Symantec’s Art Gilliland says the future of cybersecurity will be a balancing act between diversity and zero-trust rules.
Art Gilliland is executive vice-president and general manager of enterprise products at Symantec, overseeing the enterprise security product and engineering teams, the security technology and response (STAR) research team, and the enterprise security customer support organisation.
Gilliland previously served as a senior vice-president and general manager of the infosec group at Symantec, as well as senior vice-president of HP software enterprise security products. In the latter role, he led efforts to maximise opportunities for selling security solutions and services, and helped enterprise customers manage risk and compliance requirements.
He also served as vice-president of products and marketing at IMlogic, which was acquired by Symantec in 2006, and as president and CEO of Skyport Systems, which was acquired by Cisco Systems in 2017.
How does diversity inform product development policy at Symantec and in general across the tech world?
I think you have to bake it into the culture. With security in general, when you bring a bunch of ideas together you get more answers. Sometimes the process is more messy because of it, but I think it is worth it because what you get out of it on the other end is a much broader perspective on how to solve the problems.
I think with security in particular it is critical because different cultures, different races, different genders all think and approach problems differently. Having that kind of diversity and the thinking behind what you are trying to build lets you solve the problems against your adversaries. Our adversaries are coming at us from all different directions and so, if we are going to step up and win, you have to have more than just one way of thinking, otherwise we will lose.
What are your views on the skills shortage in the infosec space, and how do we ensure greater participation by women in this rapidly growing skills area?
Some of the estimates are that by 2022 there will be a shortage of 1.8m security professionals. And so, if you think about trying to solve that from an industry perspective, I think what it tells you is that you have to source the skillsets from a bunch of different places. In tech, women are massively underrepresented and, while there are a lot of projects and programmes that companies like Symantec have put in place, the challenge remains that this space has become much different than it was in the beginning.
If you think back 20 years, it was literally the network admin, the guy that used to do the firewalls, who was the head of security. What we are seeing now is that so much of our lives is digital. Crime has followed our lives digitally. Because of privacy, business leaders are being pulled into the security space. A lot of the people in those senior jobs are not just technologists, they are now business operators who have been asked to take over. If your brand is damaged because of a cyber issue, you could lose your company.
What we are seeing is not just diversity in terms of gender and ethnicity, but also diversity in terms of background being pulled in – but we are going to have to make up that gap.
In terms of the defence posture of the enterprise today, what are your thoughts on how IT leaders can provide HR and workers with cutting-edge tools, but at the same time defend the organisation?
You hit on the core challenge that companies are talking about right now and trying to deal with, and that is the fact that they are actually in transition. The reality is, they are still in transition between having a lot of the infrastructure that they own and manage, but they are also moving massively into distributed mobile services and SaaS, and cloud and the remote workforce. And, because they have both of those environments, they are stretched super-thin.
I’ll give you Symantec’s complete position about what that shift is, but that shift is essentially a move towards zero trust. What that means in basic terms is … whenever there is an interaction between two different parties, you have to treat it like you don’t trust the other person, validate where it is coming from, verify that it is true in some way before you allow it to do something – and what you allow it to do is that one specific thing and nothing beyond what it needs to accomplish.
And that theory of zero trust and privilege is the way companies have to think about their infrastructure as we go into this massively distributed world.
Because if you think of the world we came from … [it was] I own all of the systems from where my services are delivered from and to, but in the future services are going to be delivered from SaaS providers, my own apps are going to be run inside Azure or inside Amazon’s data centre, and my users’ systems may be their own devices. So now, my company is running on infrastructure I don’t own, and by definition don’t trust.
It doesn’t mean those systems aren’t trustworthy, I just can’t trust them. The reality is, I don’t know for sure, and need to validate and ensure that those interactions are allowed and only do what they are allowed to do. And so, the architecture that Symantec is building is to try to help enable that zero-trust world.
Stephen Trilling, senior VP and GM of security analytics and research at Symantec, will be speaking in Dublin next week at Inspirefest 2019. Inspirefest is Silicon Republic’s international event celebrating the point where science, technology and the arts collide. Tickets are available now.