RSA Europe: New intelligence-led security model needed

A new model of security makes sense as nation states, criminals and hacktivists continue to take obscene advantage of the way things are, says Art Coviello, executive chairman of RSA

Less rousing than his stirring call to arms to the security industry in San Francisco in February, he reiterated his view that intelligence-led security is the way of the future in opening RSA Conference Europe 2012.

“As Einstein observed, 'insanity is doing the same thing over and over again and expecting a different outcome,' yet that is what many companies are doing in terms of IT defences,” said Coviello.

Research commissioned by RSA shows that many companies are still spending 80% of the IT security budget on prevention, 15% on detection and 5% on response.

“In an age of openness, where breaches are to be expected, the balance must shift,” said Coviello.

In the face of new threats, where sophisticated tools are falling into the hands of a wider group of actors, he said organisations need the ability to detect and the capability to respond fast enough to avoid, or limit, loss and damage.

RSA – the security division of EMC – believes that a new order of threats requires a new approach that makes use of multiple sources of internal and external information.

This information, delivered to analytical engines that enable information sharing, is at the heart of a new model of intelligence-led security that is risk-based, agile and contextual.

While advocating a move from static, perimeter-based defences, Coviello said the new model is not just about technology. “We also need the right skill set to translate intelligence into action,” he said.

After budget constraints, the second obstacle Coviello cited is a serious lack of skills. Analysts estimate that the number of security professionals will need to more than double from 2010 levels by 2015, but it is not clear how that will be achieved.

A third factor holding back the transition to a new model of information security is not understanding the problems and adversaries organisations are facing, said Coviello.

“The media may be sensationalising some aspects of cyber threats, but the issue is not being over-hyped from what we and law enforcement officers are seeing,” he said.

Few people have a proper understanding of the true depth of the problem, said Coviello. They are seeing only the tip of the iceberg because most organisations being hit do not want to tell anyone about it.

There is a serious gap between perception and reality, he said, mainly because there is a lack of effective ways to share information, exacerbated by the fact that privacy laws and regulations restrict the degree to which organisations can monitor what is going on in their networks.

Coviello said there is work to be done by governments, privacy organisations and security suppliers to find ways of safeguarding privacy while enabling effective monitoring capabilities.

There is also work to be done in improving the maturity of information security within organisations, he said, with many still stuck in an elementary approach that focuses on static controls, or a compliance-based approach that is all about ticking boxes rather than protecting data.

“Organisations should be aiming to move to more mature approaches that are based on IT-risk and ultimately on business-risk,” said Coviello.

The most mature approaches to IT security, he said, see an opportunity to change business models based on technologies such as cloud, and move security in tandem with those changes.

Coviello emphasised that organisations that fall into the less mature categories are not just the small and medium-sized enterprises (SMEs).

“From what I am seeing, some are quite large – and even form part of critical infrastructure,” he said.

In summary, Coviello said, in an increasingly interconnected and inter-dependent world, an attack on one is an attack on all because an attack on one company can also be used against its partners.

He praised the UK government for recently issuing guidance on helping all businesses to improve their information security capabilities.

“Everyone who uses information technology needs an appropriate understanding of the threats to work with one another, to create a more trusted online community,” he said.
