RSA: Standalone security firms are doomed

Security vendors have been 'too self-righteous and smug,' says RSA president Art Coviello.

SAN FRANCISCO--Within a few years, companies that offer only security products will have been relegated to the history books.

So claimed Art Coviello, president of RSA Security, at the RSA Conference 2007 here on Tuesday. Coviello predicted the end of the standalone security industry--those companies that offer only protective services such as antivirus or encryption--within two to three years.

Art Coviello
Credit: RSA
Art Coviello

"Our industry is ripe for a transformation. In fact, it's already under way," Coviello declared. "With the exception of a few exceptional start-ups, there will be no standalone security businesses within three years."

In a keynote address that criticized the security industry for the way it has operated in recent years, Coviello argued that a more integrated response is needed to combat the scale of the threat facing Internet users and businesses today.

"As an industry of security vendors, we've been too self-righteous and smug--focused more on our challenges than on trying to perfect security. We've been motivated largely by threats, and we've been chasing after them while looking over our shoulders and muttering to everyone 'We warned you' like a bunch of latter-day Cassandras," said Coviello, referring to the mythical Greek soothsayer whose prophecies were ignored.

Coviello pointed out that 200,000 viruses are expected to be released this year, which will pose a huge challenge to the antivirus industry, and that intrusion-prevention systems are only catching around 70 percent of attacks.

The solution, Coviello argued, is to worry less about individual threats and focus more on ensuring that the most important data is kept properly secure, perhaps through strong encryption. This requires data to be properly tagged and stored. Pattern-recognition systems could also be built into a company's infrastructure, to detect and respond to suspicious behavior.

Such approaches would require solid integration with storage and networking products, Coviello argued, and couldn't be performed well by a pure-play security vendor. He cited his company's takeover, announced on Tuesday, of Indian database storage company Valyd.

However, with 300 security companies exhibiting at RSA Conference 2007---around 100 more than last year--there are indications that the market is expanding rather than consolidating.

RSA, which specializes in encryption and authentication methods, was taken over by storage giant EMC last year. The acquisition was criticized by some analysts at the time, who claimed that EMC would struggle to integrate RSA's products into its storage offerings.

EMC's chief executive, Joe Tucci, who was also speaking at the conference, insisted the acquisition was going well and made sense in today's climate where companies need to make security a top priority.

"Customers wanted us to take their digital assets that we had stored and...protect them in another way, to make sure that it was encrypted, with really robust centralized key management," Tucci told journalists and analysts.

The purchase of RSA puts EMC in closer competition with Symantec, which recently bought storage provider Veritas Software. Symantec CEO John Thomson told the conference that businesses need an IT risk manager, to cope with the greater threat posed as consumers increasingly use mobile devices to access the Internet.

Graeme Wearden reported for ZDNet UK in London.

Featured Video

VTech hack exposes 5 million accounts, including kids' photos, chats

The toymaker stores personal data and photos in a way that may be easy for hackers to access. Also, Amazon shows off its latest design for delivery drones.

by Bridget Carey