RSA Is Not Alone
By Lawrence Walsh | Posted 2008-04-30
The game is no longer about keeping the bad guys out. It is about putting risk in a business context.
And RSA’s not the only vendor thinking this way. Hewlett-Packard, a company known more as a platform player than a security company, is pushing its security alliance, allowing for greater integration of security technologies with its heavy hardware and software applications.
“Instead of being a security player and extracting another buck from the customer, we want to give the enterprise back their management and back-end infrastructure with greater efficiency,” says Chris Whitener, chief strategist for HP’s Secure Advantage program.
Even Microsoft—the company most reviled for the security problems in its products—is probing deeper into the security world with its Forefront line of malware and endpoint defenses that (hold the laughter please) rely on Windows Vista and Windows Server 2008 as a “trusted platform.”
Arguably, these vendors—and the many others mirroring their actions—are looking to achieve roughly the same net result: making security more transparent to the end user and more manageable to the enterprise. But, as Coviello agrees, the problem isn’t just the way technology is deployed and implemented; it’s just as much about how the enterprise views and manages risk.
Security has evolved from the point at which everyone tried to make their enterprises impervious to attack and breaches. Just five years ago, an enterprise would passionately deny suffering even a malware infection on desktops.
Today, there’s open acknowledgement that there’s no such thing as perfect security and that a breach will happen in time. The game is risk mitigation, not risk elimination.
Many security professionals credit regulatory compliance with raising security awareness in the enterprise. But compliance and security are often two different things. The recent security breach at Hannaford supermarkets proved that compliance is no guarantee of breach prevention.
If business is to take advantage of the opportunities created by innovation, the enterprise—not the security or IT vendor—must refocus its security mindset on strategic risk management. That means putting risk into a business context.
Just because you’re at risk doesn’t mean you’ll be breached; just because you’ve been breached doesn’t mean you’ve been compromised; and just because you’ve been compromised doesn’t mean you’ve lost anything of value. Once a value is placed on your enterprise’s data, processes and infrastructure, your security and business executives can make sound decisions on what to protect and what can be sacrificed.
Perhaps then, the 80 percent innovation-avoidance number will start to come down.