RSA's Ex-CEO Coviello Back In The Game

Art Coviello, former head of RSA Security, has returned to the security industry after retiring from RSA for health reasons.

Art Coviello, the longtime head of security company RSA, in February stepped down from his role as executive chairman of RSA and executive vice president at parent company EMC due to undisclosed health reasons. The former executive took about a month off and since then has quietly returned to the security industry.

Coviello and RSA were under fire in late 2013 in the wake of a Reuters report that the NSA in 2006 had paid RSA $10 million in a secret contract to use the Dual EC DRBG random-number generator algorithm in RSA's BSafe software in order to facilitate the NSA's spying programs. The random-number generator reportedly was one that the NSA was able to crack.

The company dismissed the allegations in a blog post, and Coviello later said RSA had been doing business with the NSA's cyberdefense arm, the Information Assurance Directorate, which was "a matter of public record." NSA's IAD traditionally has worked with security firms in the standards space, for instance.

In one of his first interviews since retiring from RSA, Coviello this week spoke with Dark Reading about his new role in the security industry now, how he sees the security and privacy debate shaping up, and what it's like to be semi-retired. Coviello will take the stage later this month at the Privacy.Security.Risk 2015 conference in Las Vegas, where he will deliver a keynote address.

"I do plan to stay in the game," he says of his future plans in security.

Dark Reading: First and foremost, how are you doing health-wise?

Coviello: I've got an ongoing health issue that needs to be kept an eye on. I'm being monitored. If anything, the last physical I had was one of my better ones in years. You should see a slightly leaner and meaner me [now].

Dark Reading: What have you been up to since you left RSA in February?

Coviello: Rally Ventures is one of a number of things I'm engaged in. I help them with deals, selections, and also help advise the companies they invest in. I've set up a little consulting firm -- Art Coviello Associates -- and am doing a bit of consulting to one of the consulting firms … I'm also on a number of boards [including EnerNOC and AtHoc].

I can get a lot done working in my home up in New Hampshire for three or four hours, gazing out at the lake. Then I'm hopping on jet skis with my wife, and I'm playing golf in the morning. It's not a bad life. I focus more on my health [now]. I'm training for a half-marathon with my wife and daughters.

Dark Reading: What security issues are on your radar screen right now?

Coviello: My thinking has evolved … and it's clear to me that … you cannot have privacy without security. But by the same token, the level of security being provided can't be a major threat to privacy. So how do you reconcile those kinds of points of view on a macro basis, on a national and international basis and on an organizational basis? It's amazing how complex this is.

I come at it from a security bias. RSA invented the kind of encryption that protects people's privacy, and I'm a huge advocate for privacy. But by the same token, if you look at it from the law enforcement person's perspective, they [are saying] 'I can't do my job if everything is encrypted and I can't get at it.' I can understand his perspective if I put myself in his shoes. But I can also understand the perspective of people about their Internet freedoms and how they can potentially be abused.

Dark Reading: How did the fallout from the NSA document leaks ultimately help or hurt security and privacy?

Coviello: That pre-supposes that the tech industry was in wholesale cahoots with the NSA, which it was not. The fact is ... the NSA doesn't have the ability to bulk-collect like they used to. I do think there has been a huge change in attitude among politicians about respecting privacy and recognizing the need to not just have the appearance of it. And people's privacy is not going to be abused as we try to protect them.

The only way we're going to reach an agreement on an issue such as security and privacy is if we have true dialog, and recognize you have these native biases and try to put yourself in the other person's shoes and understand where they are coming from. Now you're in a better position to compromise and to understand the other side. That's what we desperately need in this security and privacy discussion.

Dark Reading: What do you see as some of the main failures in security to date?

Coviello: Quite frankly, the core AV technologies. They're not keeping up. Things like VPNs and firewalls, they are table stakes things. They're commodities. What I worry about less is technology being eclipsed, and more about how you keep adding control after control, which is why I am such a fan of technologies that gather input from multiple controls.

Art Coviello
Photo: RSA Conference

Dark Reading: What do you consider the more promising trends in security today?

Coviello: I think we can do a gigantically [better] job at rooting out … vulnerabilities in software. That's one of the reasons I'm excited about Bugcrowd [a Rally Ventures client]. A crowd of ethical hackers finds these vulnerabilities and they're matching with companies who want to see their products securely brought to market.

I've been saying for years we have to be able to detect breaches more rapidly … so not surprisingly, I'm still a fan of RSA and what it has been able to do with security analytics.

We need more data science and data scientists to add more value atop data analytics. Another major area in data science … is to as rapidly as possible spot these breaches as they are happening [and to] prevent harm.

A third area I'm excited about is automating the responses. People [traditionally] really never thought about this [as a viable solution] because they didn't want to automate false positives [which then] would shut down a commercial application or an element of the infrastructure. But as we start seeing the first elements of this [approach] with several startups, that's [automated response] an exciting prospect for the future because we don't have the security professionals to cover all the companies and vulnerabilities that exist out there in our infrastructures.

[Then] there is next-generation AV … I used to think that had to be behavior-based. But Cylance [for instance] is using pure math.

Dark Reading: Have Internet of Things security risks been overblown or justified?

Coviello: Internet of Things represents to me just another [vector] … in the ever-expanding attack surface.

I don't think we're exaggerating it [as a threat]. I do think we are a little ahead of the power curve than we were with Windows. I don't know a single vendor not thinking about how they can build security and safety into their products; that [perspective] didn't exist a decade ago.

I worry about people trying to minimize the threat. But on the flip side, some really cynical people out there … say they are not going to fix [security in their IoT] until a catastrophic event occurs. That's way too cynical of a view.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
