RSA lists risk management strategies
Submitted by rohitshendkar on Mon, 10/06/2008 - 12:36
BANGALORE, INDIA: RSA, the security division of EMC, released the results of two new research initiatives that explore the volatile relationship between information security and business innovation.
The first survey - conducted by
IDC - reveals a growing chasm between security and innovation and
examines the business impact of this disconnect on leading companies
around the globe.
The second study taps an elite group of security executives to define the industry's first portfolio of advanced information risk management strategies aimed at closing this gap.
RSA President Art Coviello said:
"The inextricable link between security and innovation is clear,
but organisations are still really struggling with how to strike the
right balance between driving new innovations to market
and instituting effective IT security practices. Security has
long been a global business issue and this research tells us it is a
top priority for today's senior management teams."
"There has never been a better time for
companies to make the cultural, philosophical and technological
shifts required to better align their security and business
innovation strategies," he added.
IDC survey reveals IT security risk is a significant innovation inhibitor
The "Innovation and Security: Collaborative or Combative" survey showed that a majority of organisations believe creating an environment ideal for innovation is critical to staying ahead of the competition.
However, survey respondents revealed that in spite of their best intentions, IT security risk is impeding business innovation. In fact, 80 percent of those surveyed admitted that their organisations have backed away from new innovation opportunities because of information security concerns.
IDC also found that although 80
percent of CEOs believe their security teams are being held formally
accountable for their contributions to business growth and
innovation, only 44 percent of security leaders believe they are
being measured on their contributions to innovation.
This finding points to a
surprising lack of alignment between the expectations of C-level
management and the priorities of security
professionals. And while the need to link IT security strategies
directly to business goals is a widely-recognized imperative, only 21
percent of respondents believe their organisations have successfully
made the transition to an approach that is proactive and
business-aligned, and enables rather than impedes innovation.
Security leaders call for a new approach to risk management
The "Mastering the Risk/Reward Equation: Optimizing Information Risks to Maximize Business Innovation Rewards" survey explores why legacy methods of evaluating information security risk don't work in today's connected world, in which any new business innovation inherently carries some level of risk to information.
In this landscape, the security
focus must move from solely mitigating
risk to also maximising business reward. Based on the collective
best practices of these leading security executives, the report
offers a blueprint for making risk/reward calculations that help
drive business value, and ensure they are executed and governed for
enterprise success.
Bill Boni, Corporate Vice
President, Information Security and Protection, Motorola, said:
"Ultimately, the biggest risk any company faces isn't that a
particular piece of information is compromised or a particular
platform is disabled, it's that the company will fail to meet
customer expectations. To achieve business advantage, companies must
take calculated risks and rely on security measures that allow them
to be both adaptive and responsive."
As a critical starting point, the Council report recommends some key shifts in organisational thinking and behaviour, including:
Move the security team's focus from "Information Security" to "Information Risk Management" to signal that the goal is to achieve an acceptable level of risk;
Use a cross-organizational approach to understand and formalise the enterprise's risk appetite;
Build a risk assumption model to delineate where and with whom risk decision responsibilities lie; and
Create a repeatable, step-by-step process for making risk/reward calculations for new business initiatives and ensure it is rolled out across the organisation.



