Securing more than a return on investment

Art Coviello, chief executive at RSA Security, believes that investing in IT security measures for areas such as remote access...

Art Coviello, chief executive at RSA Security, believes that investing in IT security measures for areas such as remote access can bring a dual advantage for firms.

IT security has always been high on the agenda for IT directors and chief executives, but with most company boards reining in their spending, it has never been more important that investment in security also brings a return.

If the RSA Conference in San Francisco earlier this month is anything to go by, this message has started to filter through to security suppliers. Their attention is turning very firmly towards offering systems that save money and generate new streams of income for businesses.

Art Coviello, president and chief executive at RSA Security, which specialises in software security products, claimed that while the downturn may have damaged some firms, it has also forced the rest to become much more focused on the real needs of the businesses they serve.

RSA, like many user companies, has grasped the efficiency nettle by outsourcing some of its development work offshore to India and Russia. But rather than seeing this as a symptom of cost cutting, Coviello sees it as a strength. It is, he said, an opportunity to supplement the firms' US expertise by drawing on a larger pool of international talent.

"You can't be a chief executive officer and not be an optimist," he said in an exclusive interview with Computer Weekly. "There are tremendous productivity improvements to be gained from better security."

Analysts believe these productivity gains will come from new remote-access technologies that will allow companies to open up their networks to their customers and their business partners.

At the same time, single-sign-on technologies, currently being developed by industry groups such as the Liberty Alliance, will allow firms to radically cut the cost of password management and simplify network access.

Coviello has staked his company's future on the success of remote access technologies. He predicted they will have radical implications for businesses.

"A just-in-time inventory becomes literally true, and offering more products more quickly to your customers is a reality. The importance of reducing unit costs and business costs is much greater than before. Companies will either have to embrace this or they will not survive."

Coviello pointed to one of RSA's customers, a US insurance company, as an example of the way security technology can transform a company's business processes. The company is using remote-access software to give insurance brokers direct access to their websites.

Once the brokers are online, the company's website can redirect them to other insurance products that might be of interest. "They have no reason to go to a competitor because it is much easier to come to you. You have created a competitive advantage," he said.

Security can be used offensively, not just defensively, Coviello said. Single-sign-on systems mean users do not have to remember complex passwords that are changed every month.

"Most helpdesk calls are made by people who have forgotten their passwords, so that is a big saving. But it can also expand the number of applications and the number of people you can have online because you do not have to worry about who is accessing your systems," he said.

Coviello acknowledged that businesses still have a long way to go before they have addressed the defensive aspects of security. Good security is a never-ending struggle, he said.

"People think they can solve problems while their businesses grow. The number of network nodes and applications increases exponentially every year. That means the number of vulnerabilities increases every year."

There are signs that as the better security suppliers focus on the need for businesses to improve the bottom line, that spending on security is picking up. But Coviello does not expect a rapid bounce-back.

"We had good success in the third and fourth quarters last year. We continued that success in the first quarter this year, but it has not been easy.

"The first clear signs of recovery you see are in activity levels. The number of leads the industry generates has increased, but sales cycles take from six to 18 months. I think you will see improvements in 2003 but nothing dramatic. It will either become a table-setting year for a robust 2004, or we will continue with a slow gradual recovery."

Read more on IT risk management