RSA 2007: Art Coviello spells out the challenges ahead

As the RSA Conference, the largest security conference of the year, looms, Art Coviello, RSA Security's president and CEO, spoke to Computerworld UK about the UK ID card scheme, European data breach laws and an increasingly sophisticated online crime ring.


Coviello joined RSA Security in 1995 and brought in its acquisition by EMC in 2006. Since 1995, Coviello has been a key force of growth, as RSA's revenue expanded from $25 million in 1995 to more than $310 million in 2005.

Coviello gives his insights on the security landscape and what needs to be done by CIOs to counter the relentless onslaught of threats.

What do you expect to come out of this year's RSA Conference this year?

This year’s event will provide an unrivalled platform for debate and discussion from policy makers, businesses and vendors. Delegates can expect to hear discussion around the top issues of today.

Specifically, we can expect increased awareness around the need to protect data beyond the confines of the corporate network. The conference will explore how the requirements for information security have changed considerably over the last few years. Investment in securing the network perimeter has done a good job of protecting core business systems, but this approach does not take into account the way that information flows into, out of and through a modern organisation. In order for businesses to flourish they must stop looking at information – and information risk – in a vacuum and start treating it in a consolidated and holistic manner across the organisation.

What are you going to talk about in your keynote address?

I will be talking about how information security is falling short of its promises, and why it is now time to change the game. Despite billions of dollars of investment, the reality is that we have not successfully implemented information security. We have secured the infrastructure surrounding the information but rarely do we protect the information itself.

I will address the challenge that information security presents in the increasingly-connected global infrastructure, and what the world would look like and what great possibilities would emerge if we get it right.

You will also hear RSA’s vision that sees a fundamental shift in how we think about security – no longer as a technology, but as a strategy that underpins and powers dynamic new business behaviours and helps organisations achieve their full potential.

What is the difference between issues and attitudes around security for Europe compared to the US?

Directionally, issues and attitudes around security are very similar in both Europe and the US. That is not altogether surprising as the issues and threats we face are global in nature, being increasingly motivated by criminal intent and financial gain. There are some differences in how we approach the solutions to these issues, however. For example in Europe, there is no breach disclosure law and this has a big impact on the way organisations approach the protection of their customers' confidential data.

California saw the introduction of data breach notification legislation some time ago, which compels businesses to inform customers if their personal data may have been compromised. The legislation has since been mirrored in a number of other US states and highlights the duty of care that business has to its customers.

This legislation is being debated in the European Commission and is likely to emerge as a directive in 2008. One of the plenary debates at the conference will be on this topic and its relevance to the European market.

For similarities, we are seeing businesses in EMEA and the US invest in a multi-layered approach to security, whether with tokens or risk-based analytics. The key is to make the ‘security experience’ as seamless and straightforward as possible for the end user, reducing the risk that people will take short cuts.

This year has seen a multitude of lost and unsecured laptops leading to data leakages. Will enterprises ever learn?

Enterprises are beginning to get to grips with a fundamental truth: that they cannot expect users to do the right thing at all times with company data. It is too much of a burden on users to expect them to be the primary stewards of corporate security policy over their laptops, desktop PCs and mobile devices.

"Recommended For You"

Round-up: RSA Security Conference Europe 2007 RSA: Nation-state responsible for SecurID breach