The hacking of US retailer Target’s point-of-sale cash register network last year resulted in the theft of 40 million credit card numbers and 70 million addresses, phone numbers and other personal information. It was the largest ever loss of credit-card data in US history – so far.
“We have three new threats now, on average, every second,” says Michael Sentonas, who is Vice President and Worldwide Chief Technology Officer for McAfee’s Security Connected business. The CFO, he adds, has a key role to play in protecting the company from those threats.
“They’re the people who understand the cost of the risks and they understand the concept of how much needs to be invested to protect assets,” he argues. “That’s why they’re really well-placed to work on security and why they should work hand-in-hand with the CIO.”
Sentonas spoke to CFO Innovation’s Cesar Bacani about the rising security threats to the enterprise, the rise of the ‘security-obligated executive’ – the CEO, CFO and other top executives – who is held accountable for security breaches, not just the CIO, and other issues. Edited excerpts:
What are you seeing among your clients, particularly in Asia, in terms of their attitude towards IT and online security?
What has changed over the last couple of years is that businesses across Asia and across the world, really, are starting to understand the seriousness of the risk landscape. What I’m finding now is that people are understanding that this is a business problem.
It’s not a technology problem, it’s a business problem. It’s something that they need to tackle from the head of the organization down.
There are different concerns. In Asia, especially, there are a lot of regulatory compliance requirements. So from the security perspective, people need to make sure that they’re compliant with a lot of different standards and frameworks.
But in a changing threats landscape, people also worry about their organization being compromised, losing track of the data, losing intellectual property, having an outage and so on.
Does ownership of security solutions still lie with the Chief Information Officer?
It is still the CIO who is responsible for security. But the CFO also plays a really significant role in making sure that the organization is protected.
What we’re seeing in the last couple of years is the emergence of what we’re calling the “security-obligated executive.” What that means is that everyone from the CEO down is responsible for security.
Meaning that if anything goes wrong, the security-obligated executives are accountable?
It’s the people that are accountable; it’s the people that need to be aware of what’s going on. If you think of some of the most major customer-records breaches that happened in the last couple of months, it’s not only a CIO issue; it’s the CEO down that’s responsible to make sure that people are safe and secure.
So is McAfee involved at all in Target’s anti-hacking security arrangements?
We don’t typically talk about customers unless our customers openly talk about it themselves. We don’t share any customer data with anyone regardless of who they are . . . That being said, many of our customers do openly talk about what they are doing with us as well.
It’s really up to them to disclose their success in what they’re doing with us. [Editor’s Note: Media reports say Target’s antivirus system was provided by Symantec.]
Has any one of your clients experienced hacking and data theft?
All our customers are facing an increase in the cyber security threat landscape and are dealing with issues every day. We’re dealing with them very actively every day.
We’ve worked with many organizations that have detected an issue on the desktop, [viruses that] bypassed their firewall, bypassed the other lines of defense.
And McAfee itself, have you had any hacking or data theft incidents as an organization?
We are an incredibly targeted network, as you can imagine. Our internal IT team has an amazingly tough job where we are hit by a lot of malware . . . but they do an amazing job [protecting the company]. Attacking security technology companies that prevent your networks from being compromised is always attractive to hackers.
Do you find these days that CFOs are more open to championing spend on security solutions because of incidents like Target?
If you think about CFOs, they’re the people who understand the cost of the risks and they understand the concept of how much needs to be invested to protect assets and make sure they mitigate risks. So that’s why they’re really well-placed to work on security and why they work hand in hand with the CIO.
Many years ago, there would be a line-item discussion. Someone from the technology department would say: I want to buy this, this is the budget, there’s a good business case for approval.
Now what’s different is people need to understand what is their most valuable corporate asset, what is the critical part of the organization that they can’t risk losing. And the person in the best place to understand that is the CFO.
Brian Dye, Symantec’s senior vice president for information security, told the Wall Street Journal that antivirus is no longer “a moneymaker in any way.” Rather than work to keep the hackers out, the new approach is to assume they will get in, so the aim is to spot them and minimize the damage they can cause. Is antivirus software really dead?
Absolutely not. I don’t think for a moment that Symantec was making a bold statement telling all of their customers to stop using antivirus. If anything, that would be a silly piece of advice.
What I think they’re suggesting is two things. One is that some of the newer, more targeted threats can make it very hard for traditional virus software to [catch them], so you need a more comprehensive strategy.
That’s actually no revelation to anyone in the industry. You may have different approaches when you have different types of detection technology in your organization.
The second part of what they meant is a potential scenario that [anti-virus software] is not as financially lucrative for them. So they’re changing their business model.
But we [at McAfee] had amazing growth in that particular area. So clearly people still need that part of technology, it’s still extremely effective and it’s got a role to play. The market is quite significant. If you have a good technology, you still have a very financially viable business.
But is it true that anti-virus software can actually protect the user from just 45% of the threats that are out there?
No, I don’t agree with that. I don’t know how that was calculated.
We have three new threats now, on average, every second. So if you’re thinking about the sheer volume of malicious software, you can make it very hard for antivirus software to keep up. And there are also categories of malicious software that can bypass antivirus.
That being said, there’s a massive amount of malware that is effectively fought with antivirus technology and it works exceptionally well. It’s an effective mechanism.
Obviously no system can protect you 100%, though.
No single technology or approach is going to solve every problem. A lot of technology can be bypassed, can be circumvented. So security is all about different approaches, layers.
The most important layer or the most important component of security is the organization itself and the people within that organization. Because they are the ones that need to make sure that they pull all of this strategy together. It only takes an attacker one break in the chain, one weakest link, and then they’ll win.
Other vendors have talked about other approaches. For example, Juniper says that customers should place fake data inside their firewalls to distract hackers. Another start-up says just make the passport and credit card numbers so difficult to use once they’re pilfered. Are these approaches that McAfee is also looking at?
Yes and no. There are many different ways to approach security. And obviously one is just to create a honey pot. That sort of assumes that you’re getting to let people come in or they’re going to get in anyway, so direct them somewhere where they get a little bit confused, instead of keeping them out in the first place.
Our focus is more on prevention, stopping the attackers from getting into [our customers’ network] – that’s our core value proposition.
One of the big challenges that people face from a security perspective today is visibility and hacking awareness of what’s going on inside the network. In some of the largest [incidents] in the last 12 months, a lot of times those organizations spend almost three to six months trying to work out what happened and they find out that their network has been compromised over a 2, 3, 4-year period.
So a lot of the work that we’re doing with organizations now is to give them a platform to help them become aware that they’re being compromised, to help them understand that their network is under attack or that it is safe and secure. We’re doing a lot of work around situational awareness, around security incident and event management.
So a honey pot is not something you would recommend or implement?
We have done a number of honey pot and honey net projects from a research perspective. We don’t typically install them for our customers because it’s something that requires a significant amount of skill. And potentially not everybody has that.
Can you give us an idea about the cost of protecting an organization from viruses, malware and other threats these days?
It’s a hard question to answer. There are so many variables. From a business perspective, it depends on the size of your organization – Are you a small business, are you a large business, are you a government, are you a bank?
Would the cost for a large enterprise come to, say, US$10 million?
It can be.