Art Coviello, the longtime head of security company RSA, in February stepped down from his role as executive chairman of RSA and executive vice president at parent company EMC due to undisclosed health reasons. The former executive took about a month off and since then has quietly returned to the security industry.
Coviello and RSA were under fire in late 2013 in the wake of a Reuters report that the NSA in 2006 had paid RSA $10 million in a secret contract to use the Dual EC DRBG random-number generator algorithm in RSA's BSafe software in order to facilitate the NSA's spying programs. The algorithm reportedly was one that the NSA was able to crack.
The company dismissed the allegations in a blog post, and Coviello later said RSA had been doing business with the NSA's cyberdefense arm, the Information Assurance Directorate, which was "a matter of public record." NSA's IAD traditionally has worked with security firms in the standards space, for instance.
In one of his first interviews since retiring from RSA, Coviello this week spoke with Dark Reading about his new role in the security industry, how he sees the security and privacy debate shaping up, and what it's like to be semi-retired. Coviello will take the stage later this month at the Privacy.Security.Risk 2015 conference in Las Vegas, where he will deliver a keynote address.
"I do plan to stay in the game," he says of his future plans in security.
Dark Reading: First and foremost, how are you doing health-wise?
Coviello: I've got an ongoing health issue that needs to be kept an eye on. I'm being monitored. If anything, the last physical I had was one of my better ones in years. You should see a slightly leaner and meaner me [now].
Dark Reading: What have you been up to since you left RSA in February?
Coviello: Rally Ventures is one of a number of things I'm engaged in. I help them with deals, selections, and also help advise the companies they invest in. I've set up a little consulting firm -- Art Coviello Associates -- and am doing a bit of consulting to one of the consulting firms … I'm also on a number of boards [including EnerNOC and AtHoc].
I can get a lot done working in my home up in New Hampshire for three or four hours, gazing out at the lake. Then I'm hopping on jet skis with my wife, and I'm playing golf in the morning. It's not a bad life. I focus more on my health [now]. I'm training for a half-marathon with my wife and daughters.
Dark Reading: What security issues are on your radar screen right now?
Coviello: My thinking has evolved … and it's clear to me that … you cannot have privacy without security. But by the same token, the level of security being provided can't be a major threat to privacy. So how do you reconcile those kinds of points of view on a macro basis, on a national and international basis and on an organizational basis? It's amazing how complex this is.
I come at it from a security bias. RSA invented the kind of encryption that protects people's privacy, and I'm a huge advocate for privacy. But by the same token, if you look at it from the law enforcement person's perspective, they [are saying] 'I can't do my job if everything is encrypted and I can't get at it.' I can understand his perspective if I put myself in his shoes. But I can also understand the perspective of people about their Internet freedoms and how they can potentially be abused.
Dark Reading: How did the fallout from the NSA document leaks ultimately help or hurt security and privacy?
Coviello: That presupposes that the tech industry was in wholesale cahoots with the NSA, which it was not. The fact is … the NSA doesn't have the ability to bulk-collect like they used to. I do think there has been a huge change in attitude among politicians about respecting privacy and recognizing the need to not just have the appearance of it. And people's privacy is not going to be abused as we try to protect them.
The only way we're going to reach an agreement on an issue such as security and privacy is if we have true dialog, and recognize you have these native biases and try to put yourself in the other person's shoes and understand where they are coming from. Now you're in a better position to compromise and to understand the other side. That's what we desperately need in this security and privacy discussion.
Dark Reading: What do you see as some of the main failures in security to date?
Coviello: Quite frankly, the core AV technologies. They're not keeping up. Things like VPNs and firewalls, they are table-stakes things. They're commodities. What I worry about less is technology being eclipsed, and more about how you keep adding control after control, which is why I am such a fan of technologies that gather input from multiple controls.
Dark Reading: What do you consider the more promising trends in security today?
Coviello: I think we can do a gigantically [better] job at rooting out … vulnerabilities in software. That's one of the reasons I'm excited about Bugcrowd [a Rally Ventures client]. A crowd of ethical hackers finds these vulnerabilities and they're matching with companies who want to see their products securely brought to market.
I've been saying for years we have to be able to detect breaches more rapidly … so not surprisingly, I'm still a fan of RSA and what it has been able to do with security analytics.
We need more data science and data scientists to add more value atop data analytics. Another major area in data science … is to as rapidly as possible spot these breaches as they are happening [and to] prevent harm.
A third area I'm excited about is automating the responses. People [traditionally] really never thought about this [as a viable solution] because they didn't want to automate false positives [which then] would shut down a commercial application or an element of the infrastructure. But as we start seeing the first elements of this [approach] with several startups, that's [automated response] an exciting prospect for the future because we don't have the security professionals to cover all the companies and vulnerabilities that exist out there in our infrastructures.
[Then] there is next-generation AV … I used to think that had to be behavior-based. But Cylance [for instance] is using pure math.
Dark Reading: Have Internet of Things security risks been overblown or justified?
Coviello: Internet of Things represents to me just another [vector] … in the ever-expanding attack surface.
I don't think we're exaggerating it [as a threat]. I do think we are a little further ahead of the power curve than we were with Windows. I don't know a single vendor not thinking about how they can build security and safety into their products; that [perspective] didn't exist a decade ago.
I worry about people trying to minimize the threat. But on the flip side, some really cynical people out there … say they are not going to fix [security in their IoT] until a catastrophic event occurs. That's way too cynical of a view.