To Art Coviello, president of EMC's RSA security division, security is inextricably linked to innovation in the business world. Innovation requires understanding risk, and it requires security initiatives that support the business instead of acting as digital stop signs for business initiatives.
Saying all that is the easy part; getting there can be more difficult. A recent report by RSA listed a number of suggestions from security pros, such as becoming a risk-reward expert and focusing on establishing repeatable processes. In a recent discussion, Coviello spoke with eWEEK's Brian Prince about the challenge of making security an enabler of business.
I would like to pick up where you left off at the RSA Conference when you were talking about what role security can play in innovation. How is security key to innovation for businesses?
I think that it's more around whether or not people are willing to take risks. I mentioned in my keynote that in research that we commissioned, IDC came up with the pretty startling factoid that 80 percent of the corporate executives, CIOs [and] CSOs, were reluctant to go out with a business initiative because of security concerns. That's just the wrong message to have.
Another thing is that security is some kind of a tax or impediment to getting things done. I think it's our job (and part of the reason why I think the security industry needs to go away), it's our job as an infrastructure vendor, now I'm talking as EMC, to make security as painless as possible. Painless in terms of how it works; it only gets invoked when an anomaly is detected, otherwise people are allowed to get on with their business. [Security should be] done in a fashion [so] that people have confidence that they can take a risk, and the way to do that is to understand the risk of any initiative ... in the context of what the vulnerability might be [caused] by opening the network or the application of some initiative up to other people who all might otherwise potentially get access.
So it's about understanding the vulnerability up front, but it's also about understanding the probability that that vulnerability will be somehow exploited, and we need to mitigate it and then look at the reality of what the consequence might be. So it's just a different way of thinking about security where you have a problem, you react and you fix it. It just causes a spiraling effect, and you're always attempting to solve yesterday's problem. So if you get ahead of it, you understand the risk up front and you can take that risk with a lot more confidence because you've done things to mitigate it. Then if the infrastructure vendors do their jobs, they're putting security as much into the infrastructure as possible so it's seamless.
You touched on a couple interesting things. In the typical business, are you seeing a disconnect between the security personnel on one hand and the remainder of the business on the other? Is that part of the problem organizations have when they're assessing risk?
Well, it varies from organization to organization, and it varies depending upon the security talent. I think there are a lot of security people who aren't always the most pragmatic people in the world. I mentioned in my [RSA] keynote we went out and talked to a bunch of Global 1000 key security officers about how they can change the stereotype of the security guy as the guy who says no ... [and] essentially what they were saying, because these were forward-looking guys, is that instead of saying no, they should be talking to their business colleagues about how they should get things done. But you can't do that if you're the security guy if you don't have a thorough understanding of the business and if you're not building relationships that enable you to have these conversations in the first place.
So in the more mature-type industries, like financial services, there's very good collaboration; in less mature, more old-line manufacturing firms, or maybe health care, where security budgets or IT infrastructure budgets are tight, it might be a whole different standpoint.
What are the key challenges that enterprises are facing right now when it comes to developing a strategy to deal with risk?
People generally are doing a reasonable job understanding risk, but then it's [a question of] quantifying the probability of the vulnerability being exploited. That's what I get all the time. 'Well, all right, it's all well and good for you to say figure out what your vulnerabilities are and understand the probability of the vulnerability getting exploited.' ... People struggle to do that. It's not a very easy task.
At some point you've got to make some business decisions, and maybe you don't get digital pinpoint accuracy on probability but maybe you can get it to the small probability, medium probability, high probability. I know, myself, I have made some business decisions based on that, and that gets to business judgment, but at least you are doing it in some level of context as opposed to either not looking at this at all or being afraid to go ahead with an initiative because you are just concerned about the inability to define what it is.