[ISN] Down To Business: It's Past Time To Elevate The Infosec Conversation

From: InfoSec News (alerts@private)
Date: Mon Apr 14 2008 - 00:39:52 PDT


http://www.informationweek.com/news/security/client/showArticle.jhtml?articleID=207100989

By Rob Preston
InformationWeek
April 12, 2008 
(From the April 14, 2008 issue)

The RSA Conference, the annual security fest hosted by EMC (NYSE: EMC) 
unit RSA, is to the information security industry what the New Hampshire 
primary is to the presidential election process: the first major venue 
for the leading players to set the tone and frame the discussion for the 
coming year.

Last year, RSA chief Art Coviello championed industry consolidation, 
arguing that as a handful of major vendors (EMC, Cisco, IBM, Microsoft) 
built security into their infrastructure platforms, standalone security 
challengers would fall by the wayside--all within three years. "If I'm 
proven wrong about the timing," Coviello said last year, "I won't be 
proven wrong in the need for this." The likes of Symantec and McAfee 
begged to differ, and the industry continues to debate the strengths and 
weaknesses of all-in-one security architectures.

RSA, as host vendor, sought to exploit its home turf advantage again 
last week, when Coviello struck a different tone. Instead of focusing on 
industry restructuring and technology architectures, he elevated the 
security discussion to one about helping customers innovate and deliver 
business value.

More than 80% of the IT, security, and business executives RSA recently 
surveyed with IDC "admit that their organizations have shied away from 
business innovation opportunities because of information security 
concerns," Coviello told the RSA audience. The main challenge: Move the 
internal conversation about security away from fear mongering and 
worst-case scenarios toward how security can augment new products and 
services. Or at least don't get in the way. It's tantamount to the 
security pro's Hippocratic oath: First, do no harm.

While RSA offers no elixir for making security a "business enabler," it 
has created a Security for Business Innovation Council to get security 
pros talking about the issue. RSA quotes member David Kent, VP of 
security for biotech company Genzyme: "If you are doing your job, you 
shouldn't even sound like a security person. The business doesn't care 
how many viruses you stopped. ... 'How are you helping me meet my 
business objectives?'"

Likewise, InformationWeek contributor Greg Shipley, CTO of security 
consultancy Neohapsis, urges security pros to integrate risk management 
into all processes. They also need to get better at understanding and 
relating to their internal audiences, assessing which data to assign the 
most protection, and picking their battles and technologies more 
carefully. "For some organizations," Shipley writes, "this will require 
a wholesale transformation."(See Risk Management: Do It Now, Do It 
Right.)

It's still early in this evolution. When asked last year how their 
companies measure the value of their security investments, the 1,100 
U.S. respondents to InformationWeek's Global Information Security Survey 
offered a stew of mostly operational criteria: 43% said they measured 
value in terms of reduced worker hours spent on security; 33% measured 
it in reduced breaches; 33% in reduced network downtime; and 24% in 
reduced incident response times. With the exception of improving 
intellectual property protection (27%) and honing risk management 
strategies (25%), none of the criteria selected relates to business 
value. In fact, 24% of the respondents didn't measure the value of their 
security investments at all.

The sooner security pros can converse in the language of risk mitigation 
and business opportunity, the more they'll be involved in strategic 
planning and the less they'll be considered a cost center.

Compare Coviello's nuanced approach to the classic fire and brimstone of 
Homeland Security Secretary Michael Chertoff, who at RSA last week 
warned that a large-scale cyberattack on the United States could inflict 
damage comparable to the Sept. 11, 2001, terrorist attacks. Chertoff 
likened U.S. government efforts to improve cybersecurity to the 
Manhattan Project, which developed the atomic bomb.

Chertoff has his own unique war to fight; enterprise security pros may 
want to use Manhattan Project metaphors sparingly.

Rob Preston, 
VP and Editor in Chief


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 



This archive was generated by hypermail 2.1.3 : Mon Apr 14 2008 - 00:53:25 PDT