It’s no surprise that the president of RSA, the security division of Hopkinton, MA-based information management giant EMC (NYSE: [[ticker:EMC]]), has strong views about the need for better security practices within corporations and government agencies. But Art Coviello, who joined RSA in 1995 and helped engineer its 2006 acquisition by EMC, says the problem isn’t that companies aren’t aware of today’s cyber security challenges—it’s that they often aren’t doing the right things to address them.
Companies try too hard to protect the machines that data live on, rather than the data itself, Coviello told me during an interview earlier this month. They dive into faddish new technologies like cloud computing and social networking without investigating the new kinds of security risks they pose. And they focus too much on achieving technical compliance with government regulations, rather than on minimizing the risks those regulations are meant to address.
Coviello spoke with me shortly after RSA issued the latest report from the Security for Business Innovation Council, a group of 10 security executives from companies like Motorola, JP Morgan Chase, Time Warner, and Novartis. RSA assembled the council to draw attention to ways that businesses can continue to innovate—a process that often involves adopting untested new technologies—without exposing themselves to new waves of fraud, data breaches, and other cyber attacks.
Coviello was eager to share the recommendations in the report, which range from suggestions about specific security policies and technologies that companies can adopt to ideas for broad industry cooperation on ways to thwart cyber criminals. But I also asked him for his perspective on the recent increase in the number of New England-area companies offering so-called “governance, risk, and compliance” software, and for his views of the Obama Administration’s performance so far on cyber security issues. (See page 3. A preview: he’s reserved, but optimistic—and has some specific suggestions on who President Obama should name as the new cyber security czar.) A condensed version of our interview follows.
Xconomy: What’s the main purpose of this latest report from the Security for Business Innovation Council?
Art Coviello: One of the things we tried to establish early on is that security doesn’t have to be viewed as an inhibitor of innovation. It can be viewed as an enabler of innovation. This is the fourth in a series of reports that does just that. It gives tips and advice on how [security] can not only not get in the way, but how it should give people confidence to do more things online.
But one part of what we’re bringing out here is that when it comes to things like cloud computing and social networking, people are just jumping ahead, and saying we’ll take care of the security later. That’s a bad idea.
X: Forgive me if this question sounds cynical, but cloud computing and certain forms of social networking are among EMC’s services and software these days—and so, obviously, is security. Wouldn’t almost any report coming from a group convened by the security division of EMC be recommending more adoption of security software?
AC: I can see how you could be cynical about almost anything that gets produced by a technology company. But the guys who are part of this study are independent. We facilitate it, we don’t pay them for it. You’ve got people like Bill Boni from Motorola, Anish Bhimani from JP Morgan Chase, David Kent from Genzyme, Craig Shumard from Cigna. You have a cross section of people, and they’re not making any money from cloud computing or social networking.
Having said that, the fact is that the horse is out of the barn, and people are going to be adopting these technologies, because they improve productivity and communication. You are not going to slow it down, but you can expose yourself to risks that you would feel fairly sorry about if you don’t
