An increasingly complex and cumbersome regulatory environment may be forcing many companies to focus their information security efforts purely on meeting compliance and audit goals rather than on understanding and addressing business requirements, warned Art Coviello, president of EMC's RSA security group.

Delivering the inaugural keynote at the annual RSA Conference in San Francisco this week, Coviello called on regulators and policy makers to create regulations that focus on outcomes, rather than laying out a prescriptive list of controls.

Regulators need to make sure that any regulations they mandate do not end up "actually weakening a business by enforcement actions that drive companies to spend unnecessarily on perceived but not genuine security risks," Coviello said. Such "make-work projects" add little material value to a company's overall security stance. "Instead of passing regulation that creates a climate of 'what's the least I can do to get a check mark,' drive regulation that focuses on outcomes," Coviello said.

An example of a properly functioning regulation is California's SB 1386 bill, which focuses on requiring companies to notify consumers of data breaches involving their private data rather than on telling them how to protect that data, Coviello said.

One step that regulators can take to reduce the current complexity is to create a national baseline standard for protecting sensitive data -- passing one federal data breach notification law that preempts the 40 separate state laws with which companies have to currently contend, he said. More effort also needs to be put on punishing cyber-criminals, Coviello added, urging Congress to ratify a national cyber-crime bill already passed by the U.S. Senate in late 2007.

At the same time, security practitioners themselves need to start thinking more about information-centric security strategies, as opposed to mere information security strategies, he said.

"We must look beyond tools that blindly lock down data, [and] toward mechanisms that can understand information and safeguard it intelligently throughout its lifecycle," Coviello said.

Instead of implementing products for dealing with specific security threats, the goal really should be on making security an indistinguishable part of the infrastructure, he said, Processes for monitoring and enforcing security need to be automated as far as possible and companies need to get away from static controls that are focused simply on controlling access to data, he said.

For more enterprise computing news, visit Computerworld. Story copyright Computerworld, Inc.

Whitepapers

• Gene Kim's Practical Steps to Mitigate Virtualization Security Risks
• Selecting Effective Virtual Directories
• A Modern Approach to On-Demand Email and Data Security
• Best Practices for HP Servers and HP Enterprise Virtual Array in a Microsoft Exchange
• Compliance, Protection, Recovery: A Layered Approach to Laptop Security
• Endpoint Security: Data Protection for IT, Freedom for Laptop Users

View more SECURITY whitepapers

Webcasts

• Key Considerations for a Successful 802.11n Deployment
• Solutions to the Toughest IT Challenges in Remote Offices
• Lowering the Cost of Email Archives
• High Availability for SQL Server 2005 Using Array-Based Replication and Host-Based Mirroring Technologies
• Technical Overview of Exchange Server 2007 with HP Servers and Storage
• Bringing Order and Security to your Mobile Workforce: Corporate Mobility Policy and Device Management On-Demand

View more SECURITY webcasts

Special Reports

• The Evolution of Network Security
• Taking Virtualization Up a Notch
• Learn how to Keep your Mobile Workforce Connected
• The self-managed network

View more SECURITY special reports