RSA: Back from the breach?
Reporting from RSA 2012, Tom Brewster looks at how well EMC's security division has come back from the infamous 2011 attack.


Either RSA is very thorough in being disingenuous, or it really has averted disaster.
When last year's breach hit, resulting in customers' SecurID data going missing, some gazed into the crystal ball and saw the dawning of a dark age for RSA. There was little doubt the embarrassment and subsequent cost of the compromise was going to hurt the company, at least in the short term.
The security division of EMC, which supplies authentication products to some of the world's biggest public and private organisations, did not just suffer financial wounds, but was also lambasted for not coming clean about the breach sooner. It also took some flak when it emerged how the attack took place. A seemingly simple spear-phishing attack duped a low-level employee into opening a file which exploited a vulnerability in Adobe Flash. It was fairly routine stuff as far as hacks go.
Yet at this year's RSA 2012 conference, the company has been in pugnacious mood, claiming the breach was all dealt with and the overall impact almost non-existent. Art Coviello and Co have come out fighting this week. At the minute, it looks like they're winning.
Emerging from the ashes
Data breaches have two particularly damaging consequences: financial loss and reputational damage that costs customers. RSA has suffered both, as anyone would expect, but on the face of it the impact has been minimal.
Lesser companies have fallen as a result of hacks on their infrastructure. DigiNotar, the Dutch certificate authority, went bankrupt after it was hit by cyber criminals seeking to implement clever man-in-the-middle attacks. Fortunately for RSA, it has the large pockets of EMC to support it. In that respect, it is no surprise RSA has suffered little.
Yet the company has shown resilience in recovering from the devastation of March 2011. It would be easy to just brand RSA's comeback as all talk, but the vendor has backed its claims with some impressive figures.
Let's start with reputation. Since the breach, just four customers have been lost. That's out of tens of thousands. From studies the company has done amongst clients, the firm's standing has recovered in their eyes too. From a vicious initial backlash from customers, RSA said it had managed to regain their trust.
"We do a lot of data gathering on customers, like customer satisfaction surveys, and we got crushed for the first two to three months," Thomas Heiser, president of RSA, told IT Pro.
"Go back to those same customers in November/December and they said 'you stood by us, you opened up communication, you remediated if we wanted to.' We turned lemon into lemonades."
Despite the criticism RSA faced for not being quicker to come clean about the breach, Heiser claimed as soon as the company knew customers would be affected, it moved to let them know.
"The time it took from the moment that we thought customers could be compromised to announcing it was 21 hours," the company president said. "It was all hands on deck, it was just rapid."
Indeed, RSA had to work hard to ensure its reputation was not irrevocably tarnished. Following disclosure, RSA offered customers SecurID replacement tokens. Its sales team was plagued with calls from companies wanting to take advantage. "They were remediating customers up from 10 per cent of their time to 90 per cent of their time," Heiser added.
Financially, things are looking rosy too. Even though reports last year indicated the breach had cost the company $66 million, EMC's most recent results showed RSA grew its business 16 per cent in the last quarter. Then there was RSA chairman Art Coviello's telling comment at the start of this week's conference: "We are no longer dealing with the breach." That means no more payouts or costly remedial changes will be required.
It's CISO time
Customers will also want RSA to prove its infrastructure is safe and trustworthy. One of the biggest changes over the last year has been in employing a chief security officer. Some would say a little too late, but at least Eddie Schwartz, who was initially brought in during the NetWitness acquisition a month after the breach, stepped up to the CSO plate in June 2011.
Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.
He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.