So, did you hear? RSA has decided that "...IT security risk is the largest single obstacle to innovation in... businesses". Well, OK - to be fair, they didn't declare it by fiat - instead, these are the results of a poll (IDC conducted it). And - that's not exactly the question they asked.
Going back to the original report (you have to register if you want to download it), the question they actually asked was: "do you ever back away from innovative business opportunities because of information security concerns?" To which, 80 percent either said "often" or "occasionally". Now to me, drawing the conclusion that "security is the biggest barrier to innovation" because business folks "occasionally back away from a business opportunity because of security concerns" seems hyperbolic. Backing away from business opportunities when there's a legitimate security problem seems like good sense to me.
Looking at RSA's meta-message, it seems to me that their position is twofold: 1) security needs to be involved more strategically in the business, and 2) all innovation needs to be risk-based. I would agree with both of those things. #1 is good security sense, and #2 is good business sense. The issue, though, comes about when trying to evaluate whose job it is to do what. Should Security reach out to the business more (a la #1)? Yes. Absolutely. Should IT security help make risk-based security decisions in conjunction with their businesses? Of course. But wait - all business innovation? Is it IT Security's job (for example) to do business risk analysis on things like derivatives trading? I don't think it is. But RSA seems to...
Art Coviello said: "The trading of derivatives is one example. You have very complex financial instruments that to me you need a PhD in applied mathematics to understand, and you have 25 and 30-year-old guys trading them in real time...You have to have the ability on a real-time basis to assess that risk." Now, I'm not saying that RSA's message isn't valuable. I agree that everything a business does should be based on risk. In fact, I argue that it already *is*. It's just not usually the IT security folks that are quantifying that risk.
For example, in financial services - the folks who do the derivatives trading (usually) have a pretty good idea of *exactly* how risky that is or isn't. That's their core competency. And I, for one, don't think that we in the IT Security business should be telling them how to do it. Now, I'm not saying that IT Security should be out of the conversation entirely - far from it. I just don't want to be the guy who goes in for brain surgery and gets a cardiologist because "hey, they both can perform surgery." IT Risk is IT Risk. Business Risk is Business Risk. Let the folks that are good at that do their thing - and by all means invite security to the party - but don't ask us to understand the business side even close to as well as the folks who've been doing it for 20 years.
Posted by Ed at October 1, 2008 10:04 AM