Global Security Chiefs Offer Five Recommendations to Overhaul Outdated Information Security Processes

RSA Releases New Report from the Security for Business Innovation Council


  • RSA released a new Security for Business Innovation Council (SBIC) report on transforming outdated security processes to help neutralize cyber risks and threats.
  • The Council’s report reveals how stronger collaboration between business process owners and security teams to identify and evaluate cyber risks can become a new source of competitive advantage.

BEDFORD, MA, DECEMBER 10, 2013 - RSA, The Security Division of EMC (NYSE:EMC), today released the latest Security for Business Innovation Council (SBIC) report, providing guidance for how organizations can enable new competitive advantages in their business by transforming outdated and inflexible processes that govern the use and protection of information assets. The report highlights key challenges, upgraded techniques and actionable recommendations that can be used to plan and build new processes to help organizations gain business advantage and more effectively manage cyber risks.

In this latest report titled Transforming Information Security: Future-Proofing Processes, the Council observes that business groups within organizations are taking greater ownership of information risk management; however, outdated security processes are hindering business innovation and making it difficult to combat new cybersecurity risks. The Council offers guidance calling for information security teams to collaborate more closely with functional business groups to establish new systems and processes to help identify, evaluate, and track cyber risks faster and with greater accuracy.

The new report spotlights areas ripe for security process improvement including risk measurement, business engagement, control assessments, third-party risk assessments, and threat detection. The Council also offers five recommendations for how to move information security programs forward to help business groups exploit risk for competitive advantage:

  • Shift Focus from Technical Assets to Critical Business Processes
    Expand beyond a technical, myopic view of protecting information assets and get a broader picture of how the business uses information by working with business units to document critical business processes.
  • Institute Business Estimates of Cybersecurity Risks
    Describe cybersecurity risks in hard-hitting, quantified business terms and integrate these business impact estimates into the risk-advisory process.
  • Establish Business-centric Risk Assessments
    Adopt automated tools for tracking information risks so business units can take an active hand in identifying danger and mitigating risks and thus assume greater responsibility for security.
  • Set a Course for Evidence-based Controls Assurance
    Develop and document capabilities to amass data that proves the efficacy of controls on a continuous basis.
  • Develop Informed Data Collection Techniques
    Set a course for data architecture that can enhance visibility and enrich analytics. Consider the types of questions data analytics can answer in order to identify relevant sources of data.


Art Coviello, Executive Vice President, EMC, Executive Chairman, RSA, The Security Division of EMC

“For the enterprise to successfully innovate in today’s digital world, security teams must re-evaluate cyber risk management efforts, steering away from reactive, perimeter-based approaches that are inflexible and focus instead on proactive collaboration with the business. Updated processes as described by the Council can help organizations achieve a greater visibility of risk that can be harnessed to benefit the business.”

Dave Martin, Vice President and Chief Information Security Officer, EMC Corporation

“Documenting business processes has to be a collaborative effort, to accurately reflect what the risks are to the system. We’ll never understand the business value of the information to the same degree as the business owner, and they’ll never understand the threats to the same degree as the security team.”


The Security for Business Innovation Council is a group of top security leaders from Global 1000 enterprises committed to advancing information security worldwide by sharing their diverse professional experiences and insights. The Council produces periodic reports exploring information security’s central role in enabling business innovation. This report is the second in a three-part series on building a next-generation information security program. The first report was titled Transforming Information Security: How to Build a State-of-the Art Extended Team.

Contributors to this report include 19 security leaders from some of the largest global enterprises:

  • ABN Amro
  • ADP, Inc.
  • Airtel
  • AstraZeneca
  • Coca-Cola
  • eBay
  • EMC Corp.
  • FedEx Corp.
  • Fidelity Investments
  • HDFC Bank Ltd.
  • HSBC Holdings plc.
  • Intel
  • Johnson & Johnson
  • JPMorgan Chase
  • Nokia
  • SAP AG
  • TELUS
  • T-Mobile USA
  • Walmart



RSA, The Security Division of EMC, is the premier provider of security, risk, and compliance management solutions for business acceleration. RSA helps the world's leading organizations succeed by solving their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments.

Combining business-critical controls in identity assurance, encryption & key management, SIEM, Data Loss Prevention, and Fraud Protection with industry-leading GRC capabilities and robust consulting services, RSA brings visibility and trust to millions of user identities, the transactions that they perform, and the data that is generated. For more information, please visit


EMC Corporation is a global leader in enabling businesses and service providers to transform their operations and deliver IT as a service. Fundamental to this transformation is cloud computing. Through innovative products and services, EMC accelerates the journey to cloud computing, helping IT departments to store, manage, protect and analyze their most valuable asset – information – in a more agile, trusted and cost-efficient way. Additional information about EMC can be found at