Government agencies and private companies need to move their focus away from single-point security solutions to more holistic, information-based security, Symantec officials advised.
"Clearly we've moved to a point in time where our customers have to be much more focused on protecting the information itself, as opposed to protecting the PC or protecting the network," John Thompson, Symantec's chairman and CEO, said Thursday at the company's government symposium in Washington, D.C. "While those are necessary components of a protection strategy, they're not the end all. More has to be done."
In recent years, U.S. lawmakers have focused their attention on data breaches and lost laptops, and federal agencies have scrambled to meet requirements for encrypting information on laptops and other mobile devices. On Monday, the U.S. Government Accountability Office released a report saying that only 30 percent of sensitive data on mobile devices at 24 major agencies had been encrypted as of last September.
Encryption can be an important piece of a cybersecurity strategy, but it's just one piece, Thompson and John McCumber, Symantec's strategic programs manager for the federal public sector, said in interviews Thursday.
Encryption isn't "the solution" to data-loss prevention, Thompson said. "Good data-loss policies start with the understanding of, what is the critical data that I have and where is it?" he said. "In many instances, there is some critical and sensitive information on every laptop. But not all information that's on that laptop is critical and sensitive."
McCumber recently had lunch with a member of the U.S. Congress who suggested that better encryption technology would solve the government's data-loss problems. But McCumber told the lawmaker that encryption can't protect data that's being processed.
"If you think cryptography is the solution to this problem, you don't understand the problem and you don't understand cryptography," said McCumber, a former encryption expert at the U.S. National Security Agency.
Instead of focusing on single-point security solutions, Symantec has been encouraging U.S. agencies to look at the information they hold. The security vendor recommends agencies create "thoughtful" data classification and retention policies, Thompson said. Such policies will make it easier to manage and find data in the long term, he said.
"You've got to look at what value you place on the information," added McCumber. "Nobody wants to pay [US]$500 to protect a $50 asset."
Agencies looking at cybersecurity from that information-centric perspective may find that adopting industry best practices -- what other agencies or private companies are doing -- may not work for them, McCumber said. Each organization needs to look at its own security challenges and risk, and work toward a data protection plan that works best for it, he said.
Organizations need tools to understand and manage their risks, McCumber added.
If best practices aren't the answer, that means technology mandates from Congress or regulatory agencies will no longer work, he said. "Technology always changes," McCumber said. "They've had to learn the hard way. You can't solve technology problems with policies, and you can't solve policy problems with technology."