RSA defines
progressive risk management strategies
ConvergenceAsia staff
06/10/2008
RSA, the Security Division
of EMC, has released the results of two new research initiatives that
explore the volatile relationship between information security and business
innovation.
The first survey — conducted by global market intelligence firm IDC —
reveals a growing chasm between security and innovation and examines the
business impact of this disconnect on leading companies around the globe.
The second study taps an elite group of security executives to define the
industry’s first portfolio of advanced information risk management
strategies aimed at closing this gap.
“The inextricable link between security and innovation is clear, but
organisations are still really struggling with how to strike the right
balance between driving new innovations to market and instituting effective
IT security practices,” said RSA President Art Coviello.
“Security has long been a global business issue and this research tells us
it is a top priority for today’s senior management teams. There has never
been a better time for companies to make the cultural, philosophical and
technological shifts required to better align their security and business
innovation strategies.”
Commissioned by RSA, an IDC survey of nearly 200 top business executives and
security professionals, titled “Innovation and Security: Collaborative or
Combative,” showed that the majority of organisations believe creating an
environment ideal for innovation is critical to staying ahead of the
competition. However, survey respondents revealed that in spite of their
best intentions, IT security risk is impeding business innovation. In fact,
80 per cent of those surveyed admitted that their organisations have backed
away from new innovation opportunities because of information security
concerns.
IDC also found that although 80 per cent of CEOs believe their security
teams are being held formally accountable for their contributions to
business growth and innovation, only 44 per cent of security leaders believe
they are being measured on their contributions to innovation.
This finding points to a surprising lack of alignment between the
expectations of C-level management and the priorities of security
professionals. And while the need to link IT security strategies directly to
business goals is a widely recognised imperative, only 21 per cent of
respondents believe their organisations have successfully made the
transition to an approach that is proactive and business-aligned, and that
enables rather than impedes innovation.
RSA also released the latest report from the Security for Business
Innovation Council, which comprises 10 of the top minds in information
security from some of the largest companies in the world.
This report, “Mastering the Risk/Reward Equation: Optimising Information
Risks to Maximise Business Innovation Rewards,” explores why legacy methods
of evaluating information security risk don’t work in today’s connected
world, in which any new business innovation inherently carries some level of
risk to information.
Based on the collective best practices of these leading security executives,
the report offers a blueprint for making risk/reward calculations that
drive business value, and for ensuring those calculations are executed and
governed for enterprise success.
As a critical starting point, the Council report recommends some key shifts
in organisational thinking and behaviour including:
- Move the security team’s focus from “Information Security” to “Information
Risk Management” to signal that the goal is to achieve an acceptable level
of risk;
- Use a cross-organisational approach to understand and formalise the
enterprise’s risk appetite;
- Build a risk assumption model to delineate where and with whom risk
decision responsibilities lie; and
- Create a repeatable, step-by-step process for making risk/reward
calculations for new business initiatives, and ensure it is rolled out across
the organisation.
As enterprises attempt to look at risk management more holistically,
processes for assessing information risks must be integrated into these
overall risk assessment efforts.