RSA head bets job on death of security

RSA president Art Coviello says he will quit his job if 'the security industry' is not dead within three years.

Increasing spending on security is becoming untenable, according to the boss of RSA — a company EMC acquired in 2006 for US$2.1 billion — who says that security must now become part of the infrastructure.

"On its current trajectory, [security spending] is going up to 3 percent [of the US$1.3 trillion global IT budget]. We can't continue to spend like this. Especially if you ask a CIO: 'were you more secure in 2006 or 2008 than you were in 2001?' No one will raise their hand, right? So what's wrong with this picture? We're trying to solve these problems reactively," he told ZDNet.com.au.

Instead, security should — and will if EMC has its way — be built into business initiatives from the outset, which will come at some expense to smaller, specialist security companies, said Coviello.

Two forces shaping the security landscape will make this change inevitable. On one hand, "nuisance" attacks focused on causing downtime, such as denial of service, have taken a back seat to "the wholesale theft of IP and wholesale fraud in financial services systems".

Meanwhile, businesses are opening up the borders of corporate systems to the public and business partners, creating greater potential for security breaches, especially while information is in transit.

"If we don't change the [security] model we'll never get it to be cost-effective and we'll never get ahead of these criminal elements," he said.

That so-called "new" model of delivering security can be seen in EMC's plans for Tablus, which RSA acquired in 2007. The discovery and classification engine sifts through unstructured data sources and will be released as RSA DLP 6.0 later this year.

A key target for this technology will be litigation-prone businesses, as new "e-discovery" rules are introduced to Australia placing an extra burden on companies to become "litigation ready". Discovery is the process by which parties in litigation request documents from each other prior to trial, relating to the facts in dispute. Squabbles over discovery are blamed for the exhausting length of court cases, including the recent C7 "mega-litigation".

The new rules place pressure on businesses to have more control over where and how their electronically stored information is managed, how its integrity can be guaranteed, and how it can be collected and searched with minimal disruption to the business.

However, it won't be RSA that deploys the technology, but rather EMC via its content management platform, Documentum.

"We are going to take that technology and integrate it across the content management infrastructure," said Coviello.

"Why can't that be used by EMC's content management product line to discover and classify important information, and to do things with that information commensurate with its value and thereby leverage that information? Why can't that same engine be used for legal purposes in the event of a lawsuit?"

If the security industry continues this way, it will spell the end for specialist security companies, as they are snapped up and wrapped within broader technologies, Coviello believes.

"If you look at something like data leakage prevention (DLP), you know it's not that there won't be new, innovative security companies. There will be. But with DLP, the three newest companies in that space — Port Authority, Vontu and Tablus — all those companies were snapped up within a year."

Last year Symantec acquired Vontu for US$350 million, Websense acquired Port Authority for an undisclosed sum, and McAfee launched its own DLP offering, DLP Host.

"Now, you could argue that Websense is a security company, so maybe at some point Websense will get consolidated. If you could look at Symantec, you'd say, 'Well Symantec is a security company'. But I would argue they're doing the reverse [to EMC] — a security company that's acquiring infrastructure companies such as Veritas."

And if niche security companies on the same scale as Vontu, Tablus and Port Authority are still here in two years, Coviello promises to follow Bill Gates' lead after Gates got his prediction that spam would be gone by 2006 wrong.

"See [Bill Gates] had to retire as a result of his prediction that spam would no longer be here by 2006," Coviello joked. "So if the security industry is around in a few years, I will have to retire."