Re-Building the Infosec Team
Symantec's CISO on Redefining Security's Role
Among Patricia Titus' first priorities as CISO at Symantec: re-focusing the company's security team.
Titus, formerly chief information security officer at Unisys and the Transportation Security Administration, joined Symantec in November 2011. Immediately upon arriving on the job, she began to look at ways to develop the information security team.
"It was really stretching what they have thought of before as being the traditional IT security organization," Titus says in an interview with Information Security Media Group's Tom Field [transcript below].
"Governance, risk and compliance is so much broader than just how we're protecting the internal data for the company," she acknowledges.
Her team right now is at about 35 people, and Titus has made efforts to develop leadership roles to improve areas such as GRC, risk management and security engineering. Another area - threat response - required a qualified individual that had the forensics and investigation components necessary for the position. "So we looked within the company actually and within our own team, and we promoted from within to fill that," Titus says.
"Having the qualified set within all the security disciplines has been critical to the success of the team up to this point," Titus says.
As far as accomplishments, Titus says her security team has moved from being reactive to predictive when addressing risks and threats to the company. "The objective is you're never going to be able to completely eradicate attacks and hackers," she says. "But what you can do is become more predictive in looking at where and at what times you're at the most risk."
Looking ahead, Titus hopes to continue increasing her team's heightened predictive analysis capabilities. "What we want to do is get more in-depth in our basic security hygiene and ensure that we're covering the areas where we may not have as much visibility," she says.
In an exclusive interview, Titus discusses the do's and don'ts of building an effective security team, as well as:
- The impact of Symantec's pcAnywhere data breach;
- Her goals under the leadership of new CEO Bennett;
- Responding to the security challenges of BYOD and the cloud.
Titus is the vice president and chief information security officer at Symantec, responsible for IT information security risk management, threat response and governance functions. She plays a strategic role in protecting Symantec's IT resources, infrastructure and information assets, and drives internal security initiatives.
Previously, Titus was vice president and global CISO for Unisys Corp., a global information technology company. At Unisys, she was responsible for enhancing network security and policies supporting global employees while ensuring the continued protection of sensitive corporate and customer data. Earlier, Titus was CISO at the Transportation Security Administration within the Department of Homeland Security, where she focused on creating, implementing and maintaining a robust IT security program. Titus also worked overseas for several years in various positions within the U.S. Department of Defense, the U.S. State Department and various private sector firms.
TOM FIELD: You've been on the job now for several months. What would you say to date has been your single most important accomplishment at Symantec?
PATRICIA TITUS: There have been so many, but I think one of the most important accomplishments has been the alignment of my organization from a structural perspective to be able to meet the demands and the needs of the business in which Symantec is in. It's a bit different from my other job, but it's critical that the security office is aligned with the business needs to enable and empower our employees to be as innovative and as effective as possible.
FIELD: When you took the job in 2011, what did you expect to be your biggest challenges?
TITUS: That's a really good question. One of the most important things for me and one of the biggest challenges I was going to have is I work in a company where there are so many security experts and convincing them that I was actually at par with them was a great opportunity to be successful. I used the famous line, "I work in a company where 80 percent of the people are smarter than I am and 20 percent think they are." It's a challenge to get people to realize that you bring to the table a little bit of a different perspective on security. Our employees are building security tools and they're innovating new security ideas for the protection of data, and so getting those individuals to start to think slightly differently about how we react every day within the company has been a big challenge, but I think the Symantec team and the Symantec family has recognized that together we're a very powerful entity and that they're really my front line of defense.
FIELD: How would you say reality has matched or not matched your expectations in the months you've had on the job?
TITUS: Reality is always a bit different than what you think, and looking at a company as large as Symantec and how we've grown over the years through the mergers and acquisitions, it really has been a growth opportunity from a career perspective for myself. The other thing that I think is really great is the reality of what's happening in cyberspace really becomes clearer when you work for a company like Symantec and you have access to even more information than as a public servant I had when I was in the public sector. The reality is that there are truly things happening in cyberspace that the general public isn't aware of. We're getting better visibility into the situation, but there's so much more need to be able to find technologies and capabilities to protect people and their data, and I think the important part for myself as a CISO for this company is what are those technologies that I need to implement to enable our employees to be as productive as possible. But on the flip side of that, what are the inputs that my team has into our consumer branding and some of the products that are sold for consumer use, such as our Norton products? It's been a great career challenge for me and it's been a great career move.
Growing the Infosec Team
FIELD: Let's talk about your team now. I know you had to place some members when you came aboard. What would you say were your objectives for growing and developing your infosec team when you stepped in?
TITUS: It's important to align your IT security team to meet the needs and the demands of the company. One of the areas that we found we could have a big impact into has been in our product development side. We're one of the biggest customers of Symantec products and services, and so it was important for us to feel that we had a voice in the product team, much the same as our customers do but slightly different in that we're part of the Symantec family. Perhaps I felt like we could be a little bit more unfiltered with our feedback.
As we looked at growing the organization and developing the team, it was really stretching what they have thought of before as being the traditional IT security organization where governance, risk and compliance is so much broader than just how we're protecting the internal data for the company. But it was broader in that we were able to expand into our products side as well as the data protection for our customers and our consumers. It's an opportunity really to develop the information security team to think broader than just a typical security office where you're so focused internally versus the external part. That has been a bit of a challenge in getting traditional security professionals to think much broader, but it seems to be working fairly well for us. We've had great interactions with the product team on the positives as well as the negatives of where we see innovation and technology going for ourselves as a company.
FIELD: Just a couple quick follow-up questions. What's the size of your information security team?
TITUS: Right now we're at about 35 people, but honestly I like to think that everyone in Symantec is really part of our security team. They're on the front line of defense, and as you know when it comes to phishing, social engineering and some of the tactics that are being used today by attackers and hackers, if you don't view all of your employees as part of that front line and extension of your office you've got a huge challenge to overcome. But as far as the actual numbers, there are about 35 of us.
FIELD: What are the different types of skills that you need from this team now that you're trying to make them a little closer to the customers and products?
TITUS: The really important part was the type of leadership skills that we had within the organization. We had a couple of areas where we needed to fill some positions. We needed a different type of individual running our governance, risk and compliance. We have a great team in our risk management team and they do really great, but I felt like we needed a different level of qualification to head up that whole GRC organization. Our threat response team, you need the qualified people that have the forensics and investigation component. So we looked within the company actually and within our own team and we actually promoted from within to fill the leadership role for that.
Then I think the other part of the company where we really felt that we had a bit of a void, funny as it seems, was our security engineering team. We have a lot of security engineers within Symantec, but [we were] actually looking at a group that was focused on the engineering needs for inside the company for our infrastructure, a little bit different than what has traditionally happened in the organization previously.
Really having the qualified set within all the security disciplines has been critical to the success of the team up to this point, and I think going forward is even going to become more critical. The other piece of that is making sure that they get a full breadth of exposure of our products and services that we offer as well as how we ingest those in the company. Having them train on the products has been really important for us in growing their understanding of the depth of the products and how we use them today in our environment.
FIELD: You've been in the public and private sectors. What would you say works and doesn't work when you're trying to grow a team as you are now?
TITUS: The most important part is that you're looking at what your business or your mission needs and determining where you're prioritizing your critical resources and the limited number of funding that you might have. The unfortunate part is we don't have an open checkbook and we don't have the ability to just go hire at will, and we have to ask our people to do more with less. And prioritizing what's important for your mission, what's important for your corporation is critical to your success and to the growth and protection of the data. I think what people often get hung up on is they look at the entire infrastructure or the entire enterprise and it looks exceedingly overwhelming and they say, "Wow, I'm not sure where to even start." I call that the "boil the ocean" and if you try to boil the ocean you might do a lot of things kind of well, but you're going to miss what you can do really well and that's determining what your critical data is, applying the right security controls to that data and then that's where you focus your critical resources and assets.
We have a tendency as security professionals to want to solve all of the security problems when in fact what we've been doing previously hasn't been working. We've done a very poor job of implementing basic technology or basic cybersecurity hygiene and I think in some instances you have to go back to the basics. Look at how you're doing patch management, how you're applying antivirus and how you're doing your basic protections for an endpoint. Once you do that in an organization and figure out what your assets are that you need to protect, then you can start to look at adding on to the deeper technologies to give you different levels of intelligence and insight, but I think as organizations in security we have a tendency to push the patch management off for someone else to do and we don't pay attention to those basics, when in fact 80 percent of the attacks are exploiting simple known vulnerabilities that we're not patching for. If we can take care of that 80 percent, then we can focus on the 20 percent that really is the areas where you need to focus your attention and your monitoring and your advanced technologies.
FIELD: How would you say your team is different now than when you took over, and where would you still like it to go going forward?
TITUS: The team was focused very much on reactive. What we've gotten to just in the short nine months that I've been there is to a more predictive state, and the objective is you're never going to be able to completely eradicate attacks, hackers, the well-intended insider. But what you can do is you become more predictive in looking at where and at what times you're at the most or heightened risk. We believe that during acquisitions we're at a more heightened risk, and that's a point in time where we need to apply a different level of security monitoring.
Where I would like to take us even further in the near future is to get us even to a more heightened predictive analysis capability where we're really pulling in intelligence feeds and looking at a corrective action that we can do on that 20 percent. What we want to do, as most organizations, is we even want to get more in-depth in our basic security hygiene and ensure that we're covering the areas where we may not have as much visibility as we would like to have. That's actually expanding the infrastructure into areas where we may not have had as much visibility as necessary in order to gain more intelligence information about what's happening within the infrastructure.
FIELD: You've been there just nine months, but it has been a busy nine months and there have been challenges to Symantec that no doubt have impacted you and your team. I want to ask you about a couple of those. And the first would be the pcAnywhere data breach. How did that impact you and your team?
TITUS: There are always investigations that have to happen, so that was a deep pull on my threat and investigation team, going back and analyzing information, looking at what happened and then ensuring that we've got the right level of feedback into the product teams. The impact that I think a lot of folks would have thought is that the company would have made a knee-jerk decision to throw money at a security problem and rush off to try to fix something, when in fact the company has been doing several things since 2006 to enhance the security posture.
What didn't happen and actually what's not my MO is to have an incident happen and make a knee-jerk reaction. What we did do is analyze the situation and look at areas where we need to go back and make sure that we've plugged that hole. Back in 2006 it was a different time. There were a lot of different things happening in that period and then we made sure over the course of the next six years from that initial database that we've done everything that we could have done to ensure that it doesn't happen again. There are things that have taken place as protective, going back and analyzing our source-code repositories. We've done a lot of audit-type activities to validate that we do in fact have the right level of security controls in place. It was a bit of a pull on my staff, but something we would have done in the future anyway. It just moved it up in the life cycle.
CISO Challenges around Breaches
FIELD: For you as a CISO, is it a different kind of challenge to be talking about a security breach that happens within your own organization?
TITUS: No one wants to have a security breach regardless of if you're in a security company or within a public-sector entity. Breaches do happen, and I also don't want to sound like some of my colleagues who have said, "Well, if a data breach happens, it's going to happen." We're going to do what we can to make sure it doesn't happen again, but I think any organization that has suffered a data breach is always subject to go back and rethink the way they've done things.
And honestly, I think any sort of a data breach gives you a chance to have a look at your processes and where the failures or weaknesses are. Often times, we as security professionals feel that we need more technology. Technology is an important enabler, but when you really start to analyze any sort of a data breach or event that happens in your infrastructure, often times - at least what I have found - it's more people and process than it actually is technology. The technology enables you to see the events sometimes in real-time, or allows you to cap some of the predictive analysis capabilities that you need, but I think the important part is, are you doing enough to educate your people and keeping them aware of the threats and what's coming at the company itself?
Then, are you looking at your processes? It's an old term but it's one that we used a lot in the 90s and that's "business process reengineering." Are you actually reengineering your business processes to meet the changing threats and the actual threat surface, which changes very frequently based on the technologies your employees are using? Consumerization of IT, BYOD, all of that brings a new threat surface that you have to look at and determine how you're protecting it.
To go back to your original question, I don't think anybody wants to have a data breach regardless of if you're in a security company or not. I think there's probably more heightened visibility from protecting our branding that comes when there's a data breach. To our defense, a data breach happened several years ago and we've done an awful lot since then to enhance our security as we will continue to as we move forward.
FIELD: Even more recently - just last week, in fact - you had a change at the top of the organization. How does such a change, a seismic change really, impact you and your security organization?
TITUS: I think the board of directors actually has been on board with my team and the developments that I've been briefing them on. This is certainly a change. It's always a change when you have a change at the top like that, but I don't think it's really changed the course of action too drastically other than there's a renewed focus on the security component for the company and the protection of the brand and reputation. But I think that the leadership, if it was the previous CEO or the current CEO, has always been focused on security first, and security first being in the company and the feedback the IT security organization, my organization, can give directly to the product teams and the product development. So it hasn't been a huge change. There's always a ripple effect and you want to make sure that you're doing all the right things that your new leader is looking for and I think Steve Bennett and I are aligned 100 percent heading in the right direction. He has taken a very deep look at the organization and if we're meeting the needs of the company, and so we have a very strong relationship similar to the relationship that I had with our previous CEO.
Main Challenges Ahead
FIELD: You've got a first anniversary coming up. What do you see as the main challenges for your second year at Symantec?
TITUS: I'm sure there are going to be tons of them, but I would say that one of the biggest impacts right now that we're facing as we move forward is pushing forward rapidly with our BYOD program as well as our movement to the cloud. As a company, we're looking at consolidating our infrastructure and allowing us to focus on critical data protection. I think that's going to be a challenge.
Bringing your own device to work is on the tip of everyone's tongue. We're actually moving forward with pilots already and the same with the cloud. How can we better enable our employees to utilize cloud-based services and gain the efficiencies? If it's Salesforce automation, if it's access to our human resources system, how can we allow people to use mobile technology and access those in a secure fashion? We've paused a bit in the company while our product teams have been innovating, and we're moving very quickly to adopt those technologies in our own environment. But I think the challenges moving forward are going to be, are we giving the right level of access to our employees so that they can be as productive and as effective as possible, yet allow that level of security, visibility and oversight that we need for technologies like data loss prevention and our compliance requirements? All of those challenges are going to continue, but I think BYOD is probably going to be one of those challenges that we have to overcome quickly, as well as the movement to the cloud.
FIELD: You live on the east coast and work on the west coast. How many devices do you use?
TITUS: I actually have a smart phone. I also have a tablet PC and I have a laptop. I do have three and I'll tell you - to be honest with you personally - I'm a digital immigrant. I'm not a digital native, so I integrated into this digital world of mobility. I will say that my children are definitely digital natives. They're more into the "give me a single device." I'm okay with having a couple of different ones. It makes me feel like I'm separating my personas slightly, my personal persona from my business persona, but I can see that the two of them are quickly converging as much as I try to resist. It's coming together regardless.
Advice for Building the Team
FIELD: Based on your experiences so far at Symantec, what advice would you offer to other CISOs regarding stepping into a high-profile role such as yours and building an effective team as you've been striving to do?
TITUS: One of the most important parts that I promised to my team I would do, similar to what our CEO is doing, is I went into listening mode for a few months, where I came into the organization and said, "I need to understand the business, what we've been doing, the capabilities that we have and then where the gaps are."
I came in and I did go into listening and learning mode with the organization, and I think that gave me a couple of opportunities. One, it allowed me to look at what my strategy would be organizationally because I think that's critical. You have to get your organizational structure right. Once you get your organizational structure right and hire good people into those positions, it will start to fall into place as it has been for us. Getting those leadership roles filled with the right level of expertise is important, and often times when you go into a new position as I did at Symantec, it was looking at the right level of expertise and not just reaching back to people I knew in the industry and bringing them along with me, which CISOs have a tendency to do. You get comfortable with a particular type of person and you want to bring them along, when in fact if you look at what you're trying to do that person may not fit the needs of what you have to do. You really have to think at a leadership level of bringing the right level of expertise and it often times is not people that you may have worked with in the past. It often times is looking for a completely different skill set and you have to be able to recognize that and hire the right people to help you achieve success.