And like most of his peers in the industry, he worries about the level of sophistication of the next security attack and looks at what his team needs to do to fend off the most vicious ones.
But the difference here is that Mather works for Symantec. As chief information security officer at a company known for its antivirus products, he faces challenges particular to his role.
In an interview with CNETAsia, Mather reveals that his company gets inundated with a barrage of hacking attacks simply because of what it is. Some of these attempts have gotten "pretty close," he says.
He also talks about how he copes with these challenges, why he would never hire former hackers, and why today's many compliance regulations are getting in the way of ensuring security.
Q: What is it like being in charge of security for Symantec, a company that depends on it for a living?
Mather: I have responsibilities for the security of our internal networks, all our extranets and our partner connections. Because we're a security company, we also run our security infrastructure based on our own products. My team gets heavily involved with beta testing and actual deployment of those products.
And because of who we are, we get an average of 20 to 30 solicitations, proposals or propositions--whatever you want to call it--from companies on a weekly basis asking us to buy their company, their technology and so on. After the business development people have had an initial look at it, I get called in to see if I would buy the technology as a customer. What's interesting about that is I get to see a lot of small companies, what they're working on. Many of these are very small and very new businesses. Some of them have quite cutting-edge technology.
Another component is with regard to audit compliance, specifically security. So my team is at the forefront of security, the standards, the architecture, the policies and, on a limited basis, some operational aspects of product testing and audit compliance. This includes regulatory compliance, so things like Sarbanes-Oxley fall under my responsibility from the IT side. That is a major drain of my time.
The accounting scandals at the Enrons and
Mather: Absolutely. Regulatory compliance has become a huge issue. It is an enormous investment in time and resources (in terms of people), and at all. Sarbanes-Oxley for Symantec alone is an eight-figure sum. It's an investment worth multiple millions in dollars.
The issue I have with regulations, while they're well-intended, is that you have a real proliferation of them. They've gone from being a good idea to being a distraction, to what it is now which is a diversion on security. The sheer number of them is actually weakening enterprises, many of which have to comply with multiple regulatory compliance guidelines. That's a huge.
So what really needs to happen instead is a harmonization of those requirements...Very rarely do companies operate in a single location anymore. How many banks here in Singapore have to not only comply
Making sure that Enron, WorldCom and all of these others don't happen again is a very good thing. But there's a better way to do that.
Speaking of compliance and security policies, are there any policies at Symantec that might be different from other nonsecurity companies? Anything that's unique to your company, simply because of who you are?
Mather: No, as far as scopewise, I'm sure we're very similar to other companies. As far as granularity, we're probably far tighter than other companies, because security is our business. The possibility of an incident for us is far more serious than it may be for other companies. A security breach for someone in the probably doesn't