Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Corporate Responsibility in Action

I am the difference between "at risk" and "at ease"

Created: 01 Nov 2012 • Updated: 01 Nov 2012 • 1 comment
Patricia Titus's picture
+1 1 Vote
Login to vote

Symantec’s 2012 Corporate Responsibility Report explores our commitments to our employees, the world, and your information. Over the next several weeks, we’ll be featuring blogs from Symantec employees and partners that focus on how they are making a difference. This week, we hear from Patricia Titus, Symantec Vice President & Chief Information Security Officer.


Symantec's mission to inspire confidence in a connected world requires that we ensure both our own operations and those of our customers are safe and secure. As the leading global information security company, this is not an easy task. In our tech-based society, cyber criminals are now harder to track and companies are more vulnerable than ever. At Symantec, we see every kind of cyber attack on our operations, ranging from malicious attacks aimed at doing deep infrastructure harm to hacktivism.

As Chief Information Security Officer (CISO), it is my job to manage Symantec's global information security and ensure that we have information protection at all levels within company. What may be news to many is that I simply cannot be successful without the awareness and assistance of every single employee, partner, and third party we work with.

Specifically, employees are one of the most vulnerable entry points for cyber criminals these days. Who me? Yes you!

In all fairness, our employees are the front-line, the primary target of phishing attacks, and the primary target of social engineering. They are on the inside of the world’s largest security company and the natural targets of attack. Also they can be well-intended insiders and often don't realize that they are engaging in risky behavior. For example, there are malware attacks because people are going to suspicious websites, or attacks stemming from employees that delay downloading critical patches or antivirus updates because it caused a disruption to their workday. Additionally, well-intended insiders are often the point of entry for large-scale nation-state attacks known as Advanced Persistent Threats (or APTs). Lastly, the bring-your-own-device trend has made it harder for CISOs or CIOs to effectively track all entry points all the time.

CISOs are very effective at putting up perimeter defenses, but in truth we need our employees to be the first line of defense. That is why we've focused so heavily on cyber security training and building awareness among our employees, partners and vendors. In 2012 Symantec mandated annual security awareness training and has increased communications from the CISO Organization. But it needs to be more than just training, so we go beyond this to continually educate employees about threat vectors and how they are a part of the attack surface. But more has to be done and we need more awareness campaigns, more threat briefings and more brown bag learning sessions discussing how to identify threats, risky behaviors and ensuring employees are up to date on the latest threat trends. Organizations must tap those people willing to offer this education to fellow employees. Those of us "in the know" often assume that because we all work for the largest security company in the world we’re all security experts – unfortunately that’s not always the case.  Everyone needs to be reminded!

So what else can companies do to stay secure?

1. Be aware. Too often companies, including our clients, will take a plausible deniability stance. If we don't know about it, it can't be happening. But this mentality will only exacerbate the problem. Data has become the business, and companies rely much more heavily on technology for business operations and efficiencies. Everyone needs a strategy, and although it may seem a daunting task, a straightforward solution is to base your security strategy on a well-known framework such as ISO 27001 or the National Institute of Standards and Technology (NIST).  

As part of our strategy at Symantec, we have created a feedback loop for the CISO organization to share threat information with our product development teams and employees. As one of the largest customers of Symantec products, we have unique insight into how they are helping, and how we can make our offerings even stronger. By having open dialog with our business units we’re able to offer valuable insight from an operational information security perspective about the integration of our products and services as well as helping share the knowledge we have from daily attacks.

2. Define your risk tolerance, and manage your risk according to this. Some industries can afford to take on more risk and others can't. Decdie how much risk your business is willing to assume.

As a CISO for the last decade I have seen the information security landscape change drastically, and with it, my role. While the role of CISO was originally created to provide visibility into security threats, it has grown to be an integral part of the executive leadership team, reporting to the CEO and the board of directors and driving change in company processes and policies. Additionally, part of a company's responsibility is to ensure their employees’ and customers’ information is safe and secure. Therefore we view our cyber security strategy as an integral part of our responsibility to all stakeholders and shareholders.


For more information about Symantec's approach to information protection, cybercrime, online safety, and privacy, visit the Your Information section of the corporate responsibility website.


Comments 1 CommentJump to latest comment

Robert Shaker's picture

Can't agree with you more Patti. Focusing on people and making the awareness program a true program and not juts a once a year event is key to ensuring that people think security in everything they do. Taking a risk based approach is a must for every organization. Without it when you meet with the other executives you never appear to have direction or strategy. You might end up buying "cool" technology that really doesn't solve your problems.

We believe so much in this prioritized approach that we give away at no cost our Security Program Review, to help customers understand where they are in the maturity of their security program and then we help by giving them a prioritized list of actions they need to take to improve. For the customers we have done this for we are seeing a need to improve awareness and a lack of risk-based focus.

Question for you. How does someone who might not be doing these things today make changes to their program to better it in these areas?

Bob is a Senior Leader on the Symantec Managed Incident Response Service team. He can be found online at LinkedIn or Twitter

Login to vote