The global CTO speaks to Computerworld Australia about government security trends, off-shoring data and the top three issues facing security professionals in 2012.
I understand that you work particularly in the government sector. What kinds of security trends are you seeing in the government space?
Cloud computing is a ‘no, no’ for government customers. It is pretty funny when they discuss it because the rules and regulations haven’t been made for this — it’s the wild, wild west.
What is interesting in government is that they have said 'don’t bring any private devices'. Consumerisation is happening, even in the government space, and people want to use their preferred mobile phone and they don’t want to be forced into using one device. It isn’t only happening in the private industry but also in the government sector.
Do you think these trends are global or local? What have you noticed particularly about Australia?
Some countries are stricter about interchanging data with other countries but trends are mainly global. Especially with Trend Micro, we work more and more with law enforcement around the globe. They see things that we don’t see and we see things they don’t see, and [we] put this together.
I think we have international cooperation but you have local laws, and they apply to the internet and how we use computers and these override it. I see this in Europe where you have the eurozone and there is always debate, and it’s always decided case by case. You never know how decisions are made and this makes international co-operation very difficult. We are working with Interpol and when you talk with these guys, you realise how difficult it is because cyber crime knows no boundaries.
What do you think will the top three issues be in the security space for 2012?
There is mobile malware and people are ignoring it and denying it...at the moment we see around 700 [pieces of] mobile malware, and next year we calculate that this will rise to 120,000 and next year we’re scaling up our systems to be able to handle that. It is a big increase, and the first mobile malware for Android happened last year — it was within one year that it went from 1 to 700 [pieces] and if it continues, it will hit 120,000 [pieces] next year.
The second issue is virtualization security, and that’s a big thing because technology hasn’t been tuned to work within a virtualized environment, because virus scanning and content security is resource intense. There will be more and more demand for specific solutions.
Botnets and other threats will be more targeted and more local and [cyber criminals] will make more money with it.
Does Cloud computing pose a security threat?
I think it’s a hyped topic and public Clouds have been much hyped. According to Gartner, they have been hyped around their lifecycle and analysts are guilty as well. The term was first used by Eric Schmidt in 2006 I think, and it was used way before but not in the same way we use it now. Everybody was thinking that it was about saving costs, they were testing it and then realised that it wouldn’t be that easy. If you didn’t rewrite your data for an application, you would be doomed. There was the Sony outage in April and so many people’s data was lost. It isn’t that easy.
Working in the government space, what do you think of off-shoring government data?
I don’t know if it could be done but people should look inside, because under the US Patriot Act, certain things are possible which people don’t know about. For example, if you select an ISP in Australia which is owned by a US company or if a US company has a minority share, the Patriot Act [can be] applied.
What’s the vibe around mandatory data breach laws and are we any closer to implementing them?
That’s a difficult question to answer. When you look at the data breaches and so on, there are a number of things that could go wrong. Normally, it’s a network, or a human. When someone clicks on a link that they aren’t meant to, it is very tightly related to social engineering, and it has nothing to do with a specific country except companies believe in what the security industry have told them. I openly say that we are guilty by stating 100 per cent [security success is possible]. We haven’t stated this for the past 10 years, but a lot of other companies still do this. So companies invest in security and think that nothing could go wrong. What I call it is risk management. You reduce the risk but you never guarantee 100 per cent.
Follow Lisa Banks on Twitter: @CapricaStar
Follow Computerworld Australia on Twitter: @ComputerworldAU