'We just call it security': Symantec's global CSO on merging cyber, physical and employee security
- 29 August, 2016 15:59
When terrorists attacked central Paris in November last year, the city was plunged into a state of panic and confusion.
Symantec, which has an office in Avenue de l'Arche just 12 kilometres from the Bataclan concert hall where the most deadly of the attacks took place, immediately feared for the safety of its employees.
Thanks to a global security policy, headed by CSO Tim Fitzgerald, the firm was able to account for every worker within three hours of the attacks. For those that needed it, transport was arranged to take employees and their families away from the affected areas. In the days following, communication was maintained and counselling provided if needed.
It’s a security policy that has provided evacuation plans and emergency lodging to Symantec employees following the mass shooting in San Bernardino, California, the major fires in Dubai, and terror threats at Munich train stations.
Cyber security, physical security and employee safety are as one for Symantec. As Fitzgerald puts it: “We just call it security”.
The result is hugely beneficial for employees in times of need. But it’s proved a win for Fitzgerald and his team too.
Whether it’s being fooled by phishing emails, being sucked in by scams or not changing passwords, employees are often seen as the weakest link in any company’s cyber security defenses. Telstra’s CISO Mike Burgess and ANZ bank's global head of information security Steve Glynn call workers the “human firewall”.
“When we talk about the human element in security,” explains Fitzgerald, who has been, in his words, ‘defending the defender’ since 2014, “I think we still talk about humans at the control point as opposed to the human experience. We’re trying to take this a step further and make this about a relationship that we have.
“My job is primarily cyber but it’s a space where CSOs and CISOs often overlook the human element. We over rotate on the technical part of the job, we forget ultimately it’s people and their ideas that we’re protecting. The one human error is generally more damaging to us than systemic failure and control.”
Although part of the reason Fitzgerald has taken on physical security and employee safety is because it ‘landed on his desk’, he nevertheless saw the 'opportunity and potential'.
“Security can be viewed, to its detriment, as people who set rules, things to be avoided and not followed. We tried very hard culturally to make sure we are not viewed that way. Part of the way we do that is by trying to interact with people on a personal basis. The physical security space gives us an opportunity to do that in a way that cyber doesn’t always.”
Let’s get physical
Symantec has turned facilities managers, security guards and receptionists into bona fide members of its security team. Their physical presence means cyber security messages can be better communicated.
“I have physical security people all over the world in every facility that we do business and they have the opportunity to have this real personal relationship with people that my cyber team, often centrally located, cannot do,” says Fitzgerald.
“We’re asking a set of people who have historically been kind of door-minders – it’s facilities and badges and guards – to play a different role. We’ve asked them to significantly up-level their skills set and knowledge around core fundamentals of cyber security so that they can be on the floor ambassadors for us that walk around on site.”
The result has been a win for Fitzgerald, the workforce and the company at large.
“[We’re] taking folks who are making typically minimum wage, and in a relatively uninteresting job, and giving them opportunity and access to training in ways that we’re now starting to see some of these individuals put their hand up for larger cyber security jobs,” Fitzgerald says. “They’re starting to help us fill the junior pipeline where we currently have pretty significant challenges in hiring the appropriate skillset.”
Champions in the field
Bringing cyber, employee and physical security together is a growing trend in Silicon Valley, Fitzgerald says.
That trend is taking hold in Australia too. Darren Kane, CSO of NBN Co, is responsible for the security of facilities and personnel as well as information systems. Vodafone Australia's recently appointed CSO, Peter Tari, has a remit to secure not just the company’s data but its assets and personnel as well.
Being there to assist employees in need, like in the wake of the Paris attacks, means those employees are more than willing to return the favour when it comes to cyber security matters, says Fitzgerald.
“Better believe that if my teams were to call those individuals [in Paris] again in relation to anything to do with our security programme, or pretty much anything else for that matter, we’ve got real champions now, in the field.
“It’s sort of capitalising perhaps on unfortunate scenarios, but we are providing a real service and benefit to these employees. It allows us to form a personal relationship which also engenders trust and ultimately means that we have advocates for our security.”