The RSA Conference Europe opens 27 October at London's ExCel centre. SC was granted an exclusive interview with Art Coviello, RSA president and executive vice president of EMC. He spoke to Andrew Donoghue on whether organisations should be compelled to disclose data breaches and whether he expects to see general levels of IT related crime increase during the tough economic times ahead.
SC: You are a big supporter of the idea of data breach notification regulations, but some people – such as Microsoft UK's chief security advisor and former FBI agent Ed Gibson – have questioned whether they are really a good idea?
Consumers have every right to know that their personally identifiable information has been compromised. If that personally identifiable information has been breached, you need to go public and explain that. Data breach regulations engender the following kinds of behaviour: 'Wow, I could be embarrassed if this happens. Wow, I could be subject to liabilities if this happens. Wow, I could suffer significant loss of reputation if this happens. Therefore I need to take appropriate action to make sure this doesn't happen in the first place'. There is no technology that has been purchased, just an awareness on the part of the company that they need to do something, they need to do the right thing.
SC: When I spoke with him, Gibson was referring to the data loss incident that hit the UK Prison Service where the details of prison guards were exposed – potentially endangering the individuals and their families. In that example, he asked what good was done by making the details of that breach public?
If the horse is out of the barn then it doesn't matter – you have got the transparency whether you like it or not. But the devil is in the detail. We are not for a level of immediate notification on the suspicion that something has been lost. There was a tremendous amount made in the US of the Veteran's Association losing a laptop – or having it stolen – containing all these records. It turned out that none of the records were ever compromised, but there was a tremendous uproar about that.
There is a level of responsibility that has to go with the disclosure but it should be commensurate with the risk. With the case of personally identifiable information then you should assume the worst. You have already lost the transparency argument by virtue of the fact that the information is already out there in somebody's hands.
SC: Does the recent spate of private and public sector data breaches point to a real problem with data security or is it simply down to the issue being reported in the press more?
No. I think there is genuinely more of this stuff going on, and the reason is that the criminals themselves are getting more and more sophisticated all the time. They are not unlike a high-tech company. If I were to bring a product to market I would start with the big banks in Manhattan because they are early adopters of technology and they have a strong interest in security. And then over time I would do geographic expansion, and then I would go to small and medium sized companies, and then target verticals eventually.
And that is what you see these guys doing. It used to be easy pickings to do a phishing attack against a bank; now the banks are getting more sophisticated on their own. So now we are seeing the hackers expanding their nefarious activities, and they will take the path of least resistance, so if the financial services industry is getting good at protecting themselves and their data, then they will go to the retail industry, which is notoriously bad. Or they will go to civilian agencies of government, which are notoriously bad.
SC: But should we see data breach incidents as a natural by-product of doing more business using IT and the web? The more we use IT, the more we will see a corresponding escalation in IT security incidents and data loss, so maybe we just have to live with a certain amount of this?
Should we live with it? Absolutely not. That is why a certain level of accountability with the breach notification is so important. Verizon did a survey recently in which they said 80 percent of the breaches of databases could have been prevented with normal best practices around security – some technology but nothing extraordinary and above the norm. If that is the case and I genuinely believe it to be true, we should absolutely not accept it.
People need to do a better job understanding risk and then they need to construct defence in depth. Take a holistic approach and step back and think about what data you really need to protect, what is most vulnerable and what is the probability that people are going to get at it. No one does that introspection and thoughtful step by step approach to security. I mean people are starting to but they haven't done historically.
SC: But do you see people really investing in IT security strategy, products and services given the current dire economic conditions?
As IT spending drops because of macro-economic conditions then security is likely to drop with it, but it will have a higher priority than certain other initiatives, so I don't think it will be impacted as much. We have heavy exposure to the financial services segment, so a lot of the internal infrastructure security projects are on hold or being delayed, and some have been cut or deferred. But the consumer facing part of our business, protecting the banks' consumers, we are enjoying tremendous growth in that part of our business, to the point where our sales and revenue to financial services, for protecting their consumers and online transactions, are up so much that it is largely offsetting the slow-down, and then some, around their own infrastructure.
SC: Is that down to banks wanting to avoid any damage to their brand in already tough conditions?
Yes, and it's also down to the fact that they continue to want to encourage consumers to do more online because it is more cost effective and profitable for them.
SC: There are reports showing that crime increases across the board during a financial downturn – do you see cyber-crime and IT-related crime increasing too? Did you see that in the last downturn?
Well, you know what, during the last downturn there was very little cyber-crime that existed. It is a good question, I hadn't thought about it in that fashion. I think the way I would describe it is that cyber-crime is recession proof, in good times or bad.
SC: Where you have got increasing numbers of people being made redundant from organisations, you could see that as a risk to the company's IT security?
There is always the possibility of malicious acts, but that presupposes that people are dishonest. While the threat increases, I think it is disparaging to the average person being let go to presume they will do something vengeful. But it is just human nature that you would see some level of increase in that.
SC: You have discussed the idea that security systems could benefit from some kind of artificial intelligence. How do you see that developing?
I totally see it as the way of the future in security. Part of the reason that security is seen as ineffective is that it is perimeter based and it is static. Anti-virus is based on static signature technology. I think for security to be cost effective it needs to be far more dynamic and to be able to react to facts and circumstance and only be revoked when a vulnerability is detected. I think the way that happens is with behaviour based or content based technology, behaviour that looks at the patterns of the human being interacting with the application. We need to have content-based technologies that scan the infrastructure in the same way that a human would scan documents on his desktop, and say, 'I need to protect that one, that goes in a locked file, but this one can be left out on my coffee table'.
SC: And how does the artificial aspect come into that?
The artificial intelligence is the fact that it mimics human behaviour. It is not artificial intelligence per se but it does come pretty close. If I have the ability to track important information across my infrastructure and classify it and maybe not let an important file get written to a USB drive and enforce a policy of encryption then that is the equivalent of artificial intelligence in my book.