Assess Security and Boost Innovation, Says RSA Exec
- By John K. Waters
- 04/14/08
Art Coviello kicked off RSA Conference 2008, his company's namesake information security conference, yesterday (April 8) in San Francisco with a warning.
"We're in a perfect storm," said Coviello, RSA's president.
He described the elements making up that storm. We have technical innovations that are supporting increasingly sophisticated attacks, and those problem areas are showing up as end users are becoming overwhelmed by security protocols and policies.
"Users of every stripe are confronted every day with cryptic dialog boxes that ask, 'Are you sure?'" he said. "It's the technology equivalent of, 'Do you feel lucky today?' One wrong click can jeopardize livelihoods and identities."
Concerns about security are stifling business innovation, he said, as a result of this convergence.
"More than 80 percent of IT, security and business executives surveyed admit that their organizations have shied away from business innovation opportunities because of information security concerns," Coviello told his audience. He pulled those numbers from resent IDG research commissioned by RSA.
We can calm this storm, he said, with a change of mindset, from "no" to "how." Enterprises that view security as a necessary evil -- and that's most of them, Coviello said -- should examine their prejudices and stop viewing security as a business impediment.
"The next time a new idea comes up," he said, "don't start by saying it isn't secure. Start by evaluating exposures, the probability of the exposures being exploited, and the materiality of the consequences. Then put forth a plan to reduce risk in all three areas. Nothing should be done unless it is in the context of risk."
And while you're at it, lose the attitude about your security people. They're not the bad guys, and you need to work with them.
"The recommendations of our research group are clear: Align the [security] practitioner with the business, and align the implementation of security with the risk," he said.
His term for this change of mindset, "thinking security," aims to drive a data-centric approach to security down into the enterprise infrastructure, eliminating the view that IT security is a separate function. It envisions organizations making high-level risk assessments, collecting and analyzing threat data and easing the burden on the end user to adhere to security policies.