Security breaches at large corporations, governments and even military organisations are becoming increasingly commonplace, but when an IT security firm is breached, it still causes more than a little stir.
Particularly when that IT security firm is RSA, the security division of EMC, and is a supplier to many of the world's largest corporations, defence industry contractors and government organisations.
Reputational damage, as most IT security professionals will tell you, is often greater and more difficult to recover from than the data breach itself, but just over a year later, it is hard to believe that RSA was ever breached at all.
Art Coviello, executive chairman of RSA, looks more relaxed than ever, even though he has just arrived in London by train from a day of meetings with CIOs in France, which came hot on the heels of similar meetings in China and Australia.
"I am seeing more CIOs than ever before," he says. RSA is no longer on the back foot, it seems, but instead capitalising on its battle-scarred status – a tactic that was already in evidence at RSA Europe Conference 2011.
Response, recovery, resurgence
Barely six months after the breach, RSA president Tom Heiser told attendees of the event in London that it had made RSA more focused and more experienced, and provided first-hand knowledge of what it is like to detect and mitigate the effects of an advanced persistent attack.
Fast-forward three months to RSA Conference 2012 in San Francisco, and barely a year after the breach, Heiser states confidently that RSA has moved from response to recovery to resurgence.
"The response was about remediation, recovery was about sharing information, and resurgence is about what we can do with all we have learned. There was a bloom of innovation for defensive reasons, which we can now use to benefit our customers," he told Computer Weekly.
Infused with this same confidence, Coviello is on a mission to engage with as many CIOs around the world as possible to discuss the reality that traditional perimeter-based defences are no longer working.
"CIOs are keen to talk about how to evolve their IT defences; how to get ahead," says Coviello. "Accepting the inevitability of compromise is not the same as accepting the inevitability of loss."
Securing strategic relationships
RSA is championing intelligence-led security systems that pull information from across an organisation, analyse it and turn it into actionable data, allowing businesses to move beyond the scalability and performance limitations of traditional data leakage prevention (DLP) and security information and event management (SIEM) systems.
To that end, RSA has begun forming strategic relationships with other IT security suppliers, such as an initiative to provide higher levels of authentication for mobile users. Rather than attempting to be all things to all people, RSA is partnering with other security suppliers such as Good Technology, Zscaler, Citrix, VMware and FeedHenry.
At RSA Conference 2012, Coviello used his keynote to issue a call to arms to the security industry. Only together, he said, could they win the race against their common enemy.
True defence-in-depth cannot be achieved with a siloed approach, he says. In contrast, an intelligence-led approach includes contextual information and enables organisations to manage risk at a more granular level.
This vision of intelligence-led security, in which organisations are able to monitor, correlate and analyse what is happening within all IT systems across the business automatically, is resonating with CIOs who realise they have to do things differently.
But few organisations are in a position to do this, Coviello has found, and RSA has learned from experience how important it is to manage both internal and external risk. "Train and test all employees on evaluating risk," he advises.
In the light of experience, RSA has appointed a chief risk officer, who is dedicated to evaluating risk across the business. Coviello says IT risk is inextricable from overall risk, but management of risk has, in most cases, failed to keep up with technology.
"Boards need to get educated on this risk. They need to understand it, because if they don't they won't be able to provide the necessary oversight or appropriate support," he says.
Leading the way in IT security
Returning to the technology, Coviello allows that continuous monitoring and analysis will not be the solution to every threat, but he believes it provides a framework that has a long life ahead of it. He dismisses objections that this approach will raise too many false positives.
The use of fingerprints and DNA sampling in crime fighting was rough at first, he observes, but with refinement both have become accepted and effective ways to catch criminals. "With recent advances in computing power and storage, the vision of intelligence-led security is technically feasible," he says.
RSA's vision is not altogether altruistic either. Even though there is "still a lot of revenue" coming in from its core SecurID authentication product, the company is aware of the need to add value.
Coviello believes that by adding situational awareness, RSA can breathe new life into its authentication business. "By thinking innovatively in terms of behaviour, we can prevent one-time password tokens going the way of anti-virus software," he says.
To RSA's credit, it is not attempting to be all things to all organisations and its vision is not only inward-looking. In the past year, the company has demonstrated its ability to pull together other suppliers, including some competitors, to build interoperable components to enable better security systems. RSA has also worked with partners on defining the most important problems to tackle and leading discussions between customers and between the public and private sectors.
Coviello and Heiser are keen for RSA to take a position of leadership in the IT security industry. This strategy will undoubtedly be good for business, but it should also be good for security, which is what counts.