Federal IT managers often look to leading technology suppliers to discover what they have learned to protect their own enterprises. Breaking Gov sat down with Symantec Corp.’s Vice President and General Manager for Public Sector, Gigi Schumm, to discuss what federal IT managers can learn from Symantec’s own approach to security and how those lessons are incorporated into the company’s products.

Breaking Gov: If federal IT managers wanted to look inside Symantec to see how security is managed and baked into your products, what would they see?

Gigi Schumm: We get asked that question a lot. We do have a program we call ‘Eat Your Own Cooking.’ As you can imagine, with Symantec’s name and brand we take protecting that very seriously. But we also have the same pressures as every other IT organization, like our government customers. But as they look at things like mobility and employees that want to use iPhones, iPads and Droids, we deal with those same issues.

At Symantec, iPhones are now supported and we have a pilot project for iPads, for about 100 employees and I’m one of them. It’s a company device and I’m allowed to have personal apps on there and access to personal email and calendar.

Recently, we released a new version of our flagship endpoint protection product. We did not ship a single copy of that until more than 10,000 employees at Symantec had that new version on their machines. Symantec has 18,000 employees. So 10,000 goes way beyond the developers. You have HR, legal, finance and sales people using the product and battle testing it.

How does Symantec approach the insider threat, where people with authorized access steal or deliberately disclose sensitive and proprietary data?

We have a variety of different technologies, including our own Data Loss Prevention (DLP) technology that we use internally and a lot of government customers use as well. We also have encryption technology from companies we purchased like GuardianEdge and PGP.

You talk about a shift from a systems-centric to an information-centric security model. Can you explain what you mean by that and how it translates to practical advice for CIOs and CISOs?

In the old days the way we used to think about security was you had a perimeter and you would build fences around the perimeter. It was thought that if you could protect the perimeter then all was good. Well, as our supply chains became more integrated and we had to allow our partners into our networks it quickly was understood that that wasn’t good enough. So then we worried a lot about protecting systems – putting security on a given system or protecting the network with intrusion detection systems.

The truth is that today with IT being so interconnected and the proliferation of new devices like smart phones and tablets, and people moving to virtual environments, you have to step back and expand your definition of security. Really, you have to focus on the information. And you have to make sure you are protecting it appropriately no matter where it sits.

Practically speaking, we have a product that’s called Data Insight. It identifies the data in your environment, who owns it, who’s accessing it, and how often they access it. That helps you set policies around where your data should live, how often you should back it up, as well as what kinds of protections you should have in place. That product wouldn’t even have been thought of if we weren’t focused on protecting the information instead of the system.

What should federal IT managers who are reluctant to embrace the idea of a mobile workforce – telework – know about the security options for a mobile employee?

The most secure system is one that nobody ever needs to get into, but that’s not practical. And what’s also not practical is saying ‘we won’t ever support a mobile workforce.’ You’re trying to recruit the best and brightest talent, including younger people who have different expectations about work-life balance and also different expectations around using iPhones or iPads or Droid devices for work. So if the government wants to recruit those people, it’s not a question of will you or should you support a mobile workforce, it’s really you have to.

There are also cost savings to be derived if you allow people to work remotely and mobile. But here’s the key. You want to make sure that the same rigor that you apply for any IT asset within your four walls is applied to anything outside those walls. There are precautions you have to take and in some cases there may be additional technologies you need to deploy. But more than anything it’s probably a cultural shift.