Press Release

RSA Research Readies Global Enterprises for New Era of Compliance

Sweeping Changes in Compliance Landscape Mark End of Business as Usual; Top Security Officers Share Strategies for an Age of Escalating Scrutiny

BEDFORD, MA., October 11, 2010 - 

Today, RSA, the Security Division of EMC (NYSE:EMC) released the latest research report from the Security for Business Innovation Council, a premier source of industry insight and advice from the world's top security officers. The research takes an in-depth look at the complex web of new information protection regulations, reporting requirements, and third-party responsibilities that are dramatically raising the stakes for organizations around the globe. Arming leaders to act on these shifts, the council outlines strategies for helping to align compliance programs to this new era.

To view the multimedia version of this release, visit:

The report, "A New Era of Compliance: Raising the Bar for Organizations Worldwide," describes the huge impact this new wave of legislation and legal obligations is having on business, sparking renewed board-level attention and forcing up-leveled strategies. Council members spotlight the convergence of four significant new trends that are driving organizations to get much more serious about compliance: 1) Strengthened enforcement, 2) Global spread of data breach notification laws, 3) Increasingly prescriptive regulations, and 4) Growing business partner requirements.

"Regulators are moving away from light-touch to more interventionist regulation," said Stewart Room, Partner, Privacy and Information Law Group, Field Fisher Waterhouse LLP, a data protection expert and guest contributor to the report. "That's clear in all senses of society and economy, so it’s not surprising regulation is tightening up in the data protection field. As I see it, the trajectory of the law here is one way only, which is towards more frequent regulatory intervention, more disputes, more arguments, and more litigation."

Changing Landscape Forces Compliance Programs to Next Level

"A New Era of Compliance: Raising the Bar for Organizations Worldwide" outlines a landscape in which highly-motivated legislators are escalating information protection mandates due to a steady stream of massive data breaches and the resulting public outrage. Enforcement of existing regulations is being tightened through expanded powers, higher penalties and harsh enforcement actions. Organizations operating in Europe are facing the upcoming overhaul to the EU Data Protection Directive, which is expected to include not only increased enforcement but also breach notification.

"As more regulations are introduced, the rules are becoming increasingly prescriptive," said Art Coviello, executive vice president, EMC Corporation and president, RSA, The Security Division of EMC. "Regulators are making it clear that you're on the hook for ensuring the protection of your data at all times, even when it's being processed by a service provider. Going forward, it will be impossible to hide information security failings as legislators force transparency and data breach disclosure becomes a global principle."

This new era of compliance ratchets up the challenges facing information security teams. The council report offers recommendations to help organizations align their programs to the heightened demands of the new compliance landscape. Specific guidance and "how to" strategies include:

1.) Embrace Risk-Based Compliance: Build an effective enterprise program that provides everyone in the chain – from individual business process owners to the board of directors – with all of the multi-faceted information needed to make risk decisions.

2.) Establish an Enterprise Controls Framework: Create a consistent set of controls across your enterprise that is mapped to regulatory requirements and business needs.

3.) Set/Adjust Your Threshold for Controls: Determine the "right" level of security controls and gauge the prevailing industry standard to meet the legal requirement for "reasonable and appropriate" security measures.

4.) Streamline and Automate Compliance Processes: Establish an Enterprise Governance, Risk and Compliance (eGRC) strategy that consolidates all of the information necessary from across the organization to manage risk and compliance and provide visibility into controls.

5.) Fortify Third-Party Risk Management: Move away from "boilerplate" security agreements and toward comprehensive third-party strategies that focus on: diversification, due diligence, rigorous contractual requirements, consequence management and governance.

6.) Unify the Compliance and Business Agendas: "Operationalize" compliance and develop the organizational structure required to fully embed compliance into the business and align it with the organization's highest-priority goals.

7.) Educate and Influence Regulators and Standards Bodies: Educate legislators and constructively affect regulation to avoid overly prescriptive rules that will cripple business.

About the Security for Business Innovation Council

The Security for Business Innovation Council is a group of highly-successful Global 1000 security executives who are committed to sharing their own insights and experiences to help move information security forward at organizations worldwide.

Council members include: Anish Bhimani, Chief Information Risk Officer, JP Morgan Chase; Bill Boni, Corporate Information Security Officer, Vice President Enterprise Information Security, T-Mobile USA; Roland Cloutier, Vice President, Chief Security Officer, Automatic Data Processing, Inc.; Dave Cullinane, Chief Information Security Officer and Vice President, eBay; Dr. Martijn Dekker, Senior Vice President, Chief Information Security Officer, ABN Amro; Professor Paul Dorey, Founder and Director, CSO Confidential and Former Chief Information Security Officer, BP; Renee Guttmann, Vice President, Information Security & Privacy Officer, Time Warner Inc.; David Kent, Vice President, Global Risk and Business Resources, Genzyme; Petri Kuivala, Chief Information Security Officer, Nokia; Dave Martin, Chief Security Officer, EMC Corporation; Felix Mohan, Senior Vice President, CISO & Chief Architect, Bharti Airtel Ltd; Dr. Claudia Natanson, Chief Information Security Officer, Diageo; Vishal Salvi, Chief Information Security Officer and Senior Vice President, HDFC Bank Limited; Craig Shumard, Chief Information Security Officer, Cigna Corporation; and Denise Wood, Chief Information Security Officer and Corporate Vice President, FedEx Corporation. This Council report also includes contributions from Stewart Room, Partner, Privacy and Information Law Group, Field Fisher Waterhouse LLP.

The report released today is the seventh in the series, and RSA expects to publish more original Council reports over the coming months. Those interested in learning more about the Security for Business Innovation Council reports can visit the RSA Thought Leadership website at to view and download all of the studies.

About EMC

RSA, The Security Division of EMC, is the premier provider of security, risk and compliance management solutions for business acceleration. RSA helps the world's leading organizations succeed by solving their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments. Combining business-critical controls in identity assurance, encryption & key management, SIEM, Data Loss Prevention and Fraud Protection with industry leading eGRC capabilities and robust consulting services, RSA brings visibility and trust to millions of user identities, the transactions that they perform and the data that is generated. For more information, please visit and

EMC Corporation (NYSE: EMC) is the world's leading developer and provider of information infrastructure technology and solutions that enable organizations of all sizes to transform the way they compete and create value from their information. Information about EMC's products and services can be found at

Press Contacts

Alison Parker
Outcast Communications

Lona Therrien
RSA, The Security Division of EMC

RSA and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other company and product names may be trademarks of their respective owners.