“So often, security infrastructure is being built around the perimeter which we have decreasing control over. We need to move to an intelligence-driven cyber-security model”, Coviello insisted. That model, he advised, needs to be risk-based, agile, and focus on predictive analytics and information sharing at scale.
Coviello acknowledged that the evolution in strategy is currently being held back by security budgets, which currently allocate 80% to prevention, 15% to detection and 5% on response.
“We know that breaches are inevitable”, said Coviello, “so we need to shift the balance.” RSA’s Coviello insisted that security models are not making this transition to intelligence-based security fast enough, and warned, “our adversaries are running off ahead of us”.
The skills shortage in the information security industry is also holding back this shift, Coviello said. “We need to fill the skills shortage gap with the right expertise. Frost & Sullivan estimated we currently have 2.25 million security professionals. By 2015, we need 4.25 million – where will they come from?”
While Coviello argued – perhaps surprisingly – that we have too much awareness in the information security industry, he declared a lack of understanding, which he partly blames on a lack of context reported by the media in an over-sensational way.
“Information security threats are not over-hyped. The depth of the problem, however, remains hidden.
“If all constituencies have a better understanding of risks, all problems can be solved”, he continued. “I’m encouraged by the UK government calling on business leaders to step up their cyber-security response.”
Coviello wisely reminded the audience that “we are only as strong as our weakest link, and an attack on one of us means an attack on all of us.”
Finally, RSA’s executive chairman insisted that compliance should be a by-product of doing the right thing and putting the right security strategy in place to begin with – “not the other way around. Security should not be a by-product of compliance.”