RSA muscles up on core capabilities
newsmaker RSA COO Tom Heiser doesn't consider himself a visionary because he "cannot predict where things are going to be in five years". But the company veteran is certain about one thing: security will be an increasingly critical component as cloud and mobile adoption continue to grow.
Heiser joined EMC, which acquired RSA in 2006, as a sales trainee in 1984 after graduating from the University of Massachussetts. The executive progressed through 12 positions within the company before landing up at the EMC security arm in July 2008.
With over 26 years of experience under his belt, the COO considers formulating and executing strategies his strongest suit--skills that are critical in building up RSA's core strengths in authentication and security management, which he described as "hot growth areas"--thanks to the rise of cloud and mobile computing.
Recently in Singapore to meet up with sales partners, Heiser met up with ZDNet Asia to discuss RSA's business plans and chat about new year resolutions and the risks in migrating to cloud computing.
It's been three years since the economic downturn in 2008 and things are finally looking bullish for the global economy. Is one of RSA's new year resolutions to capitalize on this upswing and enter new markets?
There's this book called Profit From The Core which we use as a template, and this talks about how close we should stay true to one's core businesses.
Using this as part of our strategic planning process, we determined that RSA has three cores to our business. One core is authentication, the second is security management, while our third "emerging" core is around virtualization and cloud computing.
Are we branching out of these? Probably not. I mean, we take a look at the whole landscape of security, and we see what's hot, where's the growth. Security management is super hot, virtualization and cloud computing is crazy hot, so we're already in these hot, high-growth areas.
What we don't want to do is delude ourselves. You won't see us getting into network-based security or endpoint-based security, firewall or antivirus. Those are big but, like antivirus, super slow growth and ripe for disruption. You can take a look at the numbers--antivirus is estimated to be effective 35 percent of the time. So, we're assuming the firewall will be breached and antivirus won't work.
Where do you see RSA's focus heading in 2011?
What RSA has done is we have assembled a portfolio of products, solutions and services into a suite that addresses customers' challenges. IT spend is supposed to grow 4 to 6 percent this year, and the security market is supposed to grow 9 percent. If you look at these figures, security is twice what the IT spend is. This demonstrates that we're in areas of high growth.
One of these areas is in security management. We're putting RSA's enVision, security information and security management, data loss prevention (DLP) and Archer Technologies' GRC (governance, risk and compliance) products into a suite, which is where customers are spending their dollars.
The other trend is the explosion of virtualization and cloud computing, and their associated risks. We have tons of data on that, and one statistic that jumped out at me was that 91 percent of CIOs are concerned about security with cloud deployments. Another survey showed that 51 percent of CIOs said security was their No. 1 concern. So, we're attacking this concern and our portfolio is uniquely positioned to capitalize on that.
That would mean that some companies still can't quite manage the security risks involved when moving to the cloud?
Absolutely. It's something I see all the time.
About two months ago, for instance, we were talking to one of the top five global healthcare companies which recently completed a huge private cloud deployment. The company was very progressive and driving cloud for cost savings and operational efficiencies. So it was virtualizing its IT infrastructure and was going crazy with that.
But when we met the CIO and his team, he was, like, 'I need a strategy to keep up with this thing'. He wasn't involved in the upfront deployment, so now what he's doing is playing catch-up with how to protect that environment. This happens all the time.
I wouldn't call the CIO's reaction as panic, but you could see huge concern on his part where it was reactive rather than proactively building security into the company's cloud deployment.
You identified authentication as one of RSA's core areas. Could you give us a glimpse of authentication innovations that are on the cards?
If we go back seven years ago, over 80 percent of RSA's business was SecurID. In 2011, this will be the first year that SecurID constitutes less than half of our business. It's not that the business is declining, but that all the other areas are seeing high growth.
If we fast forward, we still have the largest market in authentication but what we're doing is deploying it in a cloud environment, which is the next big thing.
Mobile authentication is also a big growth area for us. There are over 300 million identities we're protecting through our software-as-a-service (SaaS) application products. There'll also be other things through mobile and non-token-based authentication, which are coming up real soon.
Mobile security presents a huge opportunity for us. How do we protect smartphones and make sure these are secured? The other challenge is how we can turn this device into an authenticator.
So these are great opportunities on both fronts: to secure the device, and using the device to secure.
Rivals such as Dell Computer, which acquired storage vendor Compellent last month, and Hewlett-Packard have been pretty active on the acquisition front. Are you planning to join in on the M&A (mergers and acquisitions) fray?
We will be acquisitive, mark my word on that.
Acquisitions aside, though, we're driving a lot of internal innovations as well. So, we'll stay true to our core, but we're going to complement it both organically with our own development as well as through M&A activities.
You've been with EMC since 1984, fresh out of graduating from the University of Massachusetts. Ever thought of doing something else, like, investing in your own startup?
You know it's an interesting question because I once thought of becoming a venture capitalist (VC). But, I'm not a visionary, I can tell you that now. I think I'm very good with execution, and I can develop a strategy but I can't predict where things are going to be in five years.
I probably picked only one stock to invest in in the past five years--General Electric at US$8 a share--because I knew it wasn't going to go under. That's why I never became a VC!
Today, I put everything into my work and family but leave the rest, such as investing, to the professionals.
Did you plan to stay with the same company for so long?
I didn't plan for it. I would have bet anything that I wouldn't have been with the same company for 26, almost 27 years. Never in a million ways would I have planned it the way my career has panned out.
In fact, I was 22 years old when I first started out and I wanted to work for IBM, but that offer didn't come in until after I started with EMC. By then, Roger Marino, one of the founders of EMC, wouldn't let me quit. I still see him socially and I thank him for keeping me here every time.
I don't know if you consider it a role or a job but, to me, I had about 12 different jobs in my almost-27 years at EMC. That has allowed me to stay fresh and learn. It's like every time I'm wrapping up a role, they would say, 'Hey, do you want to run M&A?' and I'd think, 'I'd love to run M&A!' So I go run M&A. Or 'Hey, RSA's got some changes going on' and I'd say 'I love RSA! They've got so much potential', and there I go. It's just been unbelievable for me.
In one sense, being at EMC is all I know, and yet, it's also kind of embarrassing. But who knows what's next? One of my tenets is to do the best job possible and your career and compensation will follow. It's a little bit idealistic, but I haven't seen anybody following this motto not get rewarded by it.