RSA President Emphasizes 'Thinking Security" Model
During his keynote speech that launched the RSA Conference 2008, Coviello underscored to hundreds of security professionals that rethinking security means adopting a "thinking security," strategy -- an info-centric model which includes reevaluating and implementing solutions based on risk.
"If we are to be enablers, and not inhibitors of innovation, we must have this ability to conjecture, to conceive things as they might be. To do so we must think differently about security," said Coviello to hundreds of security vendors, regulators, and researchers at San Francisco's Moscone Center on Tuesday. "Today I plan to turn a long standing stereotype of information security on its head and who how information centric security can be an accelerator -- and not an inhibitor -- of business innovation and growth."
Kicking off his speech, Coviello said that more than 80 percent of IT and business executives admitted that their organizations have shied away from technological innovation because of increased security concerns—concerns which include sophisticated attacks and highly organized criminal networks and strict compliance regulations.
"And it's no wonder, "said Coviello. "A perfect storm has developed around you."
Ultimately, Coviello said that businesses will be required to rethink and reprioritize their security strategy to keep up with a constantly changing and permeable security perimeter.
"The static perimeter defenses and the rigid rules of hard-and-fast security policy are crumbling," he said. "Something more organized and intelligent is already taking root in their place. I call this approach "thinking security' and technology path to implementation of information-centric security."
For one, Coviello advised security practitioners to approach security more strategically by assessing their IT environment, evaluating the probability of attack and then implementing a plan to reduce the risk of exploitation.
"As you do this effectively, you can build repeatable processes which will in turn free you up to implement yet another recommendation—making the time to be strategic," said Coviello. "Nothing should be done unless it is in the context of risk," he added.
However, tackling malware and other cyber threats are only part of challenge, Coviello said. Businesses will face increased pressure from auditory and regulatory agencies as compliance regulations become more stringent.
Among other things, Coviello recommended that Congress should pass a breach disclosure law that creates one federal standard for consumer notification when personal or identifying information is exposed or otherwise compromised. He also suggested that government agencies invest further in education to produce highly skilled programmers and security professionals to better respond to incidents when they occur, as well as to spend more on research in order to fully understand the current security threatscape.
"This leadership should be extended internationally because the problems we face are global and the threat is to innovation and the global economy," said Coviello. "Understanding the challenges of regulation and the need for strong leadership, we can turn to the technology itself."
Altogether, "thinking security" will require content and behavior-based technologies—adaptable technologies that allow for the inevitable factor of human error, he said. It will also require a comprehensive risk profile, incredible visibility and insight into how the infrastructure and assets are being used. In addition, "thinking security" should ease the burden on the users while being interdependent on and with the IT infrastructure, Coviello said.
"So yes, we can inspire confidence to enable innovation, but it requires a whole new mindset, a new way of thinking about security," he said. "The rise of thinking security will mean that information centric security is a reality that will catapult security to a new plane where it is widely seen as an accelerator of innovation."