Because of the pervasiveness of the Internet, organizations of all sizes today need to be on high alert about potential security breaches, especially cybersecurity threats. Meanwhile, these organizations need to look at the security risks that new technologies, such as cloud computing, pose. No one understands the security challenges that global organizations face better than RSA, EMC's security division. Each year, RSA publishes its Security for Business Innovation Report (SBIC), which includes findings from 10 of the world's most accomplished security leaders from Global 1000 organizations. Enterpriseleadership.org sat down with Sam Curry, RSA's vice president of strategy, to discuss the invaluable lessons learned from these security leaders. Here is what he had to say:

EL. What are some of the enterprise security concerns about moving to cloud computing and virtualization and mobility?

SC. It is a risk-reward equation. The companies in business accept some measure of risk for some return. Cloud computing can dramatically improve efficiency on the reward side of the equation. The important thing is the ratio between the two. At a high level, the main concerns are to achieve that same or better ratio of risk to reward. Generally, it means that people focus more on the risk. So how does the risk profile change? We wind up having to do better risk management, or at least the same degree of risk management. If the ratio to the reward improves, then it becomes compelling. The things that bubble up include security controls, such as being able to see into risk, and being able to show compliance in a cloud model as you would in a legacy environment.

To date, most of the discussions about security in the cloud have been around commonplace themes, such as dealing with the legacy world, and dealing with anti-virus concerns or firewalls. Those are really point things. The more interesting thing is that we have an ability to have makeover security. We have an ability to change the basic risk management and make it more of a tool. In other words, we can make the infrastructure a service to risk management as opposed to a thing that focuses on itself. The most important principles are that over time you focus less on the tool and more on the task. We can rethink things such as authorization and trust or governance and reporting.

EL. What can CIOs do right now to minimize these security risks?

SC. You need to be clear about the goals you want to achieve and then really enumerate the risks. Because risk management often proves negative, people try to lift out everything that could possibly go wrong. What is likely to go wrong is more important than what could possibly go wrong. I had a customer who said, 'I have so much to fear. There is no way I can sleep at night.' What he was really asking for was a means to provide some granularity to that huge realm of everything that could go wrong.

First, you need to be clear about the goals. Second, really enumerate the risks, and then perform some disciplined triage. Look at the content of the entire world. Who are the actors? What can happen to you? There are all kinds of names for a program to this effect. Some folks like the name governance risk compliance or GRC, while some folks hate that name. The principles are similar. You should have a business policy and carry it out on your infrastructure -- whether you have legacy, public cloud, or private cloud. It should tell you what is happening, especially to the things you care about, such as risk and business goals like growing the top line, maintaining margins, and branding exposure. List it out, enumerate the risks, and build a GRC program (whether you call it that or something else). Do not forget to question your partners and their vendors on their ability to help with those goals on the risk management side.

Some will do it well and some will ignore it, hoping to distract you with the same old benefits statements you have seen in the past. Your risk management process has to become a manageable one with a program to make it something you can pass business policy to, something you can obtain status from, and something you can focus on the business drivers, not just reports for the sake of reports.

EL. What are some of the other types of security challenges CIOs face?

SC. CIOs usually hear about major mistakes, such as a system improperly deployed, long after they have occurred. CIOs need to make sure the organization has chosen business relevance for specific things in security. Some organizations still separate physical and logical security. That trend has become more and more out of date as an approach. CIOs need to minimize all risks to the business, such as someone about to drive a truck into a data center, someone hacking a system somewhere, or a potentially poisonous virtual system somewhere. I saw this recently with some of the public cloud things going on.

CIOs need to deal with an identity set of issues: How do you come up with a single model for identity? How do you deal with federation? How do you actually get a consistent notion of identity when you are dealing with lots of different islands of trust? Again, these issues include commonplace themes about spotting malware and filtering for bad traffic.

The more challenges you have in this environment, the more you have to manage your posture or your risk profile. You can think of risk in the classic sense as what can it do to you, and how do you match that up to where you are exposed, and then you need to go one step further, and match that up with what matters to you. Each one of those adds a new realm of value. What can happen to you is a big scary thing. You need a refinement process to look at where you are actually exposed and what is likely to get hit. This process includes things such as vulnerability assessments and configurations. It might also include something like an understanding of the dynamic environment of cloud computing. It is not like the legacy environment where you say, 'We are 60 percent Windows. That is what we were yesterday and that is what we are going to be tomorrow.' Your makeup of just what assets exist in a cloud infrastructure could change radically. You might have one platform being 20 percent of your environment today and tomorrow it will be 80 percent.

Being able to understand the shifting nature of risk becomes important as you layer that onto a more dynamic environment. It is not like dealing with a situation such as international affairs where countries are static blocks and positions on the globe. You know their posture because you understand the physical space around them. This awareness does not apply to the virtual world of cloud computing. Here you need to show the business relevance of what is going on. You need to be able to do it in a much shorter period than most folks are used to. You need to be able to say, 'Here is the landscape and here is the state.' You also need to show the critical state. When the state is not favorable, you need to know what actions to take, who has ownership, and what path to workflow. Security has to become better at managing the controls, and has to be better at showing business relevance and tying into the business. These things should be the CIO's job.

EL. During 2008 and 2009, did we see more security risks at the enterprise level?

SC. That is a tough question to answer. The number of exposures or number of vulnerabilities that could be exploited went up. At the same time, many enterprise environments did a good job of managing security because of the solid systems they had in place. As a result, they became more effective in their defenses. It is fair to say that the sophistication and coordination among enterprises have improved. The actual things that can be done did increase the number of platforms. For example, the attention paid to finding the seams in the systems went up. The cookbook of tricks that are available to your typical hacker did increase, but that is not to say the risk increased. Companies paid more attention to managing policies and processes, and revolutionizing the way they treat information security.

I am in touch with many companies where security now reports to the CEO as an information protection initiative. In fact, some CEOs give their boards updates on information security.

If we accurately want to evaluate how the risk landscape has changed, we need to measure it more carefully. People became more aware of how to manage risk in 2009.

EL. Can you summarize some of the findings of the SBIC report? What advice would you offer to C-level executives?

SC. RSA does this report. You can read the report and come out with many different takes on it. I can give you some of my takes. First, most users became aware of phishing. We expected that. When we compare the year-over-year results, we see more people in the population are aware of it. We saw a dramatic increase in the number of people who acknowledged themselves as victims in one sense or another. About 33 percent of the respondents acknowledged this. This surprised me. People were aware of Trojans, as well, which is surprising. That rose on their radar.

We checked for 10 security violations, including viruses, trojans, spyware, phishing, and worms. More than 50 percent of our respondents said they were aware of these things. This was the first time this passed the 50 percent mark. If I were to talk to my parents, one of them would know the meaning of each of these security violations.

Although we are becoming like a global village, I was surprised to see that respondents were similar in spite of different environments on all major continents. Some regions have visibly embraced security. Some regions have said this is an evolution. At one time, IT organizations could not let the company's security per se show. Instead, they had to emphasize the security benefits of whatever service they rolled out. Things have changed and we have a new tipping point. Customers want to see the security. They feel more confident when they can touch it, see it, and know it is there. Some regions have passed that point. Here in North America some industries have reached that point.

After we published our latest SBIC report, I gave this advice on public blogs: You need to sit there and look for that tipping point. It may or may not be the time for you to start showing security. How do you put a padlock somewhere or send out something that is a tangible or physical manifestation of security? You start thinking about when that is going to come. For years, I have talked about how the bad people work on an ROI model. They have now moved to what we see on the business side of ROI versus costs. It costs money to execute an attack and expect people to deploy defenses and increase visibility. You can also expect the bad guys to pay attention to the 10 security violations such as voice phishing or botnets. Sometimes visible security can scare bad people off, and sometimes it can inspire confidence in them. For your demographics, you need to know where they are and what they need to see.

EL. As you know, President Obama appointed a White House coordinator of cyber security. What is your opinion on the state of national cyber security? How well has Homeland Security done its job?

SC. Just like private-sector companies, all types of government offices -- be they federal or state -- should first establish the bar, build the instrumentation, and then determine the metrics. All of these things help give meaning to an event and help to determine how to improve these events.

It is wonderful that the mandate exists, and we have Howard Schmidt on the job. I, however, am waiting as a citizen and as an executive of a company that can help here. We have an interest in seeing what comes next. I am waiting to see to what degree they will do that instrumentation -- whether it will be the right approach with the right authority and the right budget. That will take a program with some phases. I cannot comment on the state of national cyber security, except that we do not have the right metrics, goals, or milestones yet. We need to build these things. Having the office is great. Now let us see what Mr. Schmidt does with it.

Elizabeth M. Ferrarini is a technology writer from Boston, MA. Reach her at elizabethferrarini@yahoo.com.
