are very small and very new businesses. Some of them have quite cutting-edge technology.

Another component is with regard to audit compliance, specifically security. So my team is at the forefront of security, the standards, the architecture, the policies and, on a limited basis, some operational aspects of product testing and audit compliance. This includes regulatory compliance, so things like Sarbanes-Oxley fall under my responsibility from the IT side. That is a major drain of my time.

The accounting scandals at the Enrons and WorldComs gave rise to regulations such as the Sarbanes-Oxley Act (SOX). Besides Symantec, has regulatory compliance become a big focus for other companies, too, in terms of security?
Mather: Absolutely. Regulatory compliance has become a huge issue. It is an enormous investment in time and resources (in terms of people), and the cost is not insignificant at all. Sarbanes-Oxley for Symantec alone is an eight-figure sum. It's an investment worth multiple millions in dollars.

The issue I have with regulations, while they're well-intended, is that you have a real proliferation of them. They've gone from being a good idea to being a distraction, to what it is now which is a diversion on security. The sheer number of them is actually weakening enterprises, many of which have to comply with multiple regulatory compliance guidelines. That's a huge burden on companies.

So what really needs to happen instead is a harmonization of those requirements...Very rarely do companies operate in a single location anymore. How many banks here in Singapore have to not only comply with the (local) monetary authority's regulations, but also have operations overseas that are subject to Basel II, SOX in the United States, and probably the European Union Privacy Directive requirements if they operate in Europe? How many different regimes are they subjected to?

Making sure that Enron, WorldCom and all of these others don't happen again is a very good thing. But there's a better way to do that.

Speaking of compliance and security policies, are there any policies at Symantec that might be different from other nonsecurity companies? Anything that's unique to your company, simply because of who you are?
Mather: No, as far as scopewise, I'm sure we're very similar to other companies. As far as granularity, we're probably far tighter than other companies, because security is our business. The possibility of an incident for us is far more serious than it may be for other companies. A security breach for someone in the retail industry probably doesn't