RSA's Coviello sees sweeping changes ahead for security pros

In his 13 years as CEO of RSA Security, Art Coviello has just about seen it all. He's seen the security industry grow from a handful of small companies to the massive, fragmented market it is today. And he's been through both the booms and the busts. Now, with RSA a division of storage giant EMC, Coviello is leading a push to bring security to all aspects of the information lifecycle. Executive Editor Dennis Fisher sat down with Coviello at RSA's Bedford, Mass., headquarters recently to talk about the changes sweeping the security industry, the data breach epidemic and what might have been if Symantec and RSA had merged.

I know that you had some layoffs recently. Where were they and what effect have they had?
We had 1,600 people at the time of the merger; we cut back almost 100 just after, because you don't need a chief financial officer or a legal officer. Then through a combination of hiring last year and acquisitions we got up as high as 2,100. What we've been doing is rationalizing the overhead structure and complement of people we have, post acquisition. We did three acquisitions of our own last year. So net net, when the dust settles, we'll still be up 300 people from where we were after the acquisitions. It's across all different phases. A lot of it is redundant engineering as we move things to India. Having said that, we have record employment in these two buildings. We now have a contingent of probably about 160 people in India and 60 of those came in an acquisition. We had a fabulous year. Every quarter since the acquisition we've grown at 20% year on year. EMC has its management kickoff next week and I have this slide that shows the point of view of analysts at the time of the merger. Two companies struggling for earnings combined here, to a report that came out 13 months later saying what a brilliant deal it was and how much sense it made. It's just typical because the guy that wrote that report was talking about our 2005 results, where we were flat almost the whole year. But the fourth quarter we had a spectacular quarter and we just never stopped. It kind of speaks to where security is headed. More of an information-centric approach and less of a perimeter approach. Which is why you see companies like Check Point going out and buying encryption companies.
So what's been driving RSA's growth overall? Is it that shift to locking down the data at rest and in transit?
Exactly. Things around identity, like we do with authentication and access management, and encryption and, with Tablus now, data loss prevention are all the hottest areas in anyone's budgets. A couple years ago, we were probably one half of Check Point and now we're sneaking up pretty close. I remember having a brief conversation with [Symantec CEO] John Thompson on whether or not it would make sense to bring our companies together, because I was wondering about our strategy. I had confidence, but again, I couldn't be sure. And I had some conversations with John, and he said, Art, you guys aren't growing and we're growing at 20%. Now we're growing at 20% and they're growing in the single digits. So that's changed pretty dramatically.
What do you hear from your customers about the combined offerings they'd like to see from EMC and RSA?
I think that John's premise in terms of information assurance is not a bad idea. But antivirus and archiving and backup and recovery, that doesn't give you assurance. Ironically, I remember thinking at the time that what we did and what Veritas did made a hell of a lot more sense in that context. More and more, people see the need to combine the management of information with the securing of information, and that extends through its whole lifecycle. So in the areas where EMC is strong, which is data at rest and backup and recovery, we can add a lot of value. But as EMC does other things like document management and virtualization and gets closer to the action, then we play an even stronger role as EMC executes on their strategy of building out an information infrastructure. Storing and archiving, but also optimizing and leveraging information. So we play a pretty important role in that – little things like adding strong authentication to their product lines for administrative access or service access. A lot of these data breaches that you see are because administrative access has been breached. So, do we sell a lot more tokens or a lot more products? No, but we make EMC's information infrastructure infinitely more secure with those steps. But things like encryption that people want to see, we're building it in. We're building it into PowerPath, EMC's storage software. We're combining with Cisco to manage the keys that are used to encrypt through the SAN switch. You saw NeoScale basically expire and Decru's sales through NetApp are basically flat because people don't want another in-line appliance. They want it built in. So not only are we doing those things that obviate the need for another in-line appliance, because we do it either in software or in the SAN switch, but over the next 18 to 24 months we'll actually build encryption into the storage arrays and then the problem pretty much goes away.
[EMC CEO] Joe Tucci is fond of saying that you should get that encryption for free, and I kind of laugh. But the fact is, he's right. But what you need to pay for is the ability to manage those keys not only on your desktop, but on your switch and your storage arrays, because you're going to have keys proliferate. You need some sort of systems management to do that, and that's where we'll continue to add value. And as you see, it all gets built more and more into the infrastructure. And it's not just EMC's products, but as we collaborate with Microsoft, collaborate with Cisco, collaborate with Brocade, with Oracle. Security has to be done collaboratively and we need to do more and more of that, and people are more open to those kinds of partnerships.
Are you hearing a lot from customers about the data breach problem?
Oh, yeah. And unfortunately, it's not that we're selling fear, it's their own fear. I had this line in one of my keynote speeches. I talked about the Barbary pirates and how they basically extorted money from civilized nations and said if you don't give us money, we'll attack your shipping. And one of Jefferson's diplomats said, millions for defense and not one cent in tribute. And he sent the three or four frigates that were our navy and a bunch of marines and he solved the problem that way. Today, it seems to be millions upon embarrassment, but not one cent for defense. But then I qualify it and say, Look, it's not as if you're not spending millions on security, but you're not looking at it in a logical, holistic fashion. And if you want to be embarrassed, then keep on doing point products and spending without thinking about your entire security and management infrastructure. I guarantee you'll be embarrassed because you won't plug every hole by looking at individual spots in the dam as opposed to getting up on top of the dam to see if you have some structural defects. Some of the breaches are just people leaving a laptop in a taxi or something, but then you have something like TJX where they had this cascade of failures, with weak encryption on their WiFi network and stores storing this credit card data locally.
But I can tell you that every retail customer I went into, and I say, Why hasn't this happened to you? They say, Luck. All these systems were built prior to the Internet and they get connected to the Internet and then all of a sudden everyone's a schmuck. It's the preventive step that people haven't taken. They'll plug gaps that they find, but they don't take the step back to say, what have we done here? It's changing rapidly. When I get the opportunity to talk in CEO venues, you can tell it's an issue that's getting to them. Most businesses, contrary to what you might hear from politicians, want to be trusted. They want to have a brand that equates to trust. I'm talking about any business. Especially retail. If you lose consumer confidence, you're in big trouble.
You mentioned PCI DSS. How much are you involved with helping customers with that?
Quite a lot. And one of the things that being part of EMC has allowed us to do is build out a consulting practice to help people understand the risk. Which is one of the things that I wanted to do, but couldn't afford to do as an independent company. EMC's got a pretty sizeable professional services organization and that's allowed us to piggyback on their infrastructure. We always had the subject matter expertise and then it was just a case of bringing on the right people and training them. So I expect that to be a pretty big part of our growth story going forward. I use the famous brakes on a car analogy. You'd never consider building a car without brakes, but you build a business without the security brakes. But security needs to be unobtrusive and only invoked if a risk is recognized. So why can't you do that with data flows? And that's what Tablus is all about, not just understanding data, but key words and phrases and whether data should be traveling in the direction it's traveling.
The industry is going through another of these periodic waves of consolidation. Do you expect that to continue?
It's different than it's ever been. When I started here 13 years ago, I saw no need for a security industry. I just assumed that security would be subsumed into the IT industry as a whole. And then everything took off without us. So now when I say it's coming full circle, I see that people see security needs to be built in. How many pure security companies over $200 million in revenue are there? The sizeable companies, ourselves, ISS, the companies that had an opportunity to get a lot bigger have gotten scarfed up. I think the VCs will continue to fund innovation. When I gave my keynote speech last year [at the RSA Conference], which is a lot more famous than I thought it would be, I qualified it by saying that there will always be innovative startups and there would always be a need for independent security applications, but they would be so related to the IT infrastructure that IT infrastructure companies would have to own them. SecurID exists independently of anything EMC does, but EMC feels the need to own a security company that has those kinds of offerings. I don't think it's bad economics for the customers because there's enough of us competing that I don't sell everything at list price. Customers at the end of the day do want fewer vendors.
So you would expect to see more consolidation?
Well, I had an interesting conversation with an investment banker friend of mine. I said I've never seen anything like it because it seems like the industry is consolidating and fragmenting at the same time. For every five companies that get acquired, there's 100 more out there. She said you should look at it like the Big Bang theory. There's all this security matter and security issues that need to get resolved and it's just blown up. The velocity of the expanding universe is faster than your ability to chase them down and tie them all together. So like endpoint or data leakage. How do you get everything to tie to the endpoint, and on and on and on. There's still all of these problems that need to get resolved. What we need to be mindful of is that we're productive with our engineering resources so we don't keep bolting things on. It's one of the problems that I think Oracle or IBM face because they've bought so many companies that they don't even try to integrate. They go in with the professional services and do it that way.
Getting back to the data breach problem for a second, do you see the need for any help from Washington on this?
Well, it's now at least two years and counting that I've been waiting for a breach notification bill to be passed by Congress, so they could just get around to doing that. I just find it appalling how long it takes these guys to get around to doing something that's obvious and that five or six committees each have a decent enough bill. Why they can't get together and pass something is beyond me. Politicians never miss an opportunity to stand on the steps of the Capitol and pontificate about how irresponsible business is, and yet they're as irresponsible as anyone. Kudos to the California people. But that bill's not perfect, which is why a federal bill would be nice.
