RSA 2007: CA's Swainson probes the mystery of security

John Swainson, president and CEO of CA, started off his RSA 2007 keynote by quoting Gregory Treverton, a senior analyst at the Rand Corporation and former vice chair of the National Intelligence Council, on the difference between mysteries and puzzles. Treverton concluded that the national security challenge of the 21st century, for example, is less about solving puzzles than illuminating the mysteries in front of us.
Written by Dan Farber, Inactive

Swainson extrapolated that computer security has a lot of puzzles to solve and a number of critical mysteries to think about, which he listed as follows:

  • Understanding the potential for even small changes to affect our lives
  • Determining the effects of disruptive technologies
  • Placing a value on IT for enterprises beyond the sum of systems and networks
  • Measuring risk when we can’t know the boundaries of our infrastructures

To puzzles and mysteries, Swainson added a paradox to the mix.

...we have addressed the issue of security as though it were a puzzle with a finite solution. But maybe it’s not a puzzle. Maybe it’s a mystery—with a paradox. Let me start with the paradox. We need to have sufficient security to ensure that only the right people have access to the information to which they are entitled. But we cannot make security procedures so difficult that it will lead to a decline in the use of the system or force people to look for ways to go around the security measures. And that leads to the mystery.

His keynote itself was a big puzzle (you have to hook all the pieces of his talk into a single image to get the point), a mystery (what is his main point?), and a paradox (his intellectually oriented speech about illuminating a "mystery" was itself a mystery).

In trying to probe the mysteries of his speech, here are some quotes, pieces of the puzzle, that might add up to a main point and perhaps illuminate a paradox or even a mystery:

... we have to evolve security services to the point where they are available to every part of the infrastructure, so they become an inherent part of the application. We need to make it impossible for a company to roll out an insecure application. In other words, we need to make security implicit.

We’ve allowed security to become fragmented. And as a result, we are in danger of failing the great test of security. 

The real question is can we bring security to the IT environment and still allow people to access what they need? ....The heart of the problem we face in making IT work for our customers is dealing with the complexity we’ve created.

It’s not about using point technologies; it is about aggregating those technologies to solve real data center problems. It isn’t about crypto key lengths and virus samples; it’s about risk and compliance management and understanding IT’s relationship to business processes.

Here, Swainson finally gets to the main point of his speech:

At CA, we have a particular point of view on addressing the security mystery.  We believe that it is critical for our customers to have an end-to-end view of their ever-more-complex IT systems, applications and security, that will allow them to relate these IT services back to their business priorities. But our greatest challenge comes at the intersection of technology and human psychology—the grand mystery of security: how to make it all work together seamlessly. How to ensure that once the human elements are introduced everything still works as it should.

He goes on to conclude: 

The vendor who comes up with a way to make using IT security intuitive will find the greatest success in the marketplace and by extension the greatest reward for us all—because that vendor will enable Rainn Wilson [Swainson showed some hilarious videos with the actor on the subject of security] to Google at will; access his bank account, shop online and do all the other things he wants—without going crazy.  

The pieces of the puzzle put together suggest that Swainson has created a keynote mystery, avoiding any mention of CA and how it deals with security problems (not puzzles, mysteries or paradoxes) until the end of his speech, and even avoiding making a pitch that CA can provide de-fragmented, implicit, simpler, and eventually intuitive and seamless security, which is the hidden-in-plain-view main point of his talk. You have to give credit for trying not to do an overt company pitch, but sometimes it's better just to get to the point.