Security Needs Holistic Approach
IS should become business accelerator
By Margo McCall
A more holistic approach to computer security is needed to spur business innovation, make life easier for end users, and respond to tomorrow's rather than yesterday's threats. "We continue to see a lot of dancing across the entire security industry and we still haven't hit our stride," Arthur Coviello, EMC executive vice president and RSA president, said during this year's RSA Conference. "When it comes to security impact on business performance, it's clear we haven't hit our stride."
Coviello advocated a "thinking security" approach that would help security become a business accelerator rather than an inhibitor. According to recent IDC research, more than 80 percent of technology executives admitted that their organizations have shied away from business opportunities because of security concerns.
A thinking security approach would also address the knowledge gap that plagues users. "Security is viewed at best as a necessary evil," Coviello said. "Security practitioners are viewed as people preventing the business from doing what the business needs to do."
Security officers must learn to manage, instead of eliminate, risk. He recommended adopting a strategy of evaluating exposures, the probability of those exposures being exploited, and the consequences, then coming up with a plan to reduce risk. "That's what the business is looking for so that's what you need to provide them," he said.
Dealing with today's problems
Besides being less costly, that type of approach would also prove more effective. "If you focus on security as an end to itself, or as the threat du jour, costs will skyrocket and you will deal with the problems of yesterday," he warned.
Thinking systems should be autonomous, automated, and able to understand and safeguard data throughout the life cycle. And security professionals should come up with tools that behave as users do rather than forcing people to think the way the tool thinks.
And rather than being conceived by security professionals, they should be developed in collaboration with practitioners and business executives and be either intuitive or seamless and transparent, he said.
Laptops biggest security hole
According to Symantec Chairman and CEO John Thompson, in today's distributed and mobile environment, lost and stolen laptops, BlackBerrys, and thumb drives are responsible for the biggest losses of confidential data. "We need to move quickly to protect information. Too many organizations are leaking information just like a rusty bucket," he said.
And with a US $200 price tag for each compromised record and more than US $6 million for a breach, not plugging those leaks is a costly prospect.
Thompson expects whitelisting to become more important if the growth of malicious software continues to outpace the growth of good software. There's also a need to expand beyond the enterprise to make sure consumers are protected. And he predicted that digital rights management for the enterprise will become "a true reality."
New approach needed
Thompson called for an "information-centric approach to security," which he described as taking a risk-based approach to protecting confidential information.
Information-security processes also need to be consistent across the business, and data should be protected whether it's at rest, in motion, or in use. "We need to be able to protect information wherever it may be," he said.
And controlling the mobile environment is crucial. "Some are still focused on protecting the network to keep a given threat at bay. But they're fighting yesterday's threat," he said.
Craig Mundie, chief research and strategy officer at Microsoft, talked about his company's end-to-end trust proposal. "You can't look at one piece. We really need to stitch these things together in one complete way," he said.
In such an environment, you have to trust not only the operating system, but devices, applications, and people too. Mundie invited security professionals to help develop the strategy. "This end-to-end trust model is the place where we'd like to get people to go to begin the dialogue. We can't do this by ourselves." CW (April 2008)