Regulations Not Making Data Safer, Says RSA Chief

An increasingly complex and cumbersome regulatory environment may be forcing many companies to focus their information security efforts purely on meeting compliance and audit goals rather than on understanding and addressing business requirements, warned Art Coviello, president of EMC Corp's RSA security group.

Delivering the inaugural keynote at the annual RSA Conference in San Francisco this week, Coviello called on regulators and policy makers to create regulations that focus on outcomes, rather than laying out a prescriptive list of controls.

Regulators need to make sure that any regulations they mandate do not end up "actually weakening a business by enforcement actions that drive companies to spend unnecessarily on perceived but not genuine security risks," Coviello said. Such "make-work projects" add little material value to a company's overall security stance. "Instead of passing regulation that creates a climate of 'what's the least I can do to get a check mark,' drive regulation that focuses on outcomes," Coviello said.

An example of a properly functioning regulation is California's SB 1386 bill, which focuses on requiring companies to notify consumers of data breaches involving their private data rather than on telling them how to protect that data, Coviello said.

One step that regulators can take to reduce the current complexity is to create a national baseline standard for protecting sensitive data -- passing one federal data breach notification law that preempts the 40 separate state laws with which companies have to currently contend, he said. More effort also needs to be put on punishing cyber-criminals, Coviello added, urging Congress to ratify a national cyber-crime bill already passed by the U.S. Senate in late 2007.

At the same time, security practitioners themselves need to start thinking more about information-centric security strategies, as opposed to mere information security strategies, he said.

"We must look beyond tools that blindly lock down data, [and] toward mechanisms that can understand information and safeguard it intelligently throughout its lifecycle," Coviello said.

Instead of implementing products for dealing with specific security threats, the goal really should be on making security an indistinguishable part of the infrastructure, he said, Processes for monitoring and enforcing security need to be automated as far as possible and companies need to get away from static controls that are focused simply on controlling access to data, he said.

"Many security products force people to think the way the tool wants, resulting in a sea of complex, static, and inflexible mechanisms," Coviello said. Effort should instead be directed toward implementing tools that are capable of making dynamic decision based on an understanding of how the network, users and content normally behaves, he said.

The vendors who will enable these sort of capabilities are not going to be today's vendor's of standalone security products, Coviello predicted. Rather, the technologies will be developed and integrated by large IT infrastructure vendors. Independent vendors will continue to provide components of this infrastructure, Coviello said, but he predicted there will eventually be no need for an independent security industry.