Coviello joined RSA Security in 1995 and brought in its acquisition by EMC in 2006. Since 1995, Coviello has been a key force of growth, as RSA's revenue expanded from $25 million in 1995 to more than $310 million in 2005.
Coviello gives his insights on the security landscape and what needs to be done by CIOs to counter the relentless onslaught of threats.
What do you expect to come out of this year's RSA Conference this year?
This year’s event will provide an unrivalled platform for debate and discussion from policy makers, businesses and vendors. Delegates can expect to hear discussion around the top issues of today.
Specifically, we can expect increased awareness around the need to protect data beyond the confines of the corporate network. The conference will explore how the requirements for information security have changed considerably over the last few years. Investment in securing the network perimeter has done a good job of protecting core business systems, but this approach does not take into account the way that information flows into, out of and through a modern organisation. In order for businesses to flourish they must stop looking at information – and information risk – in a vacuum and start treating it in a consolidated and holistic manner across the organisation.
What are you going to talk about in your keynote address?
I will be talking about how information security is falling short of its promises, and why it is now time to change the game. Despite billions of dollars of investment, the reality is that we have not successfully implemented information security. We have secured the infrastructure surrounding the information but rarely do we protect the information itself.
I will address the challenge that information security presents in the increasingly-connected global infrastructure, and what the world would look like and what great possibilities would emerge if we get it right.
You will also hear RSA’s vision that sees a fundamental shift in how we think about security – no longer as a technology, but as a strategy that underpins and powers dynamic new business behaviours and helps organisations achieve their full potential.
What is the difference between issues and attitudes around security for Europe compared to the US?
Directionally, issues and attitudes around security are very similar in both Europe and the US. That is not altogether surprising as the issues and threats we face are global in nature, being increasingly motivated by criminal intent and financial gain. There are some differences in how we approach the solutions to these issues, however. For example in Europe, there is no breach disclosure law and this has a big impact on the way organisations approach the protection of their customers' confidential data.
California saw the introduction of data breach notification legislation some time ago, which compels businesses to inform customers if their personal data may have been compromised. The legislation has since been mirrored in a number of other US states and highlights the duty of care that business has to its customers.
This legislation is being debated in the European Commission and is likely to emerge as a directive in 2008. One of the plenary debates at the conference will be on this topic and its relevance to the European market.
For similarities, we are seeing businesses in EMEA and the US invest in a multi-layered approach to security, whether with tokens or risk-based analytics. The key is to make the ‘security experience’ as seamless and straightforward as possible for the end user, reducing the risk that people will take short cuts.
This year has seen a multitude of lost and unsecured laptops leading to data leakages. Will enterprises ever learn?
Enterprises are beginning to get to grips with a fundamental truth: that they cannot expect users to do the right thing at all times with company data. It is too much of a burden on users to expect them to be the primary stewards of corporate security policy over their laptops, desktop PCs and mobile devices.
As a result, enterprises are turning to data loss prevention solutions that are designed specifically to combat this problem without the need for user intervention. Using this approach, corporate policies are pushed through the fixed and mobile environment and can actually help decide, based upon the type of data, on what to allow and what not to allow. With this in place, you can determine what is safe and permissible, what is unsafe and should be prevented, or what is risky but requires administrator alerts.
This type of technology puts the responsibility and burden of control of sensitive company information in the hands of security professionals - and not onto the end-users.
The infrastructure needs to be able to protect itself and the data that transacts through it. You will be charged millions for embarrassment, but not one cent for defence.
Should companies be more open about whether or not they have had a data security breach and the damage caused?
The reality is that many organisations today are still not in a position to determine exactly what has transpired – or to what extent – when a breach occurs. This is because they are often not equipped with a complete view of all the data that is produced by, stored in or that passes through their network in the first place. It’s a major issue, but a critical one if businesses are to gets their arms around the digital explosion and get themselves into a position to manage the data they have holistically and appropriately. I would like to see companies focusing their efforts on clearing this hurdle and managing their complete information landscape according to the specific, associated risks.
Hackers and malicious code distribution has become more professional over the years, how can we win the fight?
We’re in for the long haul on this one. It is a fight, or more accurately an arms-race, in which both sides will forever battle to stay one step ahead of the other. I am proud that RSA is a leader in that arms-race, and we have achieved some significant successes. We have already seen a steady evolution over time, from the script-kiddies who would deface a website to impress their peers to today’s super-organised online fraud cartels that deploy a range of sophisticated techniques for the purpose of financial gain.
Vigilance is key, as is education and the evolving thinking around "intelligent security". What I mean by that is the importance of shifting the emphasis of security away from battening down the hatches or hardening the network perimeter – after all, data will always move around and often needs to be shared with third-parties – and toward securing the data itself, at-rest and in-motion, across devices and over time. Security should be applied continuously and intelligently so that it is commensurate with the level of risk posed by the information to be protected. But above all, it must be built-in and ever-present.
Where do you see your customers spending their IT security budget this year?
We see customers wanting to work with fewer vendors with broader security offerings, and who can provide a holistic approach to information security. Security budget justifications are trending towards risk factors throughout the information infrastructure. We’re seeing a dramatic increase in spending to prevent data breaches and protect credit card data and personally identifiable information.
Key management and data loss prevention technologies have been particularly popular in this respect. In the financial services industry, much of the focus continues to be on managing risk and protecting online transactions through risk-based authentication. And getting more attention than ever is the ability to track and analyse all security events on a network, to not only protect against data breaches, but to provide the key log and audit mechanisms to meet regulatory compliance mandates.
In this part of the world, we see that Western Europe accounts for almost 90% of information security spending in Europe, the Middle East and Africa. The UK is the largest market for security, with Germany, France and Italy following in terms of market size. Not surprisingly, European information security managers indicate that a lack of executive support and user awareness constitutes their biggest challenge.
What are the biggest IT security threats businesses and consumers face?
Both consumers and businesses face an increasingly-sophisticated crimeware ecosystem which specifically targets vulnerable groups, including employees of financial institutions and executives.
This crimeware ecosystem is complex, methodical, and professional, focusing on social engineering, vulnerable applications such as enrolling new customers, and vulnerable channels such as telephone banking. Just like businesses, cyber criminals have a “go-to-market” strategy that starts with attacking the largest major markets first like the United States. Now we are seeing increasing online fraud in Japan and a dramatic increase in malicious online activity based in the city of St. Petersburg.
Are security concerns hindering e-commerce?
Last summer Gartner reported that, in 2006, close to 50% of online consumers had changed their behaviour because of security incidents and that almost 70% are more careful entering sensitive data. RSA has also seen some evidence of both consumers and businesses drawing back from e-commerce as a result of security concerns. I think that is inevitable to an extent.
What I find encouraging, however, is the feedback from organisations that report accelerated growth in e-commerce – and in the adoption of online services – as a result of their measures to enhance security. There is a clear correlation between showing your customers that you take their security seriously, and that sense of responsibility being repaid with greater usage, trust and confidence.
Social networks are a boom phenomenon. Are you concerned about the security and identity theft risks they pose?
There are certainly risks that members of these networks need to be aware of. People post a lot of personal data on social networking sites that can be exploited – including date and place of birth, where they live, and more. Think about what you need to open a bank account – your date of birth, address and something like a social security number: some people readily post two out of those three on their social networking home pages. I would not put my birthday on a website – and certainly not when all that’s protecting me is a static password!
What’s interesting is that RSA did a man-on-the-street survey in 2005, under the guise of a tourism study, in which we asked people face-to-face for exactly this type of personal data. It was surprising, and concerning, that they gave it up to us back then – but now today they’re posting it on the Web of their own accord! And the irony of it all is that this is the type of information that businesses are being compelled to protect with robust security on behalf of their customers – or face the consequences.
What trends cause you concern for the future?
Criminals are constantly becoming more organised and sophisticated and are developing technology which they use to gather personal data from multiple sources and then put together to form a clear profile for exploitation. The focus has shifted from getting inside the perimeter to exploiting vulnerable data and creating false identities.
I am concerned that the attacks largely focused today on financial institutions are going to become increasingly focused on other industries rich with personal details, such as healthcare. I have also seen increased movement in Trojans and Man-in-the-Middle attacks with trends towards attacking vulnerable points of contact, such as account enrolment.
What are your thoughts on the UK's identity card programme?
RSA is in favour of appropriate government action if it will improve national and citizen security. It is critical, however, that the technological design and infrastructure around that action be comprehensively thought-through for the long-term, so that the programme is flexible enough to absorb the impact of emerging threats and new scenarios that will inevitably rear their heads in the future.