Balancing Computer Security and Innovation—A Talk with RSA’s Art Coviello
It’s no surprise that the president of RSA, the security division of Hopkinton, MA-based information management giant EMC (NYSE: EMC), has strong views about the need for better security practices within corporations and government agencies. But Art Coviello, who joined RSA in 1995 and helped engineer its 2006 acquisition by EMC, says the problem isn’t that companies aren’t aware of today’s cyber security challenges—it’s that they often aren’t doing the right things to address them.
Companies try too hard to protect the machines that data live on, rather than the data itself, Coviello told me during an interview earlier this month. They dive into faddish new technologies like cloud computing and social networking without investigating the new kinds of security risks they pose. And they focus too much on achieving technical compliance with government regulations, rather than on minimizing the risks those regulations are meant to address.
Coviello spoke with me shortly after RSA issued the latest report from the Security for Business Innovation Council, a group of 10 security executives from companies like Motorola, JP Morgan Chase, Time Warner, and Novartis. RSA assembled the council to draw attention to ways that businesses can continue to innovate—a process that often involves adopting untested new technologies—without exposing themselves to new waves of fraud, data breaches, and other cyber attacks.
Coviello was eager to share the recommendations in the report, which range from suggestions about specific security policies and technologies that companies can adopt to ideas for broad industry cooperation on ways to thwart cyber criminals. But I also asked him for his perspective on the recent increase in the number of New England-area companies offering so-called “governance, risk, and compliance” software, and for his views of the Obama Administration’s performance so far on cyber security issues. (A preview: he’s reserved, but optimistic—and has some specific suggestions on who President Obama should name as the new cyber security czar.) A condensed version of our interview follows.
Xconomy: What’s the main purpose of this latest report from the Security for Business Innovation Council?
Art Coviello: One of the things we tried to establish early on is that security doesn’t have to be viewed as an inhibitor of innovation. It can be viewed as an enabler of innovation. This is the fourth in a series of reports that does just that. It gives tips and advice on how [security] can not only not get in the way, but how it should give people confidence to do more things online.
But one part of what we’re bringing out here is that when it comes to things like cloud computing and social networking, people are just jumping ahead, and saying we’ll take care of the security later. That’s a bad idea.
X: Forgive me if this question sounds cynical, but cloud computing and certain forms of social networking are among EMC’s services and software these days—and so, obviously, is security. Wouldn’t almost any report coming from a group convened by the security division of EMC be recommending more adoption of security software?
AC: I can see how you could be cynical about almost anything that gets produced by a technology company. But the guys who are part of this study are independent. We facilitate it, we don’t pay them for it. You’ve got people like Bill Boni from Motorola, Anish Bhimani from JP Morgan Chase, David Kent from Genzyme, Craig Shumard from Cigna. You have a cross section of people, and they’re not making any money from cloud computing or social networking.
Having said that, the fact is that the horse is out of the barn, and people are going to be adopting these technologies, because they improve productivity and communication. You are not going to slow it down, but you can expose yourself to risks that you would feel fairly sorry about if you don’t address some of these security concerns. The report offers some specific guidance about not just the protections required, but how to afford them.
X: Okay, let’s run through the recommendations. [For clarity, the council’s recommendations are in bold type below.—Editor]
AC: The very first recommendation is to rein in the things that you are doing [as a security officer]. Chances are that you are protecting things that don’t need protecting, and you aren’t focusing on the things that pose the most risk. The second recommendation follows on that—it says make sure the services you get are competitive. Either outsource them, or if your outsource provider isn’t working effectively, change your provider. The third element is, don’t say no [when workers propose adopting new technologies]—say yes, but here’s how. Information security guys are not there to be the Dr. No’s of the company. They are the ones who should be involved up front, so that you’re doing it right.
Item four speaks to cloud computing. It’s that you should shift from protecting the container to protecting the data. If you are outsourcing your infrastructure to the cloud, then you don’t own the containers anymore. How am I authenticating people who access my cloud environment? How does the cloud provider ensure that my data doesn’t get commingled with somebody else’s? In the event of a breach, is the data encrypted? How is data leakage prevented? How can the provider prove that the environment is working in accordance with my policies? These are all things for which products and technologies are available, and some of these do come from RSA, which positions us as particularly strategic to the rest of EMC. With VMware [a virtualization company in which EMC has a controlling interest], and with so much of the data center relying on EMC storage, we are right at the forefront of the cloud computing phenomenon.
The fifth recommendation follows on that—it’s to protect the data itself with advanced monitoring techniques. We have shifted from static technologies that say “yes or no” to technologies that say “bend but don’t break.” These technologies are behavior-based; they look for anomalies. They are far more cost-effective and less intrusive and easier to deploy, and that’s the way security is trending generally.
The last two elements are things that the technology community should take to heart, and also each vertical industry. It’s clear that no one vendor can do it all—but it’s also clear that there are so many point products that fraudsters can just figure out how to navigate around each of them. There needs to be a technological ecosystem to counter the fraud ecosystem—which means the vendors need to figure out ways to get their products and technologies to work together. I hate standards bodies—they move too slowly, and they tend to work toward the least common denominator. But there are ways to move more quickly, by reaching out to partners. We have reached out to Microsoft and Cisco to create de facto standards that we then open up to other people to get on board.
[The last element is that] it’s also in the interest of [companies within specific industries] to tell each other how they’re getting attacked and exploited. They make each other smarter. It’s almost like a neighborhood watch. If JP Morgan Chase gets hit by a phishing attack, we know that within a day or a week that attack is going to hit Citigroup and eventually Barclays and Bank of China.
X: This is the fourth report issued by the Security for Business Innovation Council in the last 14 months. How have the group’s recommendations changed over that time?
AC: It’s a continuum. If you looked at all four reports you’d find a level of consistency. The first one was about how to make the security guys more relevant inside their companies—how to know the business so you can add value, know what projects are in the offing so you can get in ahead of the game. The second one was about the risk-reward equation—so much of security is based on what level of risk you’re willing to take. There are some approaches you can take to mastering that equation. The third one was in the heat of the economic meltdown, so it was all about being more cost effective.
X: Who reads these reports, and what kind of feedback do you get about them?
AC: We’ve gotten tremendous feedback. We get a lot of hits from security people. Journalists have eaten them up pretty well, too. We feel like we’re educating a large group, by calling on some of the best minds that are out there. It’s just another way we provide leadership in the marketplace.
X: Changing the subject—I wanted to ask you for your perspective on this emerging area called “governance, risk, and compliance,” or GRC. There are quite a few companies around Boston now that call themselves GRC software providers. Why do you think this is happening here, and do you see GRC as an important market for RSA and EMC?
AC: I’ll quote one of our own technical guys who is trying to get his arms around a definition of GRC. He said, “You could stick a ham sandwich under the umbrella of GRC.” It’s a big, amorphous term that could mean anything to anyone. Even within EMC, you’ve got our resource management group saying, “We are the GRC of EMC,” and you’ve got the content management and archiving group saying, “No, we’re the GRC of EMC.” Fortunately, cooler heads have prevailed, and we have a unifying story that we are actually taking to market in the next quarter.
But you’ve got a real challenge there. Is GRC about information risk? Is it about operational risk? Is it about business risk? Should you be doing all three together? How does one interconnect to the other? My view of it is that it’s too amorphous. I think it breaks down between business, operational, and information risk. EMC puts its stake in the ground around information governance, risk, and compliance. But we will do everything we can to link that with the operational risk guys and the business risk guys.
If you look at this entire financial meltdown, I think it’s extraordinary that technology has enabled us to create these incredible financial instruments and trade them at warp speed in volumes that were unimaginable 10 years ago. But then I’d ask you, with all of this improved productivity for delivering these instruments, has business risk management evolved as quickly? And the answer is obviously no. So business risk management has not kept up with the technology—and yet technology is the means with which we can keep up. It’s just so ironic to me.
Here’s my other view about GRC. The C is last, and it should be last. But the problem is that people are doing compliance first, because governance and risk are just too freaking hard. As much as everyone hates regulation, they will take the regulations and say, “tick, tick, tick—I’m complying so I can ignore the governance and risk part.” So that’s why you get people who pass the PCI audits and then wonder why they have breaches of their credit-card databases. [PCI stands for payment card industry; the PCI Security Standards Council sets standards for credit card account protection.—Editors] That doesn’t mean that the companies that focus on compliance and reporting aren’t helpful, but that ought to be the means by which you prove out what you’re doing on governance and risk.
AC: We applaud the Obama Administration for deciding to put an executive in charge of cyber security, even though he didn’t quite match his campaign promise of having that person report directly to the President. I never thought it would or should. But the fact that there will be central coordination for cyber security is a good thing. There are too many elements within the government—Justice, the intelligence agencies, homeland security, the civilian agencies that need to protect consumer information. There is way too much to be done. You should have someone coordinating that out of the White House, so we applaud that.
X: What about the conclusions of the 60-day review of cyber security plans that was carried out this spring by Melissa Hathaway at President Obama’s direction—do you think it went far enough?
AC: I think it’s solid. It’s got a number of good recommendations. But quite frankly, in 2003, Dick Clarke presented the “Strategy to Secure Cyberspace” for President Bush’s signature, and had we been actively implementing that strategy, we would be way ahead of the game. Six years later, we have not executed on that strategy one iota. And shame on the government, because industry—including myself—was ready to do that.
There has been sustained study of the problem, including a recent study by the Center for Strategic and International Studies, which I think Melissa Hathaway’s report borrowed liberally from—she took the substance of that to heart, and used a lot of that content, as well as other policies, in developing her 60-day report. All of that is good stuff, provided it is acted upon. I think we’ve got an administration that is making it a priority.
X: President Obama says he will name a cyber security czar to coordinate federal action. Hathaway herself is mentioned as one of the potential candidates. Do you think she’s the right person for the job?
AC: Hathaway would be okay. I would hope that we could get a vastly more experienced and higher-powered individual, but at least she knows the topic.
X: Do you have somebody better in mind?
AC: I actually think John Thompson [the chairman of the board of Symantec] is the best candidate. I would love to see a guy from the industry named. Tom Noonan, who ran ISS [Internet Security Systems, acquired by IBM in 2006], would be a great bipartisan appointment and a terrific candidate.