9/3/2015
RSA's Ex-CEO Coviello Back In The Game

Art Coviello, former head of RSA Security, has returned to the security industry after retiring from RSA for health reasons.

Art Coviello, the longtime head of security company RSA, in February stepped down from his role as executive chairman of RSA and executive vice president at parent company EMC due to undisclosed health reasons. The former executive took about a month off and since then has quietly returned to the security industry.

Coviello and RSA were under fire in late 2013 in the wake of a Reuters report that the NSA in 2006 had paid RSA $10 million in a secret contract to use the Dual EC DRBG random-number generator algorithm in RSA's Bsafe software in order to facilitate the NSA's spying programs. The encryption algorithm reportedly was one that the NSA was able to crack.

The company dismissed the allegations in a blog post, and Coviello later said RSA had been doing business with the NSA's cyberdefense arm, the Information Assurance Directorate, which was "a matter of public record." NSA's IAD traditionally has worked with security firms in the standards space, for instance.

In one of his first interviews since retiring from RSA, Coviello this week spoke with Dark Reading about his new role in the security industry now, how he sees the security and privacy debate shaping up, and what it's like to be semi-retired. Coviello will take the stage later this month at the Privacy.Security.Risk 2015 conference in Las Vegas, where he will deliver a keynote address.

"I do plan to stay in the game," he says of his future plans in security.

Dark Reading: First and foremost, how are you doing health-wise?

Coviello: I've got an ongoing health issue that needs to be kept an eye on. I'm being monitored. If anything, the last physical I had was one of my better ones in years. You should see a slightly leaner and meaner me [now].

Dark Reading: What have you been up to since you left RSA in February?

Coviello: Rally Ventures is one of a number of things I'm engaged in. I help them with deals, selections, and also help advise the companies they invest in. I've set up a little consulting firm -- Art Coviello Associates -- and am doing a bit of consulting to one of the consulting firms … I'm also on a number of boards [including EnerNOC and AtHoc].

I can get a lot done working in my home up in New Hampshire for three or four hours, gazing out at the lake. Then I'm hopping on jet skis with my wife, and I'm playing golf in the morning. It's not a bad life. I focus more on my health [now]. I'm training for a half-marathon with my wife and daughters.

Dark Reading: What security issues are on your radar screen right now?

Coviello: My thinking has evolved … and it's clear to me that … you cannot have privacy without security. But by the same token, the level of security being provided can't be a major threat to privacy. So how do you reconcile those kinds of points of view on a macro basis, on a national and international basis and on an organizational basis? It's amazing how complex this is.

I come at it from a security bias. RSA invented the kind of encryption that protects people's privacy, and I'm a huge advocate for privacy. But by the same token, if you look at it from the law enforcement person's perspective, they [are saying] 'I can't do my job if everything is encrypted and I can't get at it.' I can understand his perspective if I put myself in his shoes. But I can also understand the perspective of people about their Internet freedoms and how they can potentially be abused.

Dark Reading: How did the fallout from the NSA document leaks ultimately help or hurt security and privacy?

Coviello: That presupposes that the tech industry was in wholesale cahoots with the NSA, which it was not. The fact is ... the NSA doesn't have the ability to bulk-collect like they used to. I do think there has been a huge change in attitude among politicians about respecting privacy and recognizing the need to not just have the appearance of it. And people's privacy is not going to be abused as we try to protect them.

The only way we're going to reach an agreement on an issue such as security and privacy is if we have true dialog, and recognize you have these native biases and try to put yourself in the other person's shoes and understand where they are coming from. Now you're in a better position to compromise and to understand the other side. That's what we desperately need in this security and privacy discussion.

Dark Reading: What do you see as some of the main failures in security to date?

Coviello: Quite frankly, the core AV technologies. It's not keeping up. Things like VPNs and firewalls, they are table stakes things. They're commodities. What I worry about less is technology being eclipsed, and more about how you keep adding control after control, which is why I am such a fan of technologies that gather input from multiple controls.

Art Coviello
Photo: RSA Conference

Dark Reading: What do you consider the more promising trends in security today?

Coviello: I think we can do a gigantically [better] job at rooting out … vulnerabilities in software. That's one of the reasons I'm excited about Bugcrowd [a Rally Ventures client]. A crowd of ethical hackers finds these vulnerabilities and they're matching with companies who want to see their products securely brought to market.

I've been saying for years we have to be able to detect breaches more rapidly … so not surprisingly, I'm still a fan of RSA and what it has been able to do with security analytics.

We need more data science and data scientists to add more value atop data analytics. Another major area in data science … is to as rapidly as possible spot these breaches as they are happening [and to] prevent harm.

A third area I'm excited about is automating the responses. People [traditionally] really never thought about this [as a viable solution] because they didn't want to automate false positives [which then] would shut down a commercial application or an element of the infrastructure. But as we start seeing the first elements of this [approach] with several startups, that's [automated response] an exciting prospect for the future because we don't have the security professionals to cover all the companies and vulnerabilities that exist out there in our infrastructures.

[Then] there is next-generation AV … I used to think that had to be behavior-based. But Cylance [for instance] is using pure math.

Dark Reading: Have Internet of Things security risks been overblown or justified?

Coviello: Internet of Things represents to me just another [vector] … in the ever-expanding attack surface.

I don't think we're exaggerating it [as a threat]. I do think we are a little more ahead of the power curve than we were with Windows. I don't know a single vendor not thinking about how they can build security and safety into their products; that [perspective] didn't exist a decade ago.

I worry about people trying to minimize the threat. But on the flip side, some really cynical people out there … say they are not going to fix [security in their IoT] until a catastrophic event occurs. That's way too cynical of a view.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...