Thursday, October 2, 2008

'Volatile Relationship' Between Security, Innovation

MBA (10/2/2008) Palaparty, Vijay
A volatile relationship exists between information security and business innovation, according to research from RSA, the security division of EMC, Bedford, Mass.

Eighty percent of organizations worldwide reported that they have backed away from innovation opportunities because of information security concerns, even while acknowledging that innovation is critical for competition.
"The inextricable link between security and innovation is clear, but organizations are still struggling with how to strike the right balance between driving new innovations to market and instituting effective IT security practices," said Art Coviello, president of RSA. "Security has long been a global business issue for today's senior management teams. There has never been a better time for companies to make cultural, philosophical and technological shifts required to better align their security and business innovation strategies."

Richard Johnston, president of Acris Solutions, Laguna Hills, Calif., said in the mortgage industry, growing issues of data security and needed corrective responses are being pushed out into the future due to turmoil in the market.

“The need to share borrower information across technology platforms to further reduce the time to fund a loan is the driving force for IT initiatives yet we see obstacles that hinder that evolution from occurring,” Johnston said.

The research also found that 80 percent of CEOs believe security teams formally hold responsibility and accountability for contributions to business growth. But only 44 percent of security leaders reported being measured on their contributions to innovation, suggesting a lack of alignment between C-level management and security professionals.

Only 21 percent of respondents said their organizations have successfully made the transition to an approach that aligns business and security, rather than impeding innovation.

"Today's businesses cannot grow in the absence of a healthy environment for the realization of new innovations," said Chris Christiansen, vice president at IDC, Framingham, Mass., which conducted the research. "In spite of some good progress, the relationship between innovation and security is still very strained. The reality is that innovation and security don't need to be competing priorities; they are in fact complementary. Organizations that demand early IT involvement in business innovation efforts and lay out explicit business innovation metrics for their security teams have a much better chance of advancing their overall organizational goals."

“Rules are now, or will be, mandated, yet many companies struggle in their execution for various reasons but mostly from the lack of C-level endorsement and backing,” Johnston said. “Roadblocks occur with elements of technology deployment in the mortgage industry. When the risk/reward equation is applied, most cannot get past the cost elements yet all seem to desire the ultimate end results. We have to find a better way to quantify the results to justify the time and money needed to bring them to fruition, even in these trying times.”

A report from the Security for Business Innovation Council, "Mastering the Risk/Reward Equation: Optimizing Information Risks to Maximize Business Innovation Rewards," said legacy methods of evaluating information risk do not work today. It said the focus of security should move from solely mitigating risk to maximizing business reward as well.

"Ultimately, the biggest risk any company faces isn't that a particular piece of information is compromised or a particular platform is disabled, it's that the company will fail to meet customer expectations," said Bill Boni, corporate vice president of information security and protection at Motorola, Schaumburg, Ill. "To achieve business advantage, companies must take calculated risks and rely on security measures that allow them to be both adaptive and responsive."

The report recommended that organizations change by moving their security team’s focus from information security to information risk management; use a cross-organization approach to understand risk appetite; build a risk assumption model; and create a process for making risk/reward calculations for new business initiatives across the organization.
