Secure Access to Sensitive Data: Insights from John Bordwine, Public Sector CTO, Symantec
What do these events mean for the financial regulatory agencies - especially in terms of securing access to sensitive data?
John Bordwine, Public Sector CTO at Symantec, tackles this question, discussing:
As the Symantec Public Sector CTO, Bordwine currently serves as a trusted advisor, providing guidance on the development of products and solutions that meet government requirements and certifications specifically focused on the Public Sector markets. His responsibilities also include all technical activities related to Public Sector customers, which includes federal, state, and local government agencies, and education industries. In addition to these responsibilities, he also provides guidance to other Symantec business units around specific requirements to the Public Sector industry.
Previously, Bordwine spent over five years with McAfee as the Public Sector CTO and Senior Director of Security Engineering.
He has spoken at numerous highly-acclaimed security events, including SANS Institute events, FOSE, AFITC, and US Government agency-specific functions. Bordwine holds a Top Secret clearance and served in the US Army Signal Corps where his last assignment was with the White House Communications Agency.
TOM FIELD: What are current trends in secure access to sensitive data? Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are discussing this topic today with John Bordwine, Public Sector CTO with Symantec. John, thanks so much for joining me.
JOHN BORDWINE: Thank you, Tom.
FIELD: John, just to get our conversation started here, why don't you tell us a little bit about yourself and your experience, please.
BORDWINE: Sure, Tom. I have actually been in the security industry for about the past 15 years, very much focused on the public sector environment, so the federal government being a part of the public sector environment. I have managed both security engineers as well as my current role today, having oversight across a multitude of products within Symantec to ensure a high level of security and confidence as delivered to public sector customers, and also meeting these new and emerging federal guidelines around security, and very specifically cybersecurity, as we move forward down the line.
FIELD: Well, it is a big topic here we want to tackle, talking about secure access. In terms of accessing sensitive data, what would you say that the recent economic crisis has showed us?
BORDWINE: Well, Tom, this is really not just an item that is solely associated to economic crisis. I think the economic crisis has brought a little more to light about how information has to have some level of oversight around it, but this is really a business best-practice when you look at secure access to sensitive data.
Sensitive information, it must be protected, but it must be done so that there is a method in place that doesn't lock that information until it has been thrown away and doesn't exist. So there are two-fold areas the way I see it, as around ensuring that you have the best practices for securing your sensitive data, and also how do you allow compliance metrics associated to that data? I think it is very, very key, based around the economic crisis, but also is a good business principle.
FIELD: John, I want to talk with you specifically about regulatory reform. There is a growing sense certainly that financial regulatory reform is coming, and we have talked about that in terms of what it means to financial institutions, but what does this mean for the regulators themselves?
BORDWINE: Well, Tom, I think that based upon the plans I have seen so far on a multitude of initiatives, it will mean that it is more access to more information from the regulators about a very highly sensitive nature that may eventually have to be shared across multiple agencies. So with this information coming in of this very high level of sensitivity, there also needs to be some level of compliance metrics associated and initiated that allows the regulators to know what information they have, where that information is, and being able to do a much better management job around information.
FIELD: You know, what is interesting? When we talk about regulatory agencies, we always talk to the financial institutions in terms of what they can do before a particular -- before a guidance takes place. In this case, what can agencies be doing, even now, before regulatory reform happens and whatever shake-ups come with that?
BORDWINE: Well, I think, Tom, these agencies that will be participating in that reform, they really need to redo their current information policies for any possible changes, and this would really relate to any government agencies in today's more cyber-centric environment. And they really need to look at placing a very heavy emphasis upon securing the information.
A lot has been done in the past and different methods put in place for securing endpoints or securing networks, but this information is very, very key, not only tied to reform, but just in a more cyber-centric world that we all live in today, protecting that information no matter what the level of classification is very, very key.
FIELD: Now again, we always talk with the financial institutions about having to make a business case ,and you talked upfront about the economic crisis and the effects of that. When the agencies have to make their case for these new security measures, what are the business benefits that they can realize and be talking about?
BORDWINE: Great point, Tom. So the way that we look at it is information security has really been more of an add-on over time, based upon how much we digitize our own world and just how important that data is today. So if we look at that parameter saying we have a very information centric environment, we digitized most of our information to today, then we have to look at and develop an information security plan. And these plans have to be associated with policies and have these policies in place and being able to manage both the policies and the information flow so that the agencies can gain better efficiencies on how they better manage that information.
And actually that provides them with a better understanding of where to spend the dollars if you have the policies in place, you have the information flow in place, and you know the classification of the information -- you have a much better idea on where to spend your money.
You really need tangible data to measure compliance and your return on investment. And both within the agencies and the organizations they support, that really has to be one of the metrics; what would be a return on investment? That way you know the level of risk and how you spend your money first to be able to protect information.
FIELD: So, we have talked here about financial services and about the financial regulatory agencies, but this is a topic, securing access, that really crosses boundaries. What are the takeaways for organizations in other industries?
BORDWINE: Another key point, Tom. So there is no surprise, right? I mentioned it a little bit earlier, that we are an information centric generation. Well-managed information is inherently much more secure information. When I speak about, and we have used the term in the past, data in lots of different terms associated to what crosses a network or where that information is going to be and how it resides, it gets a different classification and different name. But really, information is where we live and breathe today. Everything from what you do from online banking to agency-to-agency information as what is part of the plans around the regulatory reform, all this pertains to information. We don't have a lot of huge file folders sitting there with a lot of paper in them anymore.
So we have to look at that information, and we have to manage that information much better, not only from an agency-wide perspective, but really from a general business principle, of better managing information so that we can actually provide better security and access to that information.
FIELD: And that could be happening in healthcare and government to financial services, any industry really.
BORDWINE: Absolutely. If you look at those center items, the healthcare reform and the potentials for where healthcare could be from electronic health records -- that all has to have a very high level of classification, and you have to be able to ensure the right level of security across that information. So you have to know where it is at in order to be able to secure it in the first place.
FIELD: Well, you make a good point because we have seen healthcare reform, certainly in terms of security and privacy, we are likely to see financial reform this year, but with or without legislative action in whatever industry. What would you say are the key points that can be made about secure access to sensitive information?
BORDWINE: So, Tom, really this gets down to some of the key points I think I actually discussed a little bit more earlier on, but this is around knowing where the information is. Too many times you see that, and a lot of us are very, very guilty of it, on having information that should not be stored on your laptop, on your PDA, it might be stored several times on a different backup system, but understanding where that information exists. Because it goes back again to that information management, but knowing where it is allows you first and foremost to know what information you have, and where that information is located.
The second piece is see as a major takeaway here and how we could really focus much more on secure access to sensitive information is who has access to the information. And not only who has access, but why do they have to have access to that information? Is it just a general group policy that somehow has become a default, and the people that really should not have access to information now do? Or is it someone that actually has to work with that information, and they have to make decision based upon that information? They should be authenticated and validated to have access to that information, and it should not just be general open access to information.
And then again another piece that goes back a little bit is how relevant is the information that we are trying to secure? At what level is this old information that we could potentially encrypt and have authentication and validation to get access to it, and reasons that we have to define to get access to that information, or is it current information that we have to work with? Again, data in motion, as it is classified, is always much more susceptible to leakage than information that is stored. Though information that is stored there can have access points to it, but we have to look at how relevant it is. Is it something that we have to keep moving around in our network environment, moving through our cloud, moving through the internet, or is it something we can store and we can encrypt and we can do a little bit better protection of it because it is historical-type of information instead of having a lot of historical information sitting on somebody's laptop that is moving around the country for some reason?
Those I think are really the key elements associated to doing a better job.
FIELD: Well, John, I appreciate your insight and your advice; it has been very timely and very strong.
BORDWINE: All right, well thank you, Tom. I appreciate the opportunity to speak with you.
FIELD: The topics have been security, access and sensitive data. We have been talking with John Bordwine with Symantec.
For Information Security Media Group, I'm Tom Field. Thank you very much.