With over 25 years' experience in the security business, almost exclusively in Fortune 500 companies, Symantec's chief technology officer Robert Clyde currently serves as treasurer on the executive committee of the IT industry's Information Sharing and Analysis Center (IT-ISAC), of which he is a founding member.
What are going to be the biggest drivers for the security industry in the year ahead?
Virus threats will continue to drive the business of security. Viruses attacked 92 per cent of businesses last year, and the other eight per cent probably were [also hit] and just didn't notice it.
The number of malware attacks has also increased and continues to rise, as do network intrusion attempts. Attacks are becoming more complex, and that's the most troubling aspect.
Are traditional security methods going to help beat the virus threat?
Reactive, signature-based protection is becoming less effective. The time from software patch to exploit is dropping below the time needed for companies to install the patch. Even if you start when the patch is released, most IT departments will take 30 days to test and patch a system, and hackers are faster than that now.
Therefore we need more proactive security. We'll still need signatures, but a new, predictive approach is needed.
What kind of technologies will this proactive approach use?
Behaviour blocking looks promising. This mimics how biology deals with viruses, by identifying anomalies before they get serious. For example, it's very unusual for a normal email message to contain an email program; in fact it's almost 100 per cent viruses that do, so why not quarantine them?
Client compliancy is another. When you connect into the network it can check if your system's hardware and software are properly protected. If they're not, you can block off or limit access. Corporates will get this first, but it will gradually extend to consumers.
Is security best handled at the hardware or software level?
Hardware is not enough. Since the security industry's birth, people have been saying that you should build security into the hardware and solve it once and for all. But that doesn't work; you'll always need to update and that comes from software. Updating hardware is not an option for most end users.
Aren't software companies to blame, then, for writing vulnerable code?
We see 53 vulnerabilities in software products discovered every week; 80 per cent are high severity. This figure of 50 or so a week has hit a steady state and could be an equilibrium point. Personally I think we're at a knee in the vulnerability curve and the numbers will continue to rise as new, more feature-rich operating systems come on the market.
Will initiatives like Microsoft's Trusted Computing help this?
Trusted Computing has had an impact, but the question is if it can reverse the trends. That's not something that's borne out by the numbers. Vulnerability scanners [for checking code security] are useful for writing secure code but there are a lot of false positives as these tools are in their infancy. They still miss a lot [of] the real problems; there are design issues that some scanners can't find. I don't think the vulnerability problem will be solved for the next couple of decades.
So who is better at patching holes: commercial software companies or the open source community?
With open source, if an individual cares about a code flaw they'll fix it fast; if it's an obscure piece of code it could languish for years untouched. Commercial companies will try and fix all problems within a fixed timescale. Most commercial vendors are really behind reporting problems honestly and trying to fix them. I don't know of a single vendor who will sit on a vulnerability - maybe five years ago but not now.
Is outsourcing the best option?
It varies for different industries. Manufacturing loves to outsource, for example. Even industries like the banking sector that you'd think would do security themselves outsource some functions, like monitoring and incident management.
Most experts suggest that you never outsource policy development. It makes a lot of sense for smaller companies to outsource everything, but there's a job of education to be done first. Potentially that's a huge market - any security operation that involves more than one person could be outsourced.
Why do different companies come up with different names for viruses?
We all start to standardise on a name after a few days. If you are trying to respond very quickly to a new virus and at the same time if you're trying to have a naming conference you've got to have priorities, and ours is to stop the threat.
Any advice for IT managers interested in the security business?
If people are looking for a long-term lucrative career, security is where to go. There are very few computer security PhDs coming out these days - 17 in the US last year, for example. We didn't get any of those; most stay in academia.
Part of the problem is that this is a new area. Until recently you couldn't get a degree in computer security.