Computerworld
Quick Menu
Search



Ads by TechWords

See your link here


Subscribe to our e-mail newsletters
For more info on a specific newsletter, click the title. Details will be displayed in a new window.
Finance
Security
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
More E-Mail Newsletters 

Computerworld 2007Subscribe to Computerworld
40 years of the most authoritative source of news and information for IT leaders.

Regulations not making data safer, says RSA chief

And by the way, security's dying as an independent industry

By Jaikumar Vijayan
Comments
3
Recommended
218

Active Comments

Anonymous says: At least the regulations are forcing companies to focus on security, rather than just business. Recent history shows companies will...
Read the rest | Reply
Marco says: Regulation makes for an even playing ground for all companies, thus disencouraging companies to make shortcuts in security on behalf...
Read the rest | Reply
All Comments (3) | Post New


Zone

Featured Zone
The Security Zone

With the mobility of employees and the ease with which external devices can be brought in and out of a network, continuing to build your security plan for network servers and clients is a must. Fortunately, there is much that organizations can do to protect themselves from attacks - internal and external. Having the right policies, procedures and server configurations is critical...

Learn more in The Security Zone
See All Zones

April 8, 2008 (Computerworld) An increasingly complex and cumbersome regulatory environment may be forcing many companies to focus their information security efforts purely on meeting compliance and audit goals rather than on understanding and addressing business requirements, warned Art Coviello, president of EMC Corp.'s RSA security group.

Delivering the inaugural keynote at the annual RSA Conference in San Francisco this week, Coviello called on regulators and policymakers to create regulations that focus on outcomes, rather than laying out a prescriptive list of controls.

Regulators need to make sure that any regulations they mandate do not end up "actually weakening a business by enforcement actions that drive companies to spend unnecessarily on perceived but not genuine security risks," Coviello said. Such "make-work projects" add little material value to a company's overall security stance. "Instead of passing regulation that creates a climate of 'what's the least I can do to get a check mark,' drive regulation that focuses on outcomes," Coviello said.

An example of a properly functioning regulation is California's SB 1386 bill, which focuses on requiring companies to notify consumers of data breaches involving their private data rather than on telling them how to protect that data, Coviello said.

One step that regulators can take to reduce the current complexity is to create a national baseline standard for protecting sensitive data — passing one federal data breach notification law that preempts the 40 separate state laws with which companies have to currently contend, he said. More effort also needs to be put on punishing cybercriminals, Coviello added, urging Congress to ratify a national cybercrime bill already passed by the U.S. Senate in late 2007.

At the same time, security practitioners themselves need to start thinking more about information-centric security strategies, as opposed to mere information security strategies, he said.

"We must look beyond tools that blindly lock down data [and] toward mechanisms that can understand information and safeguard it intelligently throughout its life cycle," Coviello said.

Instead of implementing products for dealing with specific security threats, the goal really should be on making security an indistinguishable part of the infrastructure, he said, Processes for monitoring and enforcing security need to be automated as far as possible, and companies need to get away from static controls that are focused simply on controlling access to data, he said.

"Many security products force people to think the way the tool wants, resulting in a sea of complex, static and inflexible mechanisms," Coviello said. Effort should instead be directed toward implementing tools that are capable of making dynamic decisions based on an understanding of how the network, users and content normally behave, he said.

The vendors that will enable these sorts of capabilities are not going to be today's vendors of stand-alone security products, Coviello predicted. Rather, the technologies will be developed and integrated by large IT infrastructure vendors. Independent vendors will continue to provide components of this infrastructure, Coviello said, but he predicted that there will eventually be no need for an independent security industry.



Make a Comment Recommend Story Slashdot this Digg this
Print Story Send Feedback Email this Reprints

Related Content

Webcast: Dynamic Data Center and Virtualization Drives Operational Excellence at Emory Healthcare
Whitepaper: Learn How to Think Ahead of Attacks and Protect your Data For the Future

CW Report: An Apple for Your Enterprise?
RSA: Vendors showcase new security tools
Privacy watch: Two passwords double your privacy
EMC officials stress end-to-end security
EMC aims package at business continuity
EMC/Dell partnership to focus on lower costs, disaster recovery

Today's Top Stories

Virtually every Windows PC at risk, says Secunia
Moving to a start-up? Fasten your seatbelt
License server glitch exposes SonicWall users to e-mail security threats
In high-tech schools of the future, Facebook in class is boosted -- not banned
Transmitting data from the middle of nowhere
Clues point to Jan. 13 release of Windows 7 beta

What People Are Saying

See comments | Add new
See comments | Add new

Resource Alerts

to receive Security Resource Alerts

Webcasts

Web Threats Don't Discriminate

The Secure Web Gateway. Mission Critical For Business

Dynamic Data Center and Virtualization Drives Operational Excellence at Emory Healthcare

Whitepapers

Fast and Simple Recovery of Your Critical Microsoft® Applications with Symantec Backup Exec"

Converging System and Data Protection for Complete Disaster Recovery

Learn How to Think Ahead of Attacks and Protect your Data For the Future

Computerworld Reports

Compterworld Technology Briefing: Intelligent Users Use Business Intelligence

Computerworld Report- Large Enterprises Pay More for IPAM

An Apple for Your Enterprise?

Editor's Picks

Virtually every Windows PC at risk, says Secunia

Moving to a start-up? Fasten your seatbelt

License server glitch exposes SonicWall users to e-mail security threats

In high-tech schools of the future, Facebook in class is boosted -- not banned

Transmitting data from the middle of nowhere

Clues point to Jan. 13 release of Windows 7 beta

Shark Bait
View Shark BaitFired up about IT? Join Sharkbait and share your true tales of IT. SharkBait is the place for you to sound off about everything IT – the good, the bad, and the rest of the weird stuff you deal with every day.

New baits
Shark Bait
Webcast

Turning information into a Competitive Advantage "Turning information into a Competitive Advantage"

Companies today are realizing that competitive advantage is harder to sustain when based solely on gains in productivity and cost efficiency. The focus is shifting to invest more in business optimization initiatives which rely on trusted information to develop new insights that deliver better business results. But how can this be done efficiently in a business environment across multiple applications and processes. The answer is an Information Agenda - an innovative approach to transforming business information into a strategic asset for competitive advantage.

View this webcast now! more

See more Webcasts more
TODAY'S TOP BLOG
Dan Tynan Dan Tynan
Today's Internet has been brought to you by porn
YouTube and Ning are trying to shed adult-oriented content to appeal to mainstream advertisers. Will it work? ... [more]
White Papers
Read up on the latest ideas and technologies from companies that sell hardware, software and services.
The Importance of Application Management
Dell Client Migration and Deployment Services
Windows� Enterprise Data Protection with Symantec Backup Exec"
View more whitepapers 
 


Webcast: The Automation of IT Compliance Programs: Reducing Risk, Cost and Complexity of Corporate Compliance
To meet the growing number of industry and federal regulations, businesses spend significant time, effort, and budget determining how to best meet continuously evolving IT compliance requirements this new Forrester Research and Juniper Networks Webcast led by industry experts who examine global IT security and compliance trends, common IT compliance issues and challenges, and best practices for successful IT compliance programs.

View this webcast 
Whitepaper: Tackling the Top Five Network Access Control Challenges
The major challenge enterprises face today is how to create innovative business models and to increase productivity by opening the network to a dynamic workforce, while at the same time protecting critical assets from the vulnerabilities that openness and user mobility bring. In addition, to comply with industry and governmental regulations, enterprises must prove that they have stringent controls in place to restrict access to sensitive data. This paper describes the top five networking access control challenges that companies like yours are facing and solutions that they are deploying today.

Download this white paper 
Whitepaper: Addressing PCI Compliance with a Comprehensive Network Access Control Solution
The Payment Card Industry (PCI) is one of the most comprehensive data security standards in a cluster of regulations that have emerged over the past decade. Meeting its requirements is both complicated and expensive for many companies. Learn how a comprehensive access control solution allows retailers and consumer organizations adhere to the core tenets of PCI, and delivering the necessary information and reports needed for compliance audits.
Download this white paper 
Whitepaper: Control System Cyber Vulnerabilities and Mitigation of Risk for Utilities
Today's global industrial infrastructure includes thousands of electric utilities, water/wastewater management companies, oil and gas suppliers, chemical manufacturers and other facilities critical to daily functioning. Learn why relying on off-the-shelf operating systems and Internet-based remote access control to carry out production tasks, traditional control networks can leave today's global industrial infrastructures vulnerable to hackers, extortionists, worms, viruses and application-level attacks. Deploying network-based security can protect these at-risk systems–without requiring infrastructure replacement.
Download this white paper 
About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map
CIO Computerworld CSO DEMO GamePro Games.net IDG Connect IDG World Expo Infoworld
The Industry Standard ITworld JavaWorld LinuxWorld MacUser Macworld Network World PC World Playlist
Copyright © 2008 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.