Security - Necessary Evil for Businesses
Discussions at the RSA 2008 Conference in San Francisco point out that security concerns are increasingly a drag on business innovation. According to RSA president Art Coviello, quoted by Dark Reading, this holds back companies’ creative thinking.
Coviello backed his opinion with statistics from research conducted by IDG and commissioned by RSA:
“More than 80 percent of IT, security, and business executives surveyed admit that their organizations have shied away from business innovation opportunities because of information security concerns,” he told the RSA audience in a keynote address Tuesday morning.
Security policies place significant pressure on users, who are always told one click can lead to disaster and are always faced with cryptic dialog boxes that aren’t at all helpful.
Worse, in most organizations security is viewed at best as a necessary evil, due to IT’s primary focus on trying to constrain behavior and prevent some desktop mishap. “Although well-intentioned, the inevitable result is that security practitioners are not viewed as enablers but people preventing the business from doing what it needs to do,” said Bill Boni, corporate vice president of information security and protection for Motorola, and one of the IDG survey respondents quoted by the RSA exec.
After identifying the negative effects of security on business innovation, Coviello also offered a solution. The best way to address the downsides is a change in security mentality: a switch from saying “no” to potentially harmful actions to showing how they should be safely performed.
“The next time a new idea comes up, don’t start by saying it isn’t secure — start by evaluating exposures, the probability of the exposures being exploited, and the materiality of the consequences. Then put forth a plan to reduce risk in all three areas. Nothing should be done unless it is in the context of risk.”
This situation fully applies to Endpoint Security. There’s been a lot of buzz on how portable storage devices, such as USB sticks, smart phones and iPods, can cause the ugliest virus infections, how they enable data theft and how losing one with sensitive data can endanger the identities of millions. This leads to restrictive measures such as cutting all access to these devices. The negative result is less mobility for employees, less space for them to work and innovate, and less effectiveness on their side.
The actual response to ongoing threats is learning how to handle portable storage devices safely, so as to benefit from all their advantages without overlooking their embedded threats.
Staffers to Protect Information
Last year in November, UK’s HM Revenue and Customs lost the personal records of 25 million people. In order to prevent such losses in the future, they will rely on 37 employees whose role would be to protect data. According to a parliamentary written answer by Jane Kennedy, financial secretary to the Treasury, quoted by the Register, the goal for the data guardian appointed to each business unit is “to strengthen the management of the department’s data assets”.
The information was lost while being transferred through postal services on unencrypted computer disks. How about portable storage devices with encryption? Wouldn’t that be cheaper than paying the salaries of 37 people?
As we can tell from the article published by the Register, other governmental agencies also rely on their workforce to protect data:
In response to another written question connected to the child benefit data loss, the Department for Work and Pensions said it provides data to the National Audit Office using “rigorous courier arrangements and a requirement that physical transfers of data must have the specific authority of a member of the senior civil service”, according to Anne McGuire, minister for disabled people.
