RSA president Arthur Coviello Jr. says security is hampering innovation and that shouldn't happen. The fix: Security pros need to think differently, and that means cooking up technology that acts as an information security immune system.
Coviello, who delivered his keynote at the RSA conference in San Francisco, said his company's research along with IDC revealed that more than 80 percent of IT, security and business executives said they have shied away from business innovation opportunities because of information security concerns.
That's a telling statistic on many levels, but the big takeaway is that security is a detriment to doing business. Coviello acknowledged that the security industry is facing headwinds from regulation and sophisticated attacks that occur almost daily.
"If we are to be enablers and not inhibitors of innovation, we must have this ability to conjecture, to conceive things as they might be. To do so we must think differently about security," says Coviello. "As practitioners your mission is not to say 'no', but rather 'how'."
The next time a new idea comes up, don't start by saying that it isn't secure. Start by evaluating exposures, the probability of the exposures being exploited and the materiality of the consequences. Then put forth a plan to reduce risk in all three areas. Nothing should be done unless it is in the context of risk.
That's a notable point, but it's not going to happen overnight. It's not like every corporate security wonk will change his name to Mr. Mashup.
For security folks to become more strategic to the business, security has to be baked in from the beginning with "repeatable processes" and then automated. If that happens, security folks can tackle bigger issues and make themselves so-called innovation enablers.
It's all a bit pie in the sky, no? Coviello also saved some ammo for regulators:
One clear challenge is the increasingly complex and cumbersome regulatory environment. Now I am not going to suggest that all regulation is unjustified and that businesses can't profit from the level playing field that regulation can create.
However, any regulation can be interpreted to the extreme, and when it comes to security, materiality and risk are not often given their proper weighting.
To fix this regulation freeze, Coviello urged the following:
- Congress should pass a data breach notification law that establishes national standards so there aren't 40 separate state bills.
- The government should invest to produce better trained programmers and security professionals.
- Spend more on cyber security research.
- Pass the cyber-crime bill that's already in the Senate. "Cyber criminals will continue to take advantage of legal blind spots and weak penalties until countries, especially the U.S., update their laws and provide more resources for law enforcement. Let's punish criminals, not businesses," said Coviello.
In an election year, I seriously doubt Coviello will get anything that he wants. That means the technology fixes need to come first. On that front, Coviello urged more automation.
Recognizing that regulators and practitioners will always develop regulations, policies and security system architectures based on people, process and technology, why can't the vendor community create and help implement "Thinking Security" systems that automate these processes to the extent possible, with capabilities consisting of monitoring, enforcement and compliance?
We must look beyond tools that blindly lock down data toward mechanisms that can understand information and safeguard it intelligently throughout its lifecycle. From targeted advertising, to internet search, to online book recommendations, our daily activities are empowered by a growing computer understanding of human discourse and behavior. Thinking security is about co-opting this intelligence to bring new flexibility and strength to information protection.
Coviello urged trust-based systems that go beyond the password and share information to establish trust. It almost sounds like Coviello is pitching a security immune system.
We believe that a "Thinking Security" system would be based on the dynamic content and behavior based technologies of today. These technologies will evolve quickly, they have to, and need to be linked. All of them share two things in common. One is obvious. One is not. The obvious benefit is that these technologies don't rely on humans to understand the system in advance; they enable far more dynamic methods of control, and they can be adaptable to threats we have not yet conceived of. The not so obvious benefit is that they all provide incredible visibility and insight into how the infrastructure and assets in that infrastructure are being used.
What will it take for such a system? Coviello said that systems need to be autonomous so they can adapt and only ask for human help as a last resort. These newfangled systems also need to act like a Chief Information Security Officer (CISO).
The system will see the infrastructure, when necessary even the data, tell us how it's being used and who's using it, identify risk, and configure itself accordingly. In this future, the infrastructure itself makes recommendations on policy and the appropriate application of policy. This is a future where a file server sees that one of its folders contains highly sensitive PCI data, so it examines usage patterns and recommends a policy, then enforces that policy appropriately, locking down the asset while still enabling the business process the asset is being used for to function.
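The file-server loop Coviello describes, and the exposure / probability / materiality framing from earlier in the keynote, reduced to a small Python sketch. This is an added example, not code from the article or from RSA: the folder contents, user names, access log and ACL are all constructed for the demonstration, and the Luhn-checked 13-19 digit regex stands in for a real data-classification engine. The "policy" is folder-level least privilege: keep only the principals who were actually observed using a folder that holds card data, and flag the rest for revocation.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# --- constructed sample data (hypothetical files, users and audit records) ---
FOLDER = {
    "finance/refunds_q1.csv": "order,card\n1001,4111111111111111\n1002,5555555555554444\n",
    "finance/readme.txt": "Refund batch instructions. Contact finance-ops.",
    "marketing/banner.txt": "Spring sale 20% off, code SPRING20",
}

# (user, path, action) tuples; in a real system these come from the server's audit log.
ACCESS_LOG = [
    ("alice", "finance/refunds_q1.csv", "read"),
    ("alice", "finance/refunds_q1.csv", "write"),
    ("bob", "finance/refunds_q1.csv", "read"),
    ("carol", "marketing/banner.txt", "read"),
    ("dave", "finance/readme.txt", "read"),
]

# Current folder-level ACL, deliberately over-broad (everyone can reach everything).
CURRENT_ACL = {
    "finance": {"alice", "bob", "carol", "dave", "erin"},
    "marketing": {"alice", "bob", "carol", "dave", "erin"},
}

# Candidate primary account numbers: 13-19 digit runs, filtered by Luhn below.
CANDIDATE_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; weeds out most random digit runs that match the regex."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def count_pans(text: str) -> int:
    """Number of Luhn-valid card-number candidates in a piece of text."""
    return sum(1 for m in CANDIDATE_RE.findall(text) if luhn_valid(m))


def classify_folders(files: dict) -> dict:
    """Step 1 ('sees that a folder contains PCI data'): PAN count per top-level folder."""
    counts = defaultdict(int)
    for path, text in files.items():
        counts[path.split("/", 1)[0]] += count_pans(text)
    return dict(counts)


def observed_users(log: list, folder: str) -> set:
    """Step 2 ('examines usage patterns'): principals who touched the folder in the log window."""
    return {user for user, path, _ in log if path.split("/", 1)[0] == folder}


@dataclass
class Recommendation:
    folder: str
    pan_count: int
    keep: set      # granted AND observed using the folder
    revoke: set    # granted but never seen using it

    def risk_summary(self) -> dict:
        """Exposure (excess grants), likelihood proxy (share of grants unused), materiality (records at stake)."""
        granted = len(self.keep) + len(self.revoke)
        unused_share = len(self.revoke) / granted if granted else 0.0
        return {"exposure": len(self.revoke),
                "unused_share": round(unused_share, 2),
                "materiality": self.pan_count}


def recommend_policies(files: dict, log: list, acl: dict) -> dict:
    """Step 3 ('recommends a policy'): least-privilege ACL for every folder holding card data."""
    recs = {}
    for folder, pans in classify_folders(files).items():
        if pans == 0:
            continue                      # nothing sensitive here, leave the folder alone
        needed = observed_users(log, folder)
        granted = acl.get(folder, set())
        recs[folder] = Recommendation(folder, pans, keep=granted & needed, revoke=granted - needed)
    return recs


def enforce(acl: dict, recs: dict) -> dict:
    """Step 4 ('enforces that policy'): returns a new ACL keeping only principals with observed need."""
    new_acl = {f: set(users) for f, users in acl.items()}
    for folder, rec in recs.items():
        new_acl[folder] = set(rec.keep)
    return new_acl


if __name__ == "__main__":
    recs = recommend_policies(FOLDER, ACCESS_LOG, CURRENT_ACL)
    for folder, rec in recs.items():
        print(folder, rec.risk_summary(), "keep", sorted(rec.keep), "revoke", sorted(rec.revoke))
    print(enforce(CURRENT_ACL, recs))
```

Two caveats a practitioner would attach before wiring the last step to anything real. Observation-based least privilege only sees what happened inside the log window, so a principal with a legitimate but infrequent need (quarter-end reporting, say) would be cut off, which is why the quote has the system recommend before it enforces. And the recommendation is only as trustworthy as its inputs: the classifier's regex has false positives, and the audit log it learns from has to be integrity-protected, since a system that reconfigures access based on what it reads there is exactly the kind of autonomous control the author's closing question worries about.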
Sounds interesting, but I have one question: What happens when hackers get control of this autonomous "Thinking Security" system?