The failure of many organizations to include security professionals in major business discussions is not only hampering innovation but also contributing to a fundamental lack of understanding of the value of security and risk assessment inside these companies, according to a new report.
"Too often, people have shied away [from a new project] because they're afraid of the security consequences."
Art Coviello, President RSA
The study, done by research firm IDC on behalf of RSA, the Security Division of EMC, shows that the majority of senior managers believe IT security risk is the largest single obstacle to innovation in their businesses right now. Much of this stems from the belief that security personnel are inclined to simply say no to whatever request they receive from a line of business executive and that even if they do agree to help with a given initiative, the turnaround time will be too long to be of any use, the research shows.
Art Coviello, president of RSA, said in an interview that these problems, while difficult and complex, are ultimately solvable and must be fixed soon in order to spur a new wave of business innovation. Also, bringing the security organization into the discussion early on in the planning stages of a new project should be the rule, rather than the exception, he said.
"Any innovation you do needs to be done n the context of risk, and that's what we're saying here. Too often, people have shied away [from a new project] because they're afraid of the security consequences," Coviello said. "Both sides need to take a more active role. It needs to be more of a board-level discussion. The highest levels are cognizant of the fact that they need initiatives to be secure, but I'm not sure it always translates well down into the organization. The C-level has to do a better job insisting on it. You have to have right mindset in the beginning. Too often the security guys are viewed as 'Dr. Nos.' The stereotype is that they're the guys who say no and not 'Here's how.' They need to know the business and partner with the business people and not sit off in isolation and wait for them to come to them."
Adding to the problem right now, Coviello said, is the terrific speed at which the business world is moving and changing these days. He pointed to the current chaos in the financial industry as an example of the problem: How are security and risk-management personnel supposed to assess the risks of moves such as large acquisitions or the decision to buy up huge pools of mortgages when they haven't been part of the conversations from the beginning?
"A big part of the reason for these problems is the dynamic nature and speed with which business happens these days. The trading of derivatives is one example. You have very complex financial instruments that to me you need a PhD in applied mathematics to understand, and you have 25 and 30-year-old guys trading them in real time. That's never happened before," Coviello said. "You don't have time to pause and deliberate. There's no current organizational model that I know of that reflects the significant change in the nature of business in last 20 years. It's part and parcel of the speed of business today and the sheer overload of information. We're wringing more and more productivity out of everything we do. You have to have the ability on a real-time basis to assess that risk."
The IDC survey found that while some companies still are taking on significant risks, many have backed away from potential risks because of security concerns. More than 80% of the senior managers that IDC surveyed said their companies had passed on some innovative business idea because of security worries. To help counteract this trend, a council of CISOs that RSA convened to discuss and analyze the issues recommended that companies not only bring security into major business discussions from the beginning, but also that companies develop a formal process for assessing risk in various contexts.
RSA is releasing the IDC white paper and the report from the CISO council on security and innovation today.
Some large organizations, particularly in the financial services and insurance industries, already have formal risk-management committees or chief risk officers, but these functions are less common in smaller companies. However it's structured, Coviello said, risk assessment must be a part of major business decisions.
"Increasingly, whole area of risk needs to be a boardroom issue. It's an acknowledgement that business has changed radically in the last 20 to 30 years and it moves too fast," he said. "Innovation can't be implemented out of context of risk or we'll suffer the consequences that we have in the last 12 months. If you have chief risk officer, it makes it a lot easier. The CISO is a good function, but not broad enough to address all the issues of risk. A stellar example is what we've just seen in the meltdown of financial markets. That's a colossal failure to do risk analysis. The structure depends on the CEO. I'd have a chief risk officer report to me potentially. In any organizational structure, reporting relationships have to be based on who's going to provide the most value rather than having it up in the organization so it's perceived to be important."