To Art Coviello, president of EMC’s RSA security division, security is inextricably linked to innovation in the business world. Innovation requires an understanding of risk, and it requires security initiatives that support the business instead of acting as digital stop signs for business initiatives.
Saying all that is the easy part; getting there can be more difficult. A recent report by RSA listed a number of suggestions from security pros, such as becoming a risk-reward expert and focusing on establishing repeatable processes. In a recent discussion, Coviello spoke with eWEEK’s Brian Prince about the challenge of making security an enabler of business.
I would like to pick up where you left off at the RSA Conference when you were talking about what role security can play in innovation. How is security key to innovation for businesses?
I think that it’s more around whether or not people are willing to take risks. I mentioned in my keynote that in research that we commissioned, IDC came up with the pretty startling factoid that 80 percent of the corporate executives, CIOs [and] CSOs, were reluctant to go out with a business initiative because of security concerns. That’s just the wrong message to have.
Another thing is that security is seen as some kind of a tax or impediment to getting things done. I think it’s our job, and part of the reason why I think the security industry needs to go away, it’s our job as an infrastructure vendor (now I’m talking as EMC) to make security as painless as possible. Painless in terms of how it works; it only gets invoked when an anomaly is detected, otherwise people are allowed to get on with their business. [Security should be] done in a fashion [so] that people have confidence that they can take a risk, and the way to do that is to understand the risk of any initiative … in the context of what the vulnerability might be [caused] by opening the network or the application of some initiative up to other people who else might all potentially get access.
So it’s about understanding the vulnerability up front, but it’s also about understanding the probability that that vulnerability will be somehow exploited, and we need to mitigate it and then look at the reality of what the consequence might be. So it’s just a different way of thinking about security where you have a problem, you react and you fix it. It just causes a spiraling effect, and you’re always attempting to solve yesterday’s problem. So if you get ahead of it, you understand the risk up front and you can take that risk with a lot more confidence because you’ve done things to mitigate it. Then if the infrastructure vendors do their jobs, they’re putting security as much into the infrastructure as possible so it’s seamless.
You touched on a couple interesting things. In the typical business, are you seeing a disconnect between the security personnel on one hand and the remainder of the business on the other? Is that part of the problem organizations have when they’re assessing risk?
Well, it varies from organization to organization, and it varies depending upon the security talent. I think there are a lot of security people who aren’t always the most pragmatic people in the world. I mentioned in my [RSA] keynote we went out and talked to a bunch of Global 1000 key security officers about how they can change the stereotype of the security guy as the guy who says no … [and] essentially what they were saying, because these were forward-looking guys, is that instead of saying no, they should be talking to their business colleagues about how they should get things done. But you can’t do that if you’re the security guy if you don’t have a thorough understanding of the business and if you’re not building relationships that enable you to have these conversations in the first place.
So in the more mature-type industries, like financial services, there’s very good collaboration; in less mature, more old-line manufacturing firms, or maybe health care, where security budgets or IT infrastructure budgets are tight, it might be a whole different standpoint.
What are the key challenges that enterprises are facing right now when it comes to developing a strategy to deal with risk?
People generally are doing a reasonable job understanding risk, but then it’s [a question of] quantifying the probability of the vulnerability being exploited. That’s what I get all the time. ‘Well, all right, it’s all well and good for you to say figure out what your vulnerabilities are and understand the probability of the vulnerability getting exploited.’ … People struggle to do that. It’s not a very easy task.
At some point you’ve got to make some business decisions, and maybe you don’t get digital pinpoint accuracy on probability but maybe you can get it to the small probability, medium probability, high probability. I know, myself, I have made some business decisions based on that, and that gets to business judgment, but at least you are doing it in some level of context as opposed to either not looking at this at all or being afraid to go ahead with an initiative because you are just concerned about the inability to define what it is.
Baking In Security
Do you think that vendors should be doing a better job of baking security into the products as opposed to security being a separate industry?
Take EMC, for example: we are building our encryption technology into our PowerPath storage management software. So it will come with the software. If you want to encrypt your disk and storage arrays you’ll be able to do that. We’re also doing something … for tape, we’ve got partnerships with Cisco [Systems] that we’re developing and with Brocade to do encryption in the SAN [storage area network] switch itself, and things like data loss prevention technology where we have discovery and classification technologies for finding out what your critical and most confidential information is.
Well, that same discovery/classification engine can be used in a content management space for things like legal discovery. So you can repurpose these technologies and have them [be] infrastructure. This isn’t one of those things that it’s going to happen overnight, but over time. Even stand-alone security applications are going to need to get more and more absorbed into the infrastructure.
Some people say the security industry is dead because of that, or that it is going to die. Do you agree with that?
Well, there’ll always be a requirement for security applications, but those applications will get embedded into the infrastructure. So it’s not like security technology is going to go away, or security people are going to go away, but all of this stuff needs to be automated and worked more cost-effectively within the environment itself.
Another thing that I didn’t talk about in the keynote but in other research we have seen is that the percentage of spending on security products and services as a percentage of overall IT spending was 1.5 percent in 2001. By 2006, on a much higher IT spending number, that percentage had grown to 3 percent, and at its current trajectory, that percentage will be 5 percent by the end of next year. And generally, I’ll ask an audience, do you feel safer in 2008 than you did in 2001, and they’ll say no.
So here we are spending more and more as a percentage of our IT spend, and we’re not necessarily feeling any safer. So what’s wrong with this picture? It’s because we keep doing security reactively, we keep trying to bolt on security after the initiative has been started, and as a result, we’re a day late and a dollar short. We’re solving yesterday’s problems and it’s costing more and more to do it.
From RSA/EMC’s perspective, what are some of the ways you guys see this playing out, and how does this affect your road map?
Well, I think for the foreseeable future we’ll still have a lot of stand-alone product, but what you’ll see is our professional services practice getting more and more absorbed into EMC’s business risk practice, which is more broad-based than just security. You’ll see things like discovery classification not only being used in security applications but also being used across the entire enterprise. You’ll see things like virtualization be more and more of a factor in IT infrastructure, and you’ll see things like, and we’re already doing this, SecurID being qualified for virtual desktop applications. So if you want to download a virtual image of your desktop you can authenticate to get that virtual image with SecurID. We have that qualified with VMware software. You see what I mean? I don’t know if you remember that Prego spaghetti commercial about the ingredients: ‘It’s in there’? It will just be there.