Q You describe the recent high-profile cyber attack on Google as a “watershed”, why is this so different?
A It’s a watershed less for the malware itself and more because it’s a targeted attack on 20 companies – and it will end up being more than that – and the fact it’s coordinated. I haven’t seen a company as big as Google openly say they’ve had a security breach like this before.

These threats happen all the time, so that’s not the news part. What we want to call attention to is the fact that it’s moved from targetting the government to the commercial world – and that’s bad news.  

It’s also taken it to the executive level. Typically, some folks just think this won’t happen to them, but now customers are ringing us at weekends for advice, concerned about the issue. A lot of company executives are asking three questions: did we have a breach, was any data stolen and if so what was it and where did it go? But if there’s no body, people believe there isn’t a crime and with data loss there is no body.

Malware creators are not only using sophisticated tools, but targeting them for each company. With this targeted approach there’s a lot of upfront work needed to understand and map out an organisation. A few years ago it we saw mass random attacks, now there’s much more upfront work in ‘social footprinting” to social engineer the attack.

Q So what can CIOs do to protect themselves?
A They need multiple layers of defence to both prevent and detect attacks. One area where we’re seeing a shift is in preventing zero day attack exposure through whitelisting. The anti-virus industry is all about blacklisting, but when you go through airport security they have to look for the bad guy through a sea of good guys. But with whitelisting you only get through if you’re on the list.

Q Is social networking a new area of vulnerability for companies then?
A Interactions on Facebook, LinkedIn and other sites are all increasingly being used to gain access. Information that people make freely available can be used against them to get into the company. I don’t think this has really hit the public conscious yet, but if you can get to one person, everything else falls.

A McAfee started in anti-virus, now you cover the whole security stack from end-point to network security. Where next?
A We started in anti-virus but now we’re focused on connecting into the cloud. We’ve got different technologies but our strength is their interconnectedness. So if you see a threat on an email gateway, then you can get a check with the cloud and see if it’s been seen anywhere else in milliseconds. This ability to share security insights through McAfee Global Threat Intelligence is a big differentiator. If you think about viruses, the majority have gone from the floppy into the cloud. That’s where threats are propagating and we need to learn about them as quickly as possible.

We spend a tremendous amount of time developing technology to secure the virtual environment and we will be front and centre of taking advantage of VDI [virtual desktop infrastructure] and we’ll put in the R&D effort into security services and desktop VDIs.

Q What about outsourcing of security, is that growing in popularity?
A  In October, we acquired MX Logic which is a cloud provider in email and web filtering. We think certain services lend themselves to be outsourced and email is a great one for reducing complexity and cost for organisations. Security is going to be on-demand and over the next three or four years we will see more and more on-demand security.

Q Should government become more involved in security issues?
A Government can play a role in critical infrastructure security. If you look at critical infrastructure in the US, 80-90% is privately owned. So government needs to understand what’s being done to hold people accountable – that’s the biggest role they can play. Secondly, crime on the Internet is a costing a staggering amount of money and the risk of getting caught is infinitesimally small, so governments need to work together to make a crime more expensive. Other than that, they should stay out of it.