Data breaches and Internet of Things risks are among cybersecurity executives’ top concerns
With the annual RSA security conference in San Francisco on the horizon, CEOs and other security executives are thinking about breaches, Internet of Things devices and the need for government support in fighting cybersecurity threats.
This year will be an important year for technology, as Section 215 of the Patriot Act, which covers government surveillance, expires at the end of May. The stakes have also risen from data breaches, which have now become fireable offenses for CEOs.
Big companies like Google Inc., Facebook Inc. and LinkedIn Corp. have all signed a letter asking for Section 215 of the Patriot Act to be reformed, as security is on their minds. Edward Snowden’s revelation two years ago about the National Security Agency’s practices also drew people into the security scene who had no idea the government had a pipe going from your cloud provider to the NSA.
Still, many prominent tech executives chose not to attend President Barack Obama’s cybersecurity summit at Stanford University this year.
Data breaches by attackers have taken the spotlight because of various states’ new data breach notification laws that have come about in the past decade, and companies have needed to start notifying clients when a breach occurs. High-profile breaches like those at Target Corp., Home Depot, Sony Pictures Entertainment Inc. and others have grabbed consumers’ attention.
We sat down with some of the top executives at security companies in the Valley, separately, and compiled their answers into one article. Here are some of their thoughts on top issues in security today:
Who we talked to:
Gary Davis, chief consumer security evangelist at Intel Security Group. Previously known as McAfee Inc., Intel Security is a Santa Clara software security company.
Kevin Haley, director of Symantec Corp. security response. The Mountain View company handles security software and storage.
Pravin Kothari, founder and CEO of San Jose-based CipherCloud, a cloud security company.
Dave DeWalt, CEO of FireEye, a Milpitas startup with a malware protection system. It also does the forensics after breaches happen, including helping Sony Pictures Entertainment after its massive hack last year.
David Goeckeler, senior vice president of Cisco Security Group. He just celebrated his sixth anniversary in this role, but he’s been with Cisco for 15 years.
Top concerns
1. Breaches
Symantec’s Haley said the No. 1 issue in security for businesses is data breaches, how to prevent them and how to handle them when they happen. Most of these breaches are caused by attackers, he said.
“It was an IT (information technology) to CISO (chief information security officer) issue to a board issue,” he said. “Execs are getting fired, brands are being hurt, and revenue is being lost.”
FireEye’s DeWalt notes that this is a community problem.
“The problem isn’t headed in the right direction,” Haley said. “How do we get ahead of this set of problems and what are we going to do about it as a nation? The level of danger has elevated pretty dramatically year over year. What we feared could come true a year ago at RSA has largely come true.”
2. Risks with IoT devices
New Internet of Things devices, like thermostats and wearables, pose new security challenges. A 2014 Hewlett-Packard Company study found the top IoT devices averaged 25 vulnerabilities per product and 75 percent of IoT devices contain vulnerabilities.
“People are not spending time thinking about opening up Pandora’s box of security challenges,” said Intel’s Davis. “The challenge is, you see all of these devices coming online at a rapid clip, without robust security. … Trying to apply a patch to a thermostat in the home is going to be much more challenging.”
New research from the market research firm Park Associates shows 47 percent of households have privacy or security concerns about smart-home devices.
Devices often are made without consideration of security and should have security built into them, he said. Not requiring a complex password or not requiring changing a password are dangerous things.
3. Changing business models
A shift to the cloud and digitization in enterprise can increase risk for companies, said Cisco’s Goeckeler.
“As business models change, it makes the security job a lot more difficult,” he said.
4. Need for government support
DeWalt says companies need more support from the government when it comes to Internet safety.
“In many cases the government is the problem, too,” he said. “For example, Russia’s offensive activities in cyberspace. They (various governments) could also be a big part of the solutions.”
Hacktivism, cybercrime, espionage, cyberterrorism and cybersabotage have all grown over the past decade, DeWalt said.
5. Thoughts on Patriot Act
The Patriot Act is not working well for international customers, said CipherCloud’s Kothari.
“We are always in favor of data privacy and consumer rights,” he said. “Right now, the Patriot law is too deep into security. It’s the typical security-versus-privacy debate that started after 9/11 — and in the process, privacy has taken the backseat.”