/v3-uk/analysis/1983733/q-a-rsas-art-coviello
28 Oct 2008, Phil Muncaster , V3
In the opening keynote of this year’s RSA Conference Europe event, you argued that politicians often get things wrong when legislating for IT security. Why is that?
Art Coviello: You’d think I would evangelise regulations that result in people buying more of my stuff, but we’re doing well thank you very much and we’ll sell on our own merits. What makes anyone think policy makers are qualified to tell business people what to do? Politically, people may be demanding this legislation but businesses hate it. My advice to policy makers is to focus on the outcomes without telling business specifically what to do. Self-regulation is not exact. Take personally identifiable information. The powers that be could say, "If you let it out of the door without evidence of universally accepted best practice, we’ll impose a penalty on you". This is a lot different from saying, "We want you to do this, this and this".
Can you give an example of poorly thought-out legislation?
A government in Asia told businesses they had to encrypt live databases. This is crazy. Do you have any idea of the overheads to encrypt in this way, in real time? If they’d said on the other hand "If you lose the data you’re in big trouble, just figure it out for yourself how to protect the data", then firms could have looked to authentication and access controls to meet these requirements. It’s about focusing on the results and outcomes. Unfortunately, we’ve gone from being a principles-based society to a rules-based society.
Are data breach notification laws a positive step then?
Yes, who wants to have their name spilled over the front pages for the wrong reasons? There are definitely more breaches occurring and there is also more awareness of the breaches, because of disclosure laws. In 2001, if there was a breach, it would be because some prankster wanted to create some noise, not because they were stealing intellectual property for economic reasons.
How about the PCI Data Security Standard for online card payments – is that a good example of common sense regulations?
PCI is a decent standard because it’s a best practice framework. It’s not totally prescriptive. Like [US auditing standard] SAS 70 though, you can pass it and still have lots of problems. It is no substitute for understanding the risk in your own environment, and mastering the risk/reward equation.
How is the current economic climate likely to affect the job of the IT security chief?
The criminals and the hackers are literally licking their chops. There is tremendous pressure on chief security officers (CSOs). As businesses are distracted by their financial performance it’s a great opportunity for an online criminal to take advantage. Also, CSOs are under pressure to control costs, so they need to be doubly smart on how to spend their security dollar. As to redundancies in the industry, I remember in 2001 saying that we were immune to the effects of the dot-com crash, and then finding we had to sack people. Nothing will be immune from this – but security will still be a high priority, where you can show return on investment because it helps to mitigate fraud losses. Fraud reduction via behavioural risk-based authentication pays for itself.