Balancing Computer Security and Innovation—A Talk with RSA’s Art Coviello
(Page 3 of 3)
amorphous. I think it breaks down between business, operational, and information risk. EMC puts its stake in the ground around information governance, risk, and compliance. But we will do everything we can to link that with the operational risk guys and the business risk guys.
If you look at this entire financial meltdown, I think it’s extraordinary that technology has enabled us to create these incredible financial instruments and trade them at warp speed in volumes that were unimaginable 10 years ago. But then I’d ask you, with all of this improved productivity for delivering these instruments, has business risk management evolved as quickly? And the answer is obviously no. So business risk management has not kept up with the technology—and yet technology is the means with which we can keep up. It’s just so ironic to me.
Here’s my other view about GRC. The C is last, and it should be last. But the problem is that people are doing compliance first, because governance and risk are just too freaking hard. As much as everyone hates regulation, they will take the regulations and say, “tick, tick, tick—I’m complying so I can ignore the governance and risk part.” So that’s why you get people who pass the PCI audits and then wonder why they have breaches of their credit-card databases. [PCI stands for payment card industry; the PCI Security Standards Council sets standards for credit card account protection.---Editors] That doesn’t mean that the companies that focus on compliance and reporting aren’t helpful, but that ought to be the means by which you prove out what you’re doing on governance and risk.
AC: We applaud the Obama Administration for deciding to put an executive in charge of cyber security, even though he didn’t quite match his campaign promise of having that person report directly to the President. I never thought it would or should. But the fact that there will be central coordination for cyber security is a good thing. There are too many elements within the government—Justice, the intelligence agencies, homeland security, the civilian agencies that need to protect consumer information. There is way too much to be done. You should have someone coordinating that out of the White House, so we applaud that.
X: What about the conclusions of the 60-day review of cyber security plans that was carried out this spring by Melissa Hathaway at President Obama’s direction—do you think it went far enough?
AC: I think it’s solid. It’s got a number of good recommendations. But quite frankly, in 2003, Dick Clarke presented the “Strategy to Secure Cyberspace” for President Bush’s signature, and had we been actively implementing that strategy, we would be way ahead of the game. Six years later, we have not executed on that strategy one iota. And shame on the government, because industry—including myself—was ready to do that.
There has been sustained study of the problem, including a recent study by the Center for Strategic and International Studies, which I think Melissa Hathaway’s report borrowed liberally from—she took the substance of that to heart, and used a lot of that content, as well as other policies, in developing her 60-day report. All of that is good stuff, provided it is acted upon. I think we’ve got an administration that is making it a priority.
X: President Obama says he will name a cyber security czar to coordinate federal action. Hathaway herself is mentioned as one of the potential candidates. Do you think she’s the right person for the job?
AC: Hathaway would be okay. I would hope that we could get a vastly more experienced and higher-powered individual, but at least she knows the topic.
X: Do you have somebody better in mind?
AC: I actually think John Thompson [the chairman of the board of Symantec] is the best candidate. I would love to see a guy from the industry named. Tom Noonan, who ran ISS [Internet Security Systems, acquired by IBM in 2006], would be a great bipartisan appointment and a terrific candidate.