International air traffic control systems correlate information to avoid disaster, but there is no equivalent in the information world, RSA executives told the opening session of the RSA Europe 2010 conference in London.
In a joint keynote, Art Coviello, president of RSA, the security division of EMC, and chief operating officer Tom Heiser outlined RSA's vision and strategy for helping organisations manage security across physical, virtual and cloud infrastructures.
Each year, the jobs of information security professionals get more complicated in the face of increased regulation, and the growing volume and sophistication of threats, said Coviello.
But the Security for Business Innovation Council, run by RSA, has suggested a way forward, he said, referring to a new report.
RSA has a vision of how a better system of information security management can be enabled, where compliance is a by-product of good risk management, he said.
Heiser said RSA believes that just as air traffic control systems manage information from hundreds of sources to avert daily disaster in the skies, the security industry needs an equivalent system to integrate people, process and individual security controls.
These need to be managed with the same kind of correlated, contextual and comprehensive view used by the aviation industry, he said.
"Information security management needs to function as a system capable of effectively and efficiently managing our information infrastructures providing visibility, manageability and control across all three domains - physical, virtual and cloud. We need a system that enables us to close the gaps of protection and apply controls in a more holistic, systemic manner, centralising management not just for some vendor controls, but for all," he said.
Heiser also detailed three layers, working in concert, that are required to achieve the vision of a successful "air traffic control system" for information security.
"In the end, the goal is to simplify management and enhance alignment between the security team responsible for defining security policy and the operations team charged with implementing that policy," he said.
By integrating these technologies, systems and feeds, said Heiser, we enable a holistic approach to risk management and compliance: a single view of the most important security and compliance elements across the entire IT environment.
"In effect, we have built our version of air traffic control for the traditional information infrastructure," he said.