Operations

9/3/2015
04:50 PM
RSA's Ex-CEO Coviello Back In The Game

Art Coviello, former head of RSA Security, has returned to the security industry after retiring from RSA for health reasons.

Art Coviello, the longtime head of security company RSA, in February stepped down from his role as executive chairman of RSA and executive vice president at parent company EMC due to undisclosed health reasons. The former executive took about a month off and since then has quietly returned to the security industry.

Coviello and RSA came under fire in late 2013 in the wake of a Reuters report that the NSA in 2006 had paid RSA $10 million under a secret contract to make the Dual EC DRBG random-number generator the default in RSA's BSafe software in order to facilitate the NSA's surveillance programs. Dual EC DRBG is a pseudorandom number generator rather than an encryption cipher; it reportedly contained a weakness that let the NSA predict its output, and with it any encryption keys derived from that output.

The company dismissed the allegations in a blog post, and Coviello later said RSA had been doing business with the NSA's cyberdefense arm, the Information Assurance Directorate, which was "a matter of public record." NSA's IAD traditionally has worked with security firms in the standards space, for instance.

In one of his first interviews since retiring from RSA, Coviello this week spoke with Dark Reading about his new role in the security industry, how he sees the security and privacy debate shaping up, and what it's like to be semi-retired. Coviello will take the stage later this month at the Privacy.Security.Risk 2015 conference in Las Vegas, where he will deliver a keynote address.

"I do plan to stay in the game," he says of his future plans in security.

Dark Reading: First and foremost, how are you doing health-wise?

Coviello: I've got an ongoing health issue that needs to be kept an eye on. I'm being monitored. If anything, the last physical I had was one of my better ones in years. You should see a slightly leaner and meaner me [now].

Dark Reading: What have you been up to since you left RSA in February?

Coviello: Rally Ventures is one of a number of things I'm engaged in. I help them with deals, selections, and also help advise the companies they invest in. I've set up a little consulting firm -- Art Coviello Associates -- and am doing a bit of consulting to one of the consulting firms … I'm also on a number of boards [including EnerNOC and AtHoc].

I can get a lot done working in my home up in New Hampshire for three or four hours, gazing out at the lake. Then I'm hopping on jet skis with my wife, and I'm playing golf in the morning. It's not a bad life. I focus more on my health [now]. I'm training for a half-marathon with my wife and daughters.

Dark Reading: What security issues are on your radar screen right now?

Coviello: My thinking has evolved … and it's clear to me that … you cannot have privacy without security. But by the same token, the level of security being provided can't be a major threat to privacy. So how do you reconcile those kinds of points of view on a macro basis, on a national and international basis and on an organizational basis? It's amazing how complex this is.

I come at it from a security bias. RSA invented the kind of encryption that protects people's privacy, and I'm a huge advocate for privacy. But by the same token, if you look at it from the law enforcement person's perspective, they [are saying] 'I can't do my job if everything is encrypted and I can't get at it.' I can understand his perspective if I put myself in his shoes. But I can also understand the perspective of people about their Internet freedoms and how they can potentially be abused.

Dark Reading: How did the fallout from the NSA document leaks ultimately help or hurt security and privacy?

Coviello: That presupposes that the tech industry was in wholesale cahoots with the NSA, which it was not. The fact is ... the NSA doesn't have the ability to bulk-collect like they used to. I do think there has been a huge change in attitude among politicians about respecting privacy and recognizing the need to not just have the appearance of it. And people's privacy is not going to be abused as we try to protect them.

The only way we're going to reach an agreement on an issue such as security and privacy is if we have true dialog, and recognize you have these native biases and try to put yourself in the other person's shoes and understand where they are coming from. Now you're in a better position to compromise and to understand the other side. That's what we desperately need in this security and privacy discussion.

Dark Reading: What do you see as some of the main failures in security to date?

Coviello: Quite frankly, the core AV technologies. It's not keeping up. Things like VPNs and firewalls, they are table stakes things. They're commodities. What I worry about less is technology being eclipsed, and more about how you keep adding control after control, which is why I am such a fan of technologies that gather input from multiple controls.

Dark Reading: What do you consider the more promising trends in security today?

Coviello: I think we can do a gigantically [better] job at rooting out … vulnerabilities in software. That's one of the reasons I'm excited about Bugcrowd [a Rally Ventures client]. A crowd of ethical hackers finds these vulnerabilities and they're matching with companies who want to see their products securely brought to market.

I've been saying for years we have to be able to detect breaches more rapidly … so not surprisingly, I'm still a fan of RSA and what it has been able to do with security analytics.

We need more data science and data scientists to add more value atop data analytics. Another major area in data science … is to as rapidly as possible spot these breaches as they are happening [and to] prevent harm.

A third area I'm excited about is automating the responses. People [traditionally] really never thought about this [as a viable solution] because they didn't want to automate false positives [which then] would shut down a commercial application or an element of the infrastructure. But as we start seeing the first elements of this [approach] with several startups, that's [automated response] an exciting prospect for the future because we don't have the security professionals to cover all the companies and vulnerabilities that exist out there in our infrastructures.

[Then] there is next-generation AV … I used to think that had to be behavior-based. But Cylance [for instance] is using pure math.

Dark Reading: Have Internet of Things security risks been overblown or justified?

Coviello: Internet of Things represents to me just another [vector] … in the ever-expanding attack surface.

I don't think we're exaggerating it [as a threat]. I do think we are a little further ahead of the power curve than we were with Windows. I don't know a single vendor not thinking about how they can build security and safety into their products; that [perspective] didn't exist a decade ago.

I worry about people trying to minimize the threat. But on the flip side, some really cynical people out there … say they are not going to fix [security in their IoT] until a catastrophic event occurs. That's way too cynical of a view.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...