RSA: Standalone security firms are doomed

Security vendors have been 'too self-righteous and smug', claims RSA president Art Coviello
Written by Graeme Wearden, Contributor

Within a few years, companies that offer only security products will have been relegated to the history books.

So claimed Art Coviello, president of RSA Security, at the RSA Conference 2007 in San Francisco on Tuesday. Coviello predicted the end of the standalone security industry — those companies that offer only protective services such as antivirus or encryption — within two to three years.

"Our industry is ripe for a transformation. In fact, it's already underway," Coviello declared. "With the exception of a few exceptional start-ups, there will be no standalone security businesses within three years."

In a keynote address that criticised the security industry for the way it has operated in recent years, Coviello argued that a more integrated response is needed to combat the scale of the threat facing internet users and businesses today.

"As an industry of security vendors, we've been too self-righteous and smug. Focused more on our challenges than on trying to perfect security. We've been motivated largely by threats and we've been chasing after them while looking over our shoulders and muttering to everyone 'we warned you' like a bunch of latter-day Cassandras," said Coviello, referring to the mythical Greek heroine whose prophecies were ignored.

Coviello pointed out that 200,000 viruses are expected to be released this year, which will pose a huge challenge to the antivirus industry, and that intrusion-prevention systems are only catching around 70 percent of attacks.

The solution, Coviello argued, is to worry less about individual threats and focus more on ensuring that the most important data is kept properly secure, perhaps through strong encryption. This requires data to be properly tagged and stored. Pattern-recognition systems could also be built into a company's infrastructure, to detect and respond to suspicious behaviour.

Such approaches would require solid integration with storage and networking products, Coviello argued, and couldn't be performed well by a pure-play security vendor. He cited his company's takeover, announced on Tuesday, of Indian database storage firm Valyd.

However, with 300 security companies exhibiting at RSA Conference 2007 — around 100 more than last year — there are indications that the market is expanding rather than consolidating.

RSA, which specialises in encryption and authentication methods, was taken over by storage giant EMC last year. The acquisition was criticised by some analysts at the time who claimed that EMC would struggle to integrate RSA's products into its storage offerings.

EMC's chief executive, Joe Tucci, who was also speaking at the conference, insisted the acquisition was going well and made sense in today's climate where companies need to make security a top priority.

"Customers wanted us to take their digital assets that we had stored and... protect them in another way, to make sure that it was encrypted, with really robust centralised key management," Tucci told journalists and analysts.

The purchase of RSA puts EMC in closer competition with Symantec, which recently bought storage firm Veritas. John Thompson, chief executive of Symantec, told the conference that businesses need an IT risk manager to cope with the greater threat posed as consumers increasingly use mobile devices to access the internet.
