SAN FRANCISCO -- Symantec Corp. Chairman and CEO John Thompson told a packed house of RSA Conference 2008 attendees Tuesday that they should strive to build security that is information centric, and focus on gaining insight into sensitive data that is produced, where it's stored and how it's used.
"I believe that in five to 10 years we'll get to a system that marries security and information in a more complete and holistic way," Thompson said. "As we enable enterprises to gain knowledge of their content, knowledge of their users and knowledge of all of the devices on their network, we'll see an enterprise rights management system truly emerge."
Thompson stressed that enterprises must work toward greater content awareness, extending that awareness beyond the firewall to mobile devices, and creating policies and implementing technologies that control data and prevent it from being downloaded to memory sticks or emailed to personal email accounts.
"Being content-aware enables you to do more around intelligent archiving, make smarter decisions and control storage costs," he said. "Once you gain that insight, you can set policies to mitigate loss. These policies will guide how organizations use information, where you can set rules for encryption, tiered storage and archiving."
Like his predecessor on the dais this morning, RSA CEO Art Coviello, Thompson called for further alignment of security and business.
"The policy nuances are endless. But what is constant is that these policies must be aligned across the company. Your information security policy needs to be consistent with how you want to run every aspect of your business -- from managing HR records to partner information and customer data," Thompson said. "Business leaders must be more involved in setting these policies; the CFO, COO and everyone else in the executive suite. Executive involvement is critical to fostering a culture of security."
Ultimately, Thompson would like to see a society that understands the value of personal and business data and works together to protect it.
Thompson backed up his points with some numbers culled from the latest Symantec Internet Threat Report, released Tuesday. Most startling was the revelation that 65% of software delivered to users was malicious and going after data either via keyloggers or password-stealing malware.
"We've reached an inflection point," said Steve Trilling, Symantec's VP of security and threat response. "That's worrying."
Trilling said 50 million identities were exposed in the last six months and that nearly 70% of malicious code targeted confidential files or passwords and were sent remotely to an attacker. The black market continues to refine its economy, churning out new processes for handling money transfers or goods bought with stolen accounts. Stolen credit card numbers are sold for as little as 40 cents per number, while a stolen eBay account fetches $8. The online gaming world is not immune, with stolen World of Warcraft accounts worth up to 100 times more than a stolen credit card number.
Thompson called for additional investments in identity management and whitelisting technologies in attempt to better manage user behavior and data. He, like Coviello, called for the development of a national data breach law.
"If ever there was a cry for a change in public policy, that time is now," Thompson said. "What we really need is a federal law that will set very high standards to protect consumers no matter where they live and make business simpler."