Viewpoint: Symantec's David Thompson on the Brave New World of Web 2.0

By Debra D'Agostino  |  Posted 09-11-2006

As CIO of Symantec Corp., one of the world's leading IT security vendors, David Thompson has a lot to live up to. He's in charge of the Cupertino, Calif.-based firm's enterprise architecture, internal business systems and, of course, security. Senior Reporter Debra D'Agostino spoke with Thompson about the new threats Web 2.0 creates for the enterprise—and how they can be mitigated. What follows is an edited transcript of his remarks.

CIO Insight: How do Web 2.0 technologies affect the way companies address security?

Thompson: As companies adopt more consumer-oriented technologies, such as wikis and blogs, they have to remember that these technologies are fairly new, and there is no shortage of people out there who want to hack into these new programs and find vulnerabilities. As a CIO, I obviously want to stay ahead of these threats. That's what keeps me awake at night. I want to deliver an end-to-end security system that links up with the Web 2.0 world. That's the idea of what we call Security 2.0.

What's different about Security 2.0?

It all boils down to building trust online. You want to provide an environment where the end user feels confident about their security and privacy. For example, authenticating certain sites so you know who you are transacting with, blocking known phishing sites, and protecting users against crimeware, things like key loggers and spyware. You need end-to-end security that's automatic, baked right in. People don't want to operate in an online world they can't trust.

What does that mean for the enterprise?

First of all, you want to make sure there's good authorization around your data. Make sure your people understand they are custodians of your company's proprietary information. As such, it might not be appropriate to have access to sites like blogs and MySpace in their day-to-day operations. Some firms block those sites because it's not a business function.

Isn't that a bit extreme?

Not really. Let's say you're a financial firm, and your analysts are working with confidential information. But then they go on their lunch break and they're writing on their blogs, or looking at MySpace. There is a risk of data being exposed. There could be a phishing attack, for example, which could open a door to the financial files the analysts are working on. Some social-networking firms provide mobile access for their users, and that creates an unknown vulnerability in the enterprise. If people are using mobile devices, like Treos, that have Web access, they could potentially expose confidential data. Sometimes CIOs have to make unpopular policies that will protect us from legal risk and damage to our company's reputation.

Also, CIOs have to remember that employees are also consumers. It's unlikely that, as consumers, they won't do some kind of commerce or Web surfing while on the job. So protection is important, and you can't put your head in the sand.