Assess Security and Boost Innovation, Says RSA Exec
By John K. Waters
04/14/08
Art Coviello kicked off RSA Conference 2008, his company's namesake information security conference, yesterday (April 8) in San Francisco with a warning.
"We're in a perfect storm," said Coviello, RSA's president.
He described the elements making up that storm: technical innovations that support increasingly sophisticated attacks, and problems that surface as end users become overwhelmed by security protocols and policies.
"Users of every stripe are confronted every day with cryptic dialog boxes that ask, 'Are you sure?'" he said. "It's the technology equivalent of, 'Do you feel lucky today?' One wrong click can jeopardize livelihoods and identities."
As a result of this convergence, he said, concerns about security are stifling business innovation.
"More than 80 percent of IT, security and business executives surveyed admit that their organizations have shied away from business innovation opportunities because of information security concerns," Coviello told his audience. He pulled those numbers from recent IDG research commissioned by RSA.
We can calm this storm, he said, with a change of mindset, from "no" to "how." Enterprises that view security as a necessary evil -- and that's most of them, Coviello said -- should examine their prejudices and stop viewing security as a business impediment.
"The next time a new idea comes up," he said, "don't start by saying it isn't secure. Start by evaluating exposures, the probability of the exposures being exploited, and the materiality of the consequences. Then put forth a plan to reduce risk in all three areas. Nothing should be done unless it is in the context of risk."
And while you're at it, lose the attitude about your security people. They're not the bad guys, and you need to work with them.
"The recommendations of our research group are clear: Align the [security] practitioner with the business, and align the implementation of security with the risk," he said.
His term for this change of mindset, "thinking security," aims to drive a data-centric approach to security down into the enterprise infrastructure, eliminating the view that IT security is a separate function. It envisions organizations making high-level risk assessments, collecting and analyzing threat data, and easing the burden on the end user to adhere to security policies.
This change of mindset would "catapult" security to "a new plane," Coviello said, "where [security] is widely seen as an accelerator of innovation."
Coviello called on the U.S. Congress to spend more on education to produce better-trained developers and IT workers, and to establish a "breach notification" law that creates a single federal standard, and a national standard, for safeguarding sensitive information. He added his hope that the House of Representatives would pass the cyber-crime bill that was passed by the House in 2007.
"Cyber criminals will continue to take advantage of legal blind spots and weak penalties until countries, especially the United States, update their laws and provide more resources for law enforcement," he said. "Let's punish criminals, not businesses."
Coviello led a lineup of keynote speakers, among them Michael Chertoff, secretary of the Department of Homeland Security (DHS), as well as former Vice President Al Gore, who is scheduled to speak on Friday.
Chertoff, the first DHS official ever to speak at the conference, finished off the morning program on Tuesday. He talked about the potential danger of cyber threats in the modern world, saying that they are now "on a par" with the terrorist attacks of 9/11. A cyber attack could have "cascading effects across the country and the world," he said.
"We take threats to the cyber world as seriously as we take threats to the material world," he said.
To support his assertion, Chertoff cited the cyber attacks on the Baltic nation of Estonia last April. Malicious hackers bombarded Estonia's computer systems after the controversial decision to move the "Bronze Soldier" Soviet-era war memorial. The large and sustained denial-of-service attack that followed targeted government Web sites and public services.
"Imagine, if you will, a sophisticated attack on our financial systems that caused them to be paralyzed," Chertoff told his audience. "It would shake the foundation of trust on which our financial system works."
Chertoff appealed to attendees to pitch in and "send some of your brightest and best to do service in the government." It would be "the best thing you can do for your country."
The annual RSA security conference has grown from a small gathering of security geeks and cryptographers to a sprawling event that fills two wings of San Francisco's Moscone Center. RSA 2008 featured 240 sessions, 500 speakers and more than 350 exhibitors, organizers said.
About the Author
John K. Waters is a freelance journalist and author based in Mountain View, CA.