February 7, 2007 9:26 AM PST

RSA: Standalone security firms are doomed

SAN FRANCISCO--Within a few years, companies that offer only security products will have been relegated to the history books.

So claimed Art Coviello, president of RSA Security, at the RSA Conference 2007 here on Tuesday. Coviello predicted the end of the standalone security industry--those companies that offer only protective services such as antivirus or encryption--within two to three years.


"Our industry is ripe for a transformation. In fact, it's already under way," Coviello declared. "With the exception of a few exceptional start-ups, there will be no standalone security businesses within three years."

In a keynote address that criticized the security industry for the way it has operated in recent years, Coviello argued that a more integrated response is needed to combat the scale of the threat facing Internet users and businesses today.

"As an industry of security vendors, we've been too self-righteous and smug--focused more on our challenges than on trying to perfect security. We've been motivated largely by threats, and we've been chasing after them while looking over our shoulders and muttering to everyone 'We warned you' like a bunch of latter-day Cassandras," said Coviello, referring to the mythical Greek soothsayer whose prophecies were ignored.


Coviello pointed out that 200,000 viruses are expected to be released this year, which will pose a huge challenge to the antivirus industry, and that intrusion-prevention systems are only catching around 70 percent of attacks.

The solution, Coviello argued, is to worry less about individual threats and focus more on ensuring that the most important data is kept properly secure, perhaps through strong encryption. This requires data to be properly tagged and stored. Pattern-recognition systems could also be built into a company's infrastructure, to detect and respond to suspicious behavior.

Such approaches would require solid integration with storage and networking products, Coviello argued, and couldn't be performed well by a pure-play security vendor. He cited his company's takeover, announced on Tuesday, of Indian database storage company Valyd.

However, with 300 security companies exhibiting at RSA Conference 2007--around 100 more than last year--there are indications that the market is expanding rather than consolidating.

RSA, which specializes in encryption and authentication methods, was taken over by storage giant EMC last year. The acquisition was criticized by some analysts at the time, who claimed that EMC would struggle to integrate RSA's products into its storage offerings.

EMC's chief executive, Joe Tucci, who was also speaking at the conference, insisted the acquisition was going well and made sense in today's climate where companies need to make security a top priority.

"Customers wanted us to take their digital assets that we had stored and...protect them in another way, to make sure that it was encrypted, with really robust centralized key management," Tucci told journalists and analysts.

The purchase of RSA puts EMC in closer competition with Symantec, which recently bought storage provider Veritas Software. Symantec CEO John Thompson told the conference that businesses need an IT risk manager to cope with the greater threat posed as consumers increasingly use mobile devices to access the Internet.

Graeme Wearden reported for ZDNet UK in London.

Cry Wolf
What he means is: "I had to sell my company to stay afloat, so I don't want any other security companies to succeed either."
Posted by dfpconsult (5 comments )
IMHO I think most security firms are far too reactionary.

Their products don't appear to be of any use until AFTER you've been infected, and in many cases, not even then.

With the possible exception of a decent firewall, nearly every anti-malware product on the market hardly leaves you brimming with confidence even if it does detect and remove the problem.

However the chances are you will be presented with the immortal "found threat xyz - action : none"

In other words it was unable to fix the problem, and a system rebuild is your only 100% safe bet.

Now I readily admit that's a touch paranoid, and you really have to be an expert at getting yourself into trouble in order to do this more than once or twice a year - but often even these so-called experts say this is your best course of action when infected with certain brands of spyware or Sony rootkit.

Messing with the Dark Side of the internet may mean downloadable movies, games and music - but nothing is for free. Eventually you will pay, and even if your PC is in a state that data can be recovered - can you honestly say that everything you want to save is free and clear of malware?

Anyhow I reckon that until we have more basic protections in place - such as defaulting to using non-administrative accounts or a correctly configured firewall - the best you can hope for is that the other side of the world got infected first, and by the time whatever malware reaches your corner of the globe, the relevant patch or definition file has been released.
Posted by ajbright (447 comments )
And this statement is not self-righteous and smug?
Posted by umbrae (1073 comments )
What Exactly Gives?
I find that using a combination of firewall, and then other virus fighters still "works". I agree a bit with the first commenter, but I find it is the American firms that seem to tout promotion over real commitment to on-going Defense over Profits. Of course I realize that's the name of the game, but before being not net savvy I purchased some rather inferior products.

Not to be USA Bashing as Symantec is definitely the exception, as they are constantly up-dating threats. They also offer solutions, which I've taken advantage of, one being a vicious Trojan that nobody else had a grasp on.

I have found shareware, that I still use for ADWARE/SPYWARE that is very effective, much more so than what I could pay for. So what gives?
The same is true for KeyloggerHunters and the like, best to look outside the field/box.
Posted by jackelshowl (1 comment )
Need to learn a lesson from the CIA
You can't fly over the fray in your suit and tie with any hope of succeeding in the chaos below.

You absolutely have to put boots on the ground, infiltrate bad organizations, change a regime or two, occasionally assassinate a warlord or two.

Just my 2 cents.
Posted by Too Old For IT (351 comments )
"Need to learn lesson from CIA"
It seems to me the CIA would be the worst organization to draw an example from. The only way to construct true and actual change is through social revolt and revolution. CIA, what a joke.
Posted by ghostboy005 (2 comments )
Bigger Security Companies are better?
Gee whiz, with only a handful of security companies around, if the RSA CEO had his way, how do the customers benefit with such huge overhead which is passed along in all their products?

Free market economies are a thousand fold better than what these self-important and over-blown CEOs believe. If bigger was really better, why is our government continuing to cost all the money and deliver nothing? Same goes for the security consolidations. Good for the share holders but the customers end up getting hosed.
Posted by Schratboy (122 comments )
