Enrique Salem, Symantec's recently appointed CEO, speaks at RSA. Source: RSA Conference
"It's time for us to change how we approach security. It's time to change the game," Enrique Salem told hundreds of attendees in one of his first major speaking appearances since assuming the top spot at Symantec last year.
Calling on security managers to "operationalize" their efforts, he urged the creation of "a bridge between day-to-day operations and security departments" to create shared plans and goals.
"We know that the most effective programs are those that bring together security, storage, and systems management to automate the repetitive tasks that consume most of your time," he noted. "When you bring together these areas, it's possible to be more proactive and policy-driven."
Security remains a struggle after all this time, he said, in large part because administrators still perform manual analysis of threats against their systems within carefully partitioned silos. One team configures laptops, another looks after the datacenters, an operations team keeps an eye on routine tasks and an entirely separate security team does vulnerability testing.
As a result, security is done piecemeal. Stand-alone products at various points within the system hamper policy coordination, making automation of many processes nearly impossible. Lower-level administrators end up creating de facto policy day-by-day based on how they configure e-mail, backup and server security.
Instead of such seat-of-the-pants security planning, Salem proposes a new approach that's "risk-based, information-centric, responsive, and workflow-driven."
Key in that, he noted, is the notion that the information must be protected just as diligently as the infrastructure already is. "Virtualization and cloud computing mean that information increasingly is becoming separate from the systems," he said. "Protecting the infrastructure is necessary, but not sufficient. You need to ask, where does the information itself live and what are the risks to it?"
By factoring in concern for the day-to-day work flow, administrators can close the gaps between security products and the tools used for operations. Automating all processes simultaneously, he said, "reduces the latency for remediation" when problems do arise.
"We have to get away from the siloed, piecemeal, opaque approach we have today," he said.
Symantec has been headed in that direction for the last three years, he said, by developing what he calls "reputation-based security."
"Our new technology automatically derives the reputation of software based on the anonymous usage patterns of our tens of millions of protected customers. We compute the reputation of a program from a number of different factors, including the software's origin, its prevalence, its age, and some secret sauce I can't discuss in front of such a big crowd," he said.
"See, I know a little something about protecting information."
"You're in control. You choose. You decide what risks you're willing to take," he said.
To be effective, however, the security industry needs to begin setting new standards. Vendors must collaborate because no one supplier will be in control of all aspects of a computing environment.
Security, he noted, needn't be an inhibitor. Instead, it can be an enabler.







