SAN FRANCISCO--Security professionals should spend less time looking for ways to shoot down new ideas within their organizations and look for opportunities to help their businesses stay a step ahead of the competition, Art Coviello said in his opening keynote at the RSA Conference here Tuesday.
Security should be used as a tool, not a roadblock, Coviello said.
Speaking to a standing-room-only crowd, Coviello, president of the RSA division of EMC Corp., said the time is long past for security specialists to start acting as enablers rather than hindrances to innovation and creativity within their companies.
"The next time a new idea comes up, don't start by saying that it isn't secure. Start by evaluating exposures, the probability of the exposures being exploited and the materiality of the consequences. Then put forth a plan to reduce risk in all three areas. Nothing should be done unless it is in the context of risk," Coviello said. "Your ability to be effective here will be based on your knowledge of the business, the relationships you have developed within and outside the IT organization and how quick you are to recognize and seize opportunities to add value."
The theme of security as an enabler and engine for innovation within organizations has been a favorite one of Coviello's of late, and he stressed to the security practitioners in the audience that thinking of security technologies as a wall around their organizations is a mistake.
"If we are to be enablers and not inhibitors of innovation we must have this ability to conjecture, to conceive things as they might be. To do so we must think differently about security," he said.
Coviello also had plenty of advice for others involved in the security industry, particularly legislators, regulators and vendors. He has long been an advocate for stronger federal legislation on cybercrime and data breaches and he took the opportunity on Tuesday to call on lawmakers in Washington to address the problems of identity theft and data breaches as soon as possible by passing a strong national breach-notification bill. Coviello also cited research RSA had done, speaking to about 1,000 security professionals on a number of topics, and said that these practitioners are tired of seeing projects driven solely by regulatory requirements and not sound business needs.
"So to the regulators, make sure you don't reap the unintended consequence of actually weakening a business by enforcement actions that drive companies to spend unnecessarily on perceived but not genuine security risks, creating make-work projects with little material value," he said. "Policy makers, you can prevent some of these unintended consequences. Instead of passing regulation that creates a climate of 'What's the least I can do to get a check mark?', drive regulation that focuses on outcomes. An example is California Senate Bill 1386, which requires organizations to tell everyone if they lose data. So, focus on the result rather than a prescriptive list of controls."
Coviello will be followed on stage later today by Michael Chertoff, secretary of the Department of Homeland Security, whose speech will be the first talk by a high-level DHS official at the RSA Conference. Coviello lauded Chertoff for showing up at the conference, but also said that the federal government can do much more on the security front, especially in the areas of education and research.
"We need more government investment in education to produce better trained programmers and security professionals, the human resources we are in dire need of," he said. "And if we want to enable innovation with more innovative security we need to spend more on research. When you consider the stakes, cyber-security research should be a high priority."
And, in a reprise of a remark he made in his keynote last year, Coviello said he believes the innovation in the industry must come from IT infrastructure vendors, and that security should be just one element of that larger infrastructure.
"For this very reason I am prepared to double down on the prediction I made last year. There is no need for an independent security industry," he said.