PALO ALTO, Calif. — How big is the security threat facing IT? It depends who you ask.
At an event here at the Churchill Club, a panel of security vendors agreed it’s serious, but emphasized different aspects of the challenges ahead.
SonicWall (NASDAQ: SNWL) CEO Matt Medeiros offered a cautionary note, warning that IT security is “not going to get better in 2011 and probably a bit worse. We don’t know when the strike will come, because so much of this is done in stealth.”
But Ken Silva, CTO of VeriSign (NASDAQ: VRSN), was far more explicit.
“Security threats today are less like a disease or a cancer — it’s more like a sniper shooting you in the head as you come out the door,” he said. “Malware is slipping through our most protected systems and we can’t even see the threat coming.”
Overall, the panelists painted a bleak picture of IT security, warning about the increasing number of entry points into corporate networks, and urging businesses to codify policies governing the use of consumer technologies at work.
Dan Glessner, vice president of enterprise marketing at Trend Micro, argued that malware is the biggest security threat facing IT.
“The acceleration of malware is phenomenal. There’s a new threat created every second,” Glessner said. “Even companies with hundreds of people working on security are challenged because these are criminal organizations writing these [malware] programs and they’re good at it.”
Adrian Turner, CEO of Mocana, a company that focuses on “the 20 billion non-PC devices” increasingly being connected to computer networks, said the two biggest security threats are the consumerization of the enterprise and the shift to cloud computing.
From left: Dan Glessner, Trend Micro; Willie Jow, Sybase; Matt Medeiros, SonicWall; Ken Silva, VeriSign; Adrian Turner, Mocana.
Several other panelists also touched on the issue of consumerization, which includes the popularity of consumer devices like the iPhone and social media services like Facebook and Twitter that are finding a home in the enterprise.
“Companies need to get ahead of the curve by setting policies for what devices can be used and how,” Turner said. He also noted that printers are a prime access point for bringing malware into the network. Silva agreed.
“Printers are a highly overlooked threat,” Silva said. “Today’s printers are really computers, and they are one of the top five ways malware is finding its way onto the network.”
But several panelists also emphasized that vendors have to do more to secure their products out of the box, rather than leaving that work to end users.
Time for a security checkup?
Glessner suggested it would be helpful to think of security like one’s personal health.
“Every once in a while you need to do a checkup and an assessment of things. Also, it’s very important to educate employees,” he said. “If security is only viewed as an IT problem it will fail.”
But Medeiros said a majority, perhaps a vast majority, of security threats could be mitigated if IT made sure antivirus software scans everything coming into the network.
“If you’re tagged in Facebook with a .WAV file with a botnet that gets distributed over the network, did the user do anything wrong? We have to do a better job of scanning everything. It can’t be selective,” Medeiros said.
For Silva, scanning “everything” may be a laudable goal but in practice is “too complicated” and unlikely to be implemented by most companies. But he didn’t disagree with Medeiros’ assessment of the kind of threats posed by employees’ use of social networks and other consumer activity on corporate networks.
“The biggest threat is between the keyboard and the back of the chair,” Silva said. “The user gets something bad on their device and they drag it into the network.”
“How about just coming to work to do work,” he added, drawing a few laughs. “You look at the Web logs of what people are doing, it’ll blow your mind.”
Panelists agreed that if companies only had to deal with a set number of business applications, security would be a lot easier, but most conceded that era has come and gone. “I guarantee you if you take access to those personal applications away, productivity will go,” Medeiros said.
Looking ahead, Silva said every device that entertains or communicates will be connected to the Internet, and they all need to be secured now.
Willie Jow, vice president of mobility products at Sybase (NYSE: SY), said trying to anticipate security threats in 2011 is a fool’s errand. “The risk is today, we’re already losing the war,” he said. “If we don’t start preparing now, we’ll be that much farther behind.”
Added Silva, “Any company not preparing for a data breach is making a mistake.”
David Needle is the West Coast bureau chief at InternetNews.com, the news service of Internet.com, the network for technology professionals.