The evolving role of the Chief Security Officer
Timothy “Tim” Fitzgerald has been the Chief Security Officer (CSO) of security software company Symantec since 2014. He drives innovation and thought leadership on all of Symantec’s security initiatives, sets the vision and strategy for the Global Security Office, and leads the company’s Security Council, an executive board that reviews and sets policy on security issues. In this exclusive interview, Tim shares his compelling view of industry trends, his perspective on how to best protect, monitor, analyze and respond to security threats and issues, as well as the evolving role of the Chief Security Officer.
Let’s talk a bit about what Symantec has been up to. You guys were early movers in the industry—how has the transition been from that era?
Over the last seven to eight years, the security industry’s gone gangbusters. It's gone from merely working in a data center and putting some antivirus on your device, to a whole suite of solutions that cover every aspect of every potential loss scenario.
Symantec has been incredibly dominant in the antivirus space, from which it derives the vast majority of its revenue. Because of this 800-pound gorilla, Symantec did not focus as much as we should have on our organic growth and innovation. But you started to see that rectified a couple of years ago—we’ve rounded out our portfolio to provide a full suite of security solutions. There was a bit of a blip there—and I'm sure nobody likes me saying that out loud—but the reality is there was.
It also didn’t help that our competitors were very successful at marketing us as a legacy platform—even when that was not necessarily true. So I think you are seeing Symantec in the last little while come out swinging, saying “Hey, not only are we driving real organic innovation and growth but we’re competitive in every space that we play, and all those folks who try to brand us as legacy better watch out.” And rightfully so, because we have some of the absolute best products in the marketplace, and when you think about what Symantec brings to bear, we can go feature for feature against all of these niche players and be as good as or better than all of them.
You have an unusual history in security. You come from KPMG, with more of a market analysis and general business-oriented background. How has this informed your CSO post?
The CSO position has evolved. Five to six years ago, the CSO was typically the smartest technical guy in the room, with the main task of making the security work. But when you look at the skill-set of CSOs today, they’re generally quite diverse—you have to be an excellent business manager, an excellent communicator in terms of how you talk to your board, and you often have to do media interviews and all these other things that do not necessarily go hand-in-hand with technical acumen and technical depth.
The other thing is that security now has to be business aligned—it’s no longer “you're going to do it this way because security says so, business be damned”; it’s now more about what the business is trying to achieve and how I am aligning our capabilities and risk posture with what the business needs. It’s now more a risk management function than a technical function.
When I was at KPMG, I had the opportunity to do a lot of security controls evaluation as part of my job, and in particular around electronic medical record systems, which were a really emerging technology at that time. There weren’t a lot of people who knew that work, and it became sort of a specialty that allowed me to expand my general security skill-set while researching and learning on those systems. When I moved over to Symantec, the opportunity was to come in and take a role, relatively low on the totem pole actually, in terms of managing the security department and the risk and governance function. Looking back, it was a terrific decision because I didn’t know at that point that security was going to be the field that it is today.
Over the next four years, Symantec had a bit of a rotating suite of security executives and with each of those executives’ departures, I got an opportunity to take on a bigger and bigger role and I took that as an opportunity to really move around every functional area of the security organization. By the time we had the fourth security executive departure, Symantec was looking at who might be next, and I put my hand up and said “Look, nobody knows this better than I do. You should take a shot on me as an individual and give me a chance to run this.”
Speaking of the revolving door of executives five to eight years ago, was that part of the transition phase of Symantec going from the traditional antivirus company to the modern security company?
I was specifically referencing the CSO position. We did have some executive turnover then, and there was a point where we changed direction a couple of times during the transition era, but the turnover in the CSO position was for a variety of reasons. In some cases, it wasn't the right person doing the job; in another, it was that the person didn't want to do the job. The other thing is, it's a hard job—you saw during that period, 2010 to 2014 or so, that a pretty normal CSO lifespan at the company was around 18 months on average. People were flaming out, and they were often the guys who came up from the technical track and couldn't communicate properly and ended up going bust. The job has changed a lot in the last five years.
Could you tell us about how the innovation strategies of Symantec have evolved? What is the exact change in Symantec’s innovation strategy to deal with this security landscape that’s emerging?
There’s a couple of things. Firstly, we have and will continue to pursue an acquisition strategy in terms of gaining innovation.
The other thing is, innovation isn’t just about a smart guy being creative in a room. It’s a discipline, and you have to invest in it, foster it, and grow that culture. From a top-down perspective, our executives looked at some of those folks in the industry who were quite good at it, and they started creating within each business unit some incubator-like functions that allow people to try and work on something that does not necessarily have an immediate commercial benefit or meet our revenue criteria within a set period of time.
Our previous CEO Mike Brown put a lot into that, and our new CEO Greg Clark is a very impressive guy all around. What they've already been able to do in terms of looking for integrated, innovative ways to make our individual solutions better together within a two-month timeframe is extremely impressive. The way that they are pointing is not only highly aligned with where the industry is going, towards cloud and all of these kind of things, but they are thinking about product security in a way that I’ve not heard many people talk about. It’s extremely encouraging to me what's on the horizon for us.