ASPEN, Colo.—For corporations, the cybersecurity landscape has changed. The threats are coming from new places. They’re aiming at different targets. The executives tasked with stopping them? The strategies—internally and externally—are evolving.
At the Fortune Brainstorm Tech conference on Wednesday, executives from Symantec (SYMC), Good Technology, and DARPA—the U.S. Department of Defense’s research arm—explored (in sobering detail) how to identify and defend against today’s threats.
“The landscape has changed,” said Stephen Gillett, Symantec’s chief operating officer. “It used to be we had a perimeter we need to defend against the perimeter. Now the active opponents, as we call them—they’re usually much more organized, much more funded. They’re tiered by incentives.”
There are three types of threats, Gillett said.
“You have the young student—we call them ‘script kiddies.’ They want to hack their alumni website, and they want notoriety,” he said. “Then you have digital arms of organized crime. They have org designs, journeymen charts, pay scales. People make a career out of that. Their incentive is primarily economic: they want money, they want access to cash. Then you have what is ultimately the most dangerous and sophisticated [group], which is not in it for notoriety, not in it for economics, and that’s state-sponsored. It’s very sophisticated. It’s probably the second-most talked about topic in [Washington] D.C. in terms of its threat.”
What’s truly scary is that many employees don’t understand how much they are at risk, said Christy Wyatt, chief executive at Good Technology.
“The question is not who is the enemy, the question is where are the vulnerabilities?” she said. It’s more likely that an employee doesn’t realize the value of the data access they have, even if they’re a low-profile employee. “It’s figuring out the weak links,” she said.
Ditto executives, who underestimate how much their companies are at risk.
“A number of companies that I speak to say, ‘I don’t know that what we have all that much that’s valuable’ or the end users that say, ‘I’m an admin or I’m a controller or I’m in marketing, what do I possibly have? It’s not like I’m filing patents.’ ” Wyatt said. “The path in is probably not as obvious as you’re carrying around top secret information on your device. It’s that’s a stepping stone to the next point where they can kind of get into the network and start to do the really naughty things when they get in.”
And they’ve been doing that at an increasing rate. A number of Fortune 500 companies, such as Target (TGT), have experienced major breaches this year. Others, such as Starbucks (SBUX), discovered vulnerabilities that left personal data at risk.
Senior executives may not be aware of the weakest link in their organization, Gillett said.
“One of the big retailers was compromised through the heating and ventilation contractor,” he said. “So the subcontractor would come in—no matter how much that big retailer had purchased in terms of security, point solutions, network gateways, devices, encryption—the lowest common-denominator was a heating and ventilation cooling technician who had access.”
He added: “That’s where the bad guys are going. They’re not going after the COO or the CEO. In 2013, we saw that they’re going after the PR—the person traveling with [the senior executive]—and the administrative assistant. We’re relatively hardened as executives, but our PR and our assistant are not.”
So how to defend against all this? Dan Kaufman, the director of DARPA’s Information Innovation Office, said that companies need to rethink the way they approach security.
“People are always searching for the silver bullet. I don’t think it exists,” he said. “There’s a speed and a need to adapt that’s often much faster than corporate policy can do.”
Worse, corporations often try to put the burden on the user, requiring multiple pass phrases or elaborate access flows. That’s not sustainable, Kaufman said. “I actually think it falls on us as technologists. I think that has to be invisible to the user. I think we need to build devices in an intelligent manner so that you use them the way you want to use them and we’ll do the protection.”
He added: “Machine learning will play a much, much larger role. The scope of this is so large, the idea of a person at a keyboard defending your network is extremely antiquated.”
It all rolls up to the chief security officer (CSO) or chief information security officer (CISO), who needs to work differently with his peers to counter these threats, the panelists said.
“They’re increasingly having to step up their game and truly be the security thought leader, and the partner for their CEOs and their boards,” Gillett said. “You see chief security officers and chief information security officers moving out of the office of the CIO and reporting to CEOs. But that comes with responsibility.”
Wyatt concurred. “There are so many conflicting voices in the enterprise today: the users want one thing, the CISO wants something else, line of businesses in the middle, board of directors is being held accountable,” she said. “It’s not so much that they don’t know, it’s being able to sort of travel the path to get what they need.”
The days of the CISO telling employees that they can’t use a certain device or have access to certain data are over, she added. Today, employees know how to access the data anyway, or they’ll move it to the cloud. There’s a balance that a security officer must strike, and it needs to align with—not slow—a company’s normal operations, Wyatt said.
“It’s a business requirement that’s going to drive value for the business,” she said. “The CISO has to find some way to get comfortable with the risk that that opens up.”
Correction, July 17, 2014: An earlier version of this article incorrectly stated that Starbucks experienced a “major breach.” The company instead found (and fixed) a vulnerability in its mobile application. “No customer data was stolen whatsoever,” said Linda Mills, a company spokeswoman.