Security is Everybody's Job

It was blasphemy at the time. At the 2007 RSA Conference in San Francisco, our President, Art Coviello, made the claim that the standalone security market was not long for this world. Some in the audience must have thought he was Looney Tunes, making a claim like that at a longtime venue dedicated to all things security. In my role driving integrated solutions of RSA technology and EMC products, I speak with security, IT, and storage professionals regularly to understand their requirements and preferences for integrating security into information infrastructure products. The single biggest common thread among them is this: security seems to be everybody's job these days. The two ideas are tied together: security baked into the infrastructure, and security as everybody's job.

It may sound Barney-esque. Group hugs aside, the CISOs we've spoken with are shifting their activities from centralized command-and-control to the dissemination of policy and responsibility onto business owners. We recently spoke with the security leaders at a large government agency, who described a slow-growing budget and increasing levels of regulatory and internal policy responsibility. The CISO's response? "'Operationalize' security and make one of our primary responsibilities the education of our multi-thousand-person workforce so they can begin enforcing policies themselves." Gartner explains in its recent note, "Gartner for IT Leaders Overview: The Chief Information Security Officer" (by Tom Scholtz, Sept. 12, 2007), that "...the more basic security functions are now increasingly 'routinized.' This means that line-of-business managers are empowered to make day-to-day security decisions - and the CISO is free to play a more strategic and visible role within the enterprise." While these trends require a shift in attitude and lots of collaboration, I don't think we're quite ready for the security group-business unit bonding ropes course just yet.
Cross-checking with our friends on the storage side of the house, administrators to whom "data protection" meant information availability and disaster recovery until only recently are now finding themselves having to report on things like access violations in their Fibre Channel-connected storage arrays. Huh? "We have things like 'data spills' that we now have to take very seriously," a senior storage manager at one of our large manufacturing customers told us last month (in his world, a "data spill" is the accidental copy or transformation of sensitive data from a location classified to hold it to a less sensitive location). "If we cannot re-classify [the new location accordingly]," he explained, "we have to erase or destroy the disk." That's a pretty expensive proposition, so he and his colleagues are scrambling to understand and implement the proper security controls. A storage architect at another government agency customer echoed the increasing level of security responsibility, but with a different example: "We have to understand cryptography, as we're now starting to encrypt data on disk, not just the tapes we used to send offsite." He is spending more of his time understanding the choices and tradeoffs of encryption in his SAN, and what it all means for storage functionality decisions he used to make with ease: data replication, compression, and search (encrypted blocks do not compress or deduplicate, and cannot be indexed or searched unless that happens where the data is decrypted, so where in the data path the encryption sits now dictates those decisions). Like the CISO's, his job is changing, too. Hand-in-hand with this shift in security responsibility is a "baked-in" security model, supported by findings like TheInfoPro's (www.theinfopro.net) Wave 8 Security Study from early this year: when asked about storage security functionality, around 80% of respondents rated storage access control "extremely" or "very" important, around 70% said the same of storage logging and auditing, and around half of storage disk and tape encryption. This security-as-part-of-the-infrastructure thing has legs, and it is making life crazy for us all.
More to come on what this means to our customers and those who serve them... For now, I'm thinking Art might be right: bigwigs - 1; naysayers - 0.

Comments

One vote for Nay

Actually, the truth is in between. Security should be part of the infrastructure, and finally some of the more commoditized functions are being built in. I'm happy to see EMC improving the security of storage systems by leveraging some of the RSA technology and know-how. Authentication, access control and applied cryptography should be baked into the infrastructure and not added on. What is less likely to happen is for the small companies to go away. Due to a number of factors (rapid changes in the technology environment, adaptable attackers, evolving regulatory drivers, and heightened consumer awareness), the threat environment is going to continue to change and the controls needed to counter those threats will change. Much of the innovation (and risk tolerance) needed to address the new threats will come from venture-funded startup companies. Most of them will fail. They are our industry's farm league. Typical of minor leagues, they will mostly play in smaller venues. Only early-adopter customers will use their wares, but the ones with the best ideas and the best execution will likely be adopted by the majors -- the larger infrastructure community. Three years from now, the RSA conference will have at least as many small-company participants as it did this year, but many of them won't be the same ones. I bet an espresso on it!

It's all in the implementation

Few security managers these days would dispute the fact that everyone is responsible for security. As Kevin Mitnick points out very well, people are usually the weakest link in the security response - why bother attacking systems when you can convince someone to give you the access you require? Similarly, the idea that business managers be responsible for security decisions in their area is obviously the right way to go.

However, getting to the situation where this really works is often a colossal task. This works well where the CISO is able to set up, and maintain, a framework in which the more technical issues are translated into business language and the corporate governance allows for coherent decision making across business lines. However, where I disagree slightly with the above article is that it tends to be the IT department that continues to drive most of the day-to-day security issues, which can often be quite low-level (opening firewall ports, fine-tuning intrusion detection policies, deciding when security patches are to be implemented...), precisely because this kind of decision making can easily be built into the control framework. Business managers should be able to rely on this control framework so that they can concentrate on the more strategic issues of information security, which are more likely to affect long-term business plans.