RSA's Art Coviello says the days of security as a digital stop sign are past and heralds the impending decline of stand-alone security.
To Art Coviello, president of EMC's RSA
security division, security is inextricably linked to innovation in the
business world. Innovation requires understanding risk, and for security
initiatives to support business instead of acting as digital stop signs for
Saying all that is the easy part; getting
there can be more difficult. A recent report
by RSA listed a number of suggestions from
security pros, such as becoming a risk-reward expert and focusing on
establishing repeatable processes. In a recent discussion, Coviello spoke with
eWEEK's Brian Prince about the challenge of making security an enabler of
I would like to pick up where you
left off at the RSA Conference when you were talking about
what role security can play in innovation. How is security key to innovation
I think that it's more around whether or if people are willing to take
risks. I mentioned in my keynote that in research that we commissioned IDC
came up with the pretty startling factoid that 80 percent of the corporate
executives, CIOs [and] CSOs, were reluctant to go out with a business
initiative because of security concerns. That's just the wrong message to have.
Another thing is that security is some kind of a tax or impediment to
getting things done. I think it's our job-and part of the reason why I think
the security industry needs to go away-it's our job as an infrastructure
vendor, now I'm talking as EMC, to make
security as painless as possible. Painless in terms of how it works; it only
gets invoked when an anomaly is detected, otherwise people are allowed to get
on with their business. [Security should be] done in a fashion [so] that people
have confidence that they can take a risk, and the way to do that is to
understand the risk of any initiative ... in the context of what the
vulnerability might be [caused] by opening the network or the application of
some initiative up to other people who all might else potentially get access.
So it's about understanding the vulnerability up front, but it's also about
understanding the probability that that vulnerability will be somehow
exploited, and we need to mitigate it and then look at the reality of what the
consequence might be. So it's just a different way of thinking about security
where you have a problem, you react and you fix it. It just causes a spiraling
effect, and you're always attempting to solve yesterday's problem. So if you
get ahead of it, you understand the risk up front and you can take that risk
with a lot more confidence because you've done things to mitigate it. Then if
the infrastructure vendors do their jobs, they're putting security as much into
the infrastructure as possible so it's seamless.
You touched on a couple interesting
things. In the typical business, are you seeing a disconnect between the
security personnel on one hand and the remainder of the business on the other?
Is that part of the problem organizations have when they're assessing risk?
Well, it varies from organization to organization, and it varies depending
upon the security talent. I think there are a lot of security people who aren't
always the most pragmatic people in the world. I mentioned in my [RSA]
keynote we went out and talked to a bunch of Global 1000 key security officers
about how they can change the stereotype of the security guy as the guy who
says no ... [and] essentially what they were saying is-because these were
forwarding-looking guys-is that instead of saying no, they should be talking to
their business colleagues about how they should get things done. But you can't
do that if you're the security guy if you don't have a thorough understanding
of the business and if you're not building relationships that enable you to
have these conversations in the first place.
So in the more mature-type industries, like financial services, there's very
good collaboration; in less more mature, more old-line manufacturing firms, or
maybe health care, where security budgets or IT infrastructure budgets are
tight, it might be a whole different standpoint.
What are the key challenges that
enterprises are facing right now when it comes to developing a strategy to deal
People generally are doing a reasonable job understanding risk, but then
it's [a question of] quantifying the probability of the vulnerability being
exploited. That's what I get all the time. 'Well, all right, it's all well and
good for you to say figure out what your vulnerabilities are and understand the
probability of the vulnerability getting exploited.' ... People struggle to do
that. It's not a very easy task.
At some point you've got to make some business
decisions, and maybe you don't get digital pinpoint accuracy on probability but
maybe you can get it to the small probability, medium probability, high
probability. I know, myself, I have made some business decisions based on that,
and that gets to business judgment, but at least you are doing it in some level
of context as opposed to either not looking at this at all or being afraid to
go ahead with an initiative because you are just concerned about the inability
to define what it is.