Most organizations believe creating an environment ideal for innovation is critical to gain competitive advantage, but a new survey released Tuesday has revealed that IT security concerns are impeding business innovation.
The Innovation and Security: Collaborative or Combative survey, conducted by IDC, showed that 80 percent of some 200 senior business executives and security professionals polled admitted their organizations had backed away from new innovation opportunities due to information security concerns.
Commissioned by security firm RSA, the study also found that while 80 percent of CEOs believe their security teams are accountable for their contributions to business growth and innovation, only 44 percent of security leaders believe they are being measured on their contributions to innovation.
This finding indicated a "surprising" lack of alignment between the expectations of C-level management and the priorities of security professionals, according to RSA, now the security division of EMC.
IDC's vice president, Chris Christiansen, said it is evident that in spite of some progress, the relationship between innovation and security is still strained. "The reality is that innovation and security don't need to be competing priorities; they are in fact complementary," Christiansen said in the media release.
"We believe organizations that demand early IT involvement in business innovation efforts and lay out explicit business innovation metrics for their security teams have a much better chance of advancing their overall organizational goals," he noted.
The survey, conducted online in the second quarter of 2008, polled executives with direct involvement in IT security. Some 73 percent of respondents were vice president-level executives or above. At least 80 percent worked at companies with revenues of at least US$1 billion, while 60 percent came from companies with 5,000 employees or more.
Geographically, 73 percent of respondents were based in North America, 14 percent in the United Kingdom, 2 percent in India, 6 percent in Australia, and 5 percent in other countries.
Narrowing the gap
On Tuesday, RSA also released findings from a separate study aimed at closing the gap between innovation and security through a collection of information risk management best practices recommended by an elite group of security executives.
The report, conducted by the Security for Business Innovation Council, offers a blueprint for making risk-and-reward calculations that help drive business value, and ensure these measures are executed and governed for enterprise success. RSA is a member of the security council, which comprises 10 major players in information security including JP Morgan Chase's risk management managing director Anish Bhimani, Motorola's corporate vice president of information security and protection Bill Boni, and Time Warner's information security and privacy vice president Renee Guttmann.
The blueprint also recommends key shifts in organizational thinking and behavior, including:
- Move the security team's focus from "information security" to "information risk management", to signal that the goal is to achieve an acceptable level of risk;
- Use a cross-organizational approach to understand and formalize the enterprise's risk appetite;
- Build a risk assumption model to delineate where, and with whom, risk decision responsibilities lie; and
- Create a repeatable, step-by-step process for making risk-and-reward calculations for new business initiatives, and ensure it is rolled out across the organization.