Driving the security message home
Written by Admin on Sunday, September 7th, 2008
RSA offers information risk management
Jason Pearce: `Move away from the silo’
“Think security in everything you do,” “take a holistic approach” and “be proactive in building a security programme while understanding what data is important to your business and what the right levels of control are to put in place, while ensuring that you are managing those controls continuously.”
These are some of the key messages that senior executives at RSA, the security division of EMC, are delivering to CIOs and senior management when it comes to managing the many security risks to data within an organisation. Last week, RSA managing director for Southeast Asia Vincent Goh and other senior RSA executives were in Bangkok for a round-table briefing with key customers here. The other part of their message was that businesses are now using security as a business differentiator and as a way to accelerate their business.
Goh said that RSA’s new strategy was how security could be a business accelerator, noting that for security to be more effective, customers needed to align it with their business.
He said the first thing that was needed was a change of mindset. “Once you accept that you have to think security in everything you do, then it becomes a natural thing and you become more familiar with the technology, the market players, the methodology; it gives a comfort zone over time.
“The moment they (customers) start to think of security as a component of every process, it makes it more easy for them. No. 1, they must realise it is pervasive, and accept it. No. 2 is to make sure that they see it as a journey … to continue to revisit it,” he said.
Customers should seek out security vendors who could be strategic partners who could offer solutions that were aligned with their business, he said.
Speaking of security as a business enabler, he cited the example of how a requirement for two-factor authentication for online transactions imposed by Singapore’s monetary authority had increased consumer confidence, leading to a 20 per cent year-on-year growth in online banking.
This, in turn, had saved the banks money because online transactions were much cheaper to manage, Goh noted. This was in contrast to the perception that security was a business inhibitor, rather than a business accelerator.
Speaking in an exclusive group interview, RSA’s regional director for sales engineering Jason Pearce also stressed the need to take a holistic approach across the entire IT department when implementing security.
This would avoid the possibility of the “super-vulnerability”, which was where there were so many different security components in place “that you miss the big picture, and you end up forgetting to secure the most important part of your business, which is your data,” he said.
“The advice is to take a step back, look at what your business is trying to do, pick your top priorities, work out what the business is doing to achieve those technologies and then work out how you are going to secure those parts of the business based on a risk profile you have set,” he suggested.
“Move away from the silo, become more holistic, and make sure that your security counter-measures are centralised, because when they are, everyone is on the same page, making them easier to maintain, and it makes it a lot easier to detect incidents when they occur and to respond to incidents in a way that everyone knows what their roles are,” Pearce added.
RSA calls its strategy “information risk management,” an approach that is information-centric, risk-based and repeatable, revealing where to invest, as well as why and how security investments map to critical business objectives, according to Goh.
There are four elements to this approach: the discovery and classification of sensitive information across the infrastructure; defining policy that describes how sensitive information should be protected; enforcing data controls and access controls, for which RSA has a set of tools; and compliance reporting and auditing.
RSA’s senior manager for solutions marketing Dave Howell explained that for an SME with limited resources, information risk management became even more important, “because it’s all about understanding what data you have, which data is more important to your business than others, and then putting controls that are appropriate based on that data type.
“It’s not about encrypting every bit and byte, it’s figuring out which ones do need to be encrypted and which don’t and then applying security more consistently, based on business priorities,” he said. Organisations should not be too internally focussed, and Howell recommended that IT shops “study external documents such as ISO 27002” because it would “open their eyes to the different types of policies, procedures and technologies that they should at least be thinking about.
“They should be able to walk up to the buffet of security and say ‘I want this, this and this, but I’m making a conscious decision not to take these others’ versus not even knowing that the latter exists in the first place,” he added.
He also urged IT shops to be proactive in building a security programme if they were in an organisation that might be dealing with multiple business drivers, or complying with the cybercrime law or the PCI standard, referring to payment card industry requirements.
Howell said “it’s all about understanding what data is important to you, what are the right levels of control to put in place, and then to ensure that you’re really managing those controls continuously.
“The whole idea is, once you’ve done this, don’t go to the beach on vacation; make sure that you’re continuously working on your environment, improving it, and doing this continuously. That way, you’ll maintain security and compliance and you won’t become one of those companies that is in the news for having a data breach after having been deemed compliant.”
The PCI standard has 12 requirements that include access control, data protection, strong authentication, log management and data leakage protection with penalties starting at $5,000 a month and a deadline in Asia for implementation by December next year.
Already effective in the US, the requirements stipulated by the payment card industry have been a big driver of security, while Thailand’s cybercrime act has also done a lot to raise awareness here, the RSA executives said.
Pearce said that “we must applaud the government for this law” and that Singapore and Australia were now going in the same direction, although he cautioned that the government needed to ensure that the act kept up with new developments and said that it would need revising regularly.