Exposing the Downside of Digital Transformation
Former RSA Chairman Art Coviello on Innovation, Attack Surface and the Role of CISO
Digital transformation has accelerated the pace of innovation, but it has also brought on new threats. The state of cybersecurity defense is calamitous given the current attack surface. Even worse, adversaries are more efficient, automated and effective than ever before, said Art Coviello, managing partner with SYN Ventures.
IoT and OT devices pose a significant risk, and companies need to focus on securing their backend and side doors, said Coviello, a former executive chairman of RSA Security. While next-generation anti-malware technologies have addressed traditional malware, ransomware presents a unique challenge, he said.
"Identity is still at the forefront" as organizations are onboarding both employees and third parties, he added. He stressed the need to be aware of all the applications on the network and to "establish the workflows between all of those applications."
"If you don't have visibility as to who these people are, you can't have the identity protections you need to stop people from taking advantage," Coviello concluded.
In this video interview with Information Security Media Group at RSA Conference 2023, Coviello discussed:
- The emergence of the hybrid workforce, cloud migration and app culture;
- How security and privacy are evolving together;
- The changing role of CISOs.
Coviello has more than 30 years of strategic, operating and financial management experience at high-technology companies and is one of the most recognized figures within the cybersecurity industry. Former executive chairman of RSA Security, he has played a leading role in several national cybersecurity initiatives and has served as an adviser to key government agencies and public-private initiatives.
Tom Field: Hi there. I'm Tom Field. I'm senior vice president of editorial with Information Security Media Group, and I am privileged to have with me today Art Coviello. He is managing partner with SYN Ventures. Art, that's a new designation. Tell me about the new role.
Art Coviello: Yeah, it's a role that I took on last summer. I had been investment chair at SYN Ventures, which Jay Leek and Patrick Heim formed just a couple of years ago. And it's a dedicated security fund. So that's where my heart is. And so I joined up with them full time, this past summer.
Field: When you say full time, it strikes me that you've been just as busy in retirement as you were when you were chair of RSA. Is that fair?
Coviello: Yeah, I'd say it's a safe bet that I've failed retirement miserably. But back in the day the Boston Pops conductor, Arthur Fiedler, said, if you rest, you rust. And he conducted the Pops into his 90s. I don't think I'm going to be around RSA Conference till I'm 90. But I'm going to be around for a while.
Field: We do have a goal. Speaking of 90, so much has changed since the 1990s turned into 2000. You got a timeline on digital transformation you want to talk about? Give me some sense of where we've been, and how we're exploring a new roaring 20s?
Coviello: One of the ways that I like to talk to boards of directors about the problem and the issue is not in terms of the APT attack, or what the latest vulnerability might be. But just in terms of how the attack surface expanded, and I do it in terms of the hardware, the applications that were being used, how the perimeter evolved, and how digital transformation basically took place over the last 20 years. But if past is prologue, we're going to see an acceleration or are seeing an acceleration in the 20s. That's why I call it the roaring 20s for technology: innovation on top of innovation has just accelerated the pace of digital transformation. But that's also accelerated the expansion of the attack surface and brought on new threats and issues that we've had to deal with as an industry.
Field: In your career, have you seen a period such as the past three years, spurred by the pandemic, a period of innovation?
Coviello: It has absolutely been crazy. There's no doubt about it, the pace of investment by venture capital, the acceleration of private equity in buying companies and consolidating. I used to say that the private equity guys used to clean up the messes that the VCs made, but they've gotten to be quite sophisticated themselves. And that's enabled us to do more and more innovation, which has been desperately needed. So no, this is kind of unprecedented what we've seen in the last several years.
Field: So we've got the largest potential attack surface in history. We've got adversaries that are more efficient and more automated and effective than ever before. I think our risk is probably greater. How would you describe the state of cybersecurity defense?
Coviello: If it's the roaring 20s for technology, I think we could be looking at the calamitous 20s if we don't keep pace with what's going out there, and a perfect example is in the realm of IT and IoT. Most companies are still worried about somebody coming in the front door. But increasingly, the attackers are coming in the back end and the side door, and there's just many, many millions and millions more of IoT and OT devices out there that can become a threat. So that's one avenue of attack that has to be looked at. And we've invested in a company called Phosphorus, which not only discovers, because you can't secure what you don't know is out there, but enables you to remediate things like static passwords and vulnerabilities in the firmware itself. So that's one avenue of attack that we're trying to close off. Most people think that with the next-generation anti-malware that you've seen come out of Microsoft and CrowdStrike and SentinelOne, that that problem has largely been solved. But ransomware presents entirely differently from traditional malware. And I think you had John Miller from Halcyon on, that has an incredible technology for fighting ransomware. And by the way, he's been teasing people and saying that he's my illegitimate son, and he's been good, that I asked him to start that company up. I want to dispel that rumor right now.
Field: We will not be testing.
Coviello: Yeah. Okay. Thank you. Thanks.
Field: Art, if you had envisioned a world where we'd have a hybrid workforce - sounds like NFL films - a world where there's a hybrid workforce or the cloud migration or the app culture that we have right now. You didn't envision the different kinds of identity company?
Coviello: There's absolutely no question of that. And not surprisingly, identity is still at the forefront, because that's where everything starts. And you talked about the pandemic earlier; that's just changed the game as to how people work. So we do work from home, we do go on Zoom. And we're getting more and more third-party access. We're going directly to the cloud without touching any physical infrastructure. So all elements, all elements of identity become critically important. And again, we've got an investment in Transmit software. But we've also got an investment in a company called Talon, which replaces the virtual desktop infrastructure with a more secure browser. And that right from the get-go makes the user that much more secure.
Field: And before we came here and sat down, we were talking outside and we talked about visibility, and no question, organizations need to know who and what apps are on their networks. But visibility is not enough. Is that something that concerns you?
Coviello: Yeah, again, visibility is like jacks are better. And, again, it's just critically important to establish the workflows between all of these applications, once you discover what you've gotten once. And to be able to secure elements of that. And a perfect example is offboarding and onboarding, not just your own employees, but your outside third-party people. So if you don't have visibility, as to who these people are, you can't have the identity protections you need to stop people from taking advantage.
Field: Now, perhaps the best marketing technology evolution in history has been ChatGPT. And the conversation about AI or machine learning has progressed to the point, I think they're talking about referring to the RSA AI conference now. Your thoughts on this conversation about machine learning and AI?
Coviello: Machine learning is not new. We've been using machine learning in next-generation AV and it's been particularly effective. But the problem is, these are predictive AI capabilities. It's the generative AI capabilities like ChatGPT that present that much more of a problem because they feed on themselves. And ChatGPT is just grabbing information, whether it or not, once you connect to them. If you're using them to automate an email, and you're putting in PII information, or you're putting in some kind of technological formula, or what have you, ChatGPT is just going to grab it and run with it. So we have to fight fire with fire, and have our own artificial intelligence capabilities to stop those things from happening. And once again, not surprisingly, we've got an investment in a startup called Cranium, that's going to help us do that.
Field: It used to be the conversations we're having.
Coviello: Yeah, but we're very active. It's incredible, the number of companies that we see this, there's hardly a company that gets funded, that we don't get a chance to look at. And we're focused on the very areas we've been talking about. Not surprisingly, if those are the most important ones, those are the ones we're going to be looking at.
Field: What are the technologies you're most bullish on?
Coviello: So there's one that I had mentioned. So I bought Archer in 2010. And it's gotten to be totally unwieldy as to how you do governance, risk and compliance, and Archer has been and is just the framework. So it requires you to have all kinds of spreadsheets and work effort by people. And we've invested in still another company called RegScale that automates the connectivity of applications and pulls the data from them to give you a real-time status of your compliance requirements, which you can't do if you're just updating periodically on a spreadsheet. So whether it's anti-ransomware, IoT, OT, discovery, and identity, those are the areas that we're particularly concerned with and continue to track and invest in.
Field: Last time you and I talked personally, you took a great interest in the privacy conversation. That's only ratcheted up with more diverse and strict privacy regimes around the world. What are your thoughts on how security and privacy are evolving together?
Coviello: I'd like to be more hopeful. I just think it gets more and more complicated, and things like deepfakes and social media just have made it almost impossible to maintain a level of privacy. But there is another company that SYN Ventures is not invested in, BigID, which does a particularly good job around protecting privacy within a company.
Field: You get the chance to walk around, see lots of different organizations and people these days, not the same as when you were at RSA. What are your thoughts on what the next generation of security leaders need to bring to the table?
Coviello: More of a business orientation. I mean, I remember way back in the early part of the millennium, I talked about the fact that this is our time; that we were becoming mainstream. Security people weren't those crazy uncles in the attic anymore. But we've gone well past that, that we are mainstream, but now we have to become more business people, more aligned with the business. And that's something that I have seen over the last several years: most CISOs are becoming integral parts of the management team itself.
Field: What happens when those CISOs start to get put on the spot in certain legal issues, as we've seen over the last couple of years? There are a lot of people that shy away from that.
Coviello: It's absolutely frightening. And we're advising no CISO to take the job without having the same kind of indemnification provisions that most corporate officers have, but some of the things have been chilling, where they've been scapegoated, literally, for things that they shouldn't have been held responsible or accountable for.
Field: Art, as always a pleasure to see you. Thanks so much for stopping by.
Coviello: Yeah, great seeing you. Good to be back.
Field: Again, we've been talking to Art Coviello. He's the managing partner with SYN Ventures. For Information Security Media Group, I'm Tom Field. Thank you for giving us your time and your attention today.