In the Boardroom With...
Mr. John Worrall
Vice President - Worldwide Marketing
RSA Security (NASDAQ: RSAS)


SecurityStockWatch.com: Thanks for joining us today, John. Please give our audience an overview of your background and your role at RSA Security.

John Worrall: As the vice president of worldwide marketing at RSA Security, I am responsible for RSA Security’s market strategy; global, corporate, and field marketing; product marketing and management; corporate communications; government affairs; and the RSA Conference events in the U.S., Europe and Japan.

Before I became VP of worldwide marketing, I headed up RSA Security’s product management team and was responsible for the product strategy and plans for our authentication and access management solutions. I’ve been with the company for nine years, and have been in the high tech industry for more than 20 years.

SecurityStockWatch.com: RSA Security has an impressive track record of “wins” in verticals such as finance and healthcare. Would you care to discuss a success story from three major verticals?

John Worrall: Sure. First, in the financial space, a good example is our work with E*TRADE Financial where we work to secure their customers’ online trading accounts with strong authentication using our RSA SecurID® technology.

Their E*TRADE Complete™ Security System is secured by RSA SecurID two-factor authentication tokens and user adoption has been impressive. This added layer of protection serves to harden the existing security infrastructure. Their customers continue to use the established User ID and password, but then enter a random six-digit code—generated by the RSA Security authentication token—that changes every 60 seconds. This prevents unintended or unauthorized access to a user’s account. According to E*TRADE’s CIO, Greg Framke, their customers really like the solution and more of their customers are now willing to move more assets to their E*TRADE accounts because of the protection RSA SecurID provides. He considers the use of RSA SecurID, which they brand as Digital Security ID, to be the padlock on the front door of their Internet business.

On the healthcare side, Blue Cross and Blue Shield of Kansas City is using RSA® ClearTrust web access management software to implement a series of initiatives designed to enhance web self-service for their members, healthcare providers and brokers. They wanted to transact business through an electronic interface so they could increase the speed and quality of their services, while simultaneously reducing costs. The interesting part of this story is that they also had a requirement to meet HIPAA guidelines: HIPAA is the Health Insurance Portability and Accountability Act, which sets strict guidelines for protecting personal health information. We were able to help them fulfill each of these diverse needs. They are also using RSA SecurID two-factor authentication to provide over 750 employees with secure and convenient remote access to the intranet from home or while traveling. RSA SecurID gives this Blue Cross organization the confidence that they are granting access to the right people, and to their protected resources.

Although we are strong in other verticals such as insurance and technology, we have an interesting and growing business in the real estate market. We are selling a focused solution based on RSA SecurID, and the Mid-Florida Regional Multiple Listing Service (MLS) organization is working with us and a partner, Secure Content Group, to secure valuable MLS data online. MLS data is unique: it is valuable intellectual property that helps realtors win deals, and this information lives in over 800 MLS organizations nationwide, so you can imagine the incredible opportunity this brings to RSA Security. With Mid-Florida, we successfully delivered over 25,000 tokens to their members in just three weeks, and the process was extremely easy. The neat thing is that they expect to save over $1 million of their subscribers’ hard-earned commissions over the next three years, in part because – now – every realtor has to become an MLS member in order to obtain an RSA SecurID token to create a unique and trusted identity. Before the RSA SecurID-based program, some individuals were sharing passwords and identities to save money on membership fees. Not only did this limit revenue to the MLS, but it opened up potential breaches of sensitive data – such as the combinations of the lockboxes attached to doors on homes on the market.

SecurityStockWatch.com: RSA Security recently announced that the U.S. Treasury Department Financial Management Service (FMS) and the U.S. Office of Personnel Management (OPM) have selected RSA® Federated Identity Manager solution to help meet requirements related to the federal government’s E-Authentication Initiative. Would you kindly give us an overview of the solution RSA Security has provided here to the U.S. Government? 

John Worrall: I would be glad to tell you about this. First, the E-Authentication Initiative supports the President’s E-Government Management Agenda, and aims to provide a standardized process for establishing and using electronic identities. This will eliminate the need for each federal agency to develop a separate solution for verifying identities and electronic signatures. Our RSA Federated Identity Manager solution will enable both agencies to leverage this technology to easily and securely share trusted identities across government departments, agencies and business units. For these government organizations and businesses worldwide, RSA Federated Identity Manager eases online collaboration, reduces administrative costs, increases security and improves the end-user experience.

At OPM, RSA Federated Identity Manager is being utilized within an electronic system that empowers Federal employees to manage their own discretionary payroll and personnel transactions. This includes more than 60 agencies and more than one million users. The E-Authentication Initiative is an important example of how federated identity technology may enable organizations to effectively share trusted identities online.

SecurityStockWatch.com: Data loss and data protection is front page news now on a regular basis. Major companies often report that data is lost or stolen for hundreds of thousands of individuals. “Phishing” threats are becoming more prevalent and sophisticated and identity theft is on the rise. Please outline for our audience RSA Security’s data protection strategies.

John Worrall: We approach the loss and protection of data in two ways. First, we provide data protection through our encryption software, RSA BSAFE, which happens to be the most widely deployed software in the world. We’ve sold over a billion copies, actually. This technology integrates into existing technology infrastructures. The software takes advantage of the latest cryptographic technology and industry standards to ensure that sensitive information remains private and critical business transactions remain trusted and secure. RSA BSAFE also protects wireless and embedded applications – for customers such as Sony, Motorola and Nintendo.

In the financial space, you have probably heard a lot about tapes with customer data “falling off the truck”. We’re advocating that these organizations encrypt these pieces of data “at rest” from the get-go to ensure the privacy of sensitive information in databases, content management systems, and other critical data stores. If these repositories of data were to be encrypted in their original design, the ability to steal identities from the criminal possession of this data would be impossible. We believe this is a no-brainer and should be a standard practice for all, and we’re working hard to educate the market. The unfortunate incidents that we read about every day are certainly helping to raise awareness of this issue.

Secondly, you bring up the hot topic of phishing and identity theft. According to the U.S. Federal Trade Commission, identity theft has become the world’s fastest-growing crime. Consumers bear the emotional costs, but companies often bear the brunt of the associated financial costs. Notoriously easy to steal or guess, static passwords allow an intruder to access any online resources the legitimate user is entitled to see – and purchase items online with little likelihood of being caught and prosecuted. 

RSA Security has always led the way in protecting businesses from these real threats with our RSA SecurID technology. For example, well over 300,000 online banking customers at Credit Suisse in Europe are using RSA SecurID tokens as a method of strong authentication to gain access to their online accounts, similar to how E*TRADE customers are doing so for their online trading accounts. And we have a range of strong authentication formats to suit the diverse needs of the user population.

Further, last month, we completed our acquisition of Cyota - and now have the broadest portfolio of software and services available to protect online identities and transactions. Cyota delivers online security and anti-fraud solutions to thousands of financial institutions worldwide, such as Bank of America, Chase, and Washington Mutual – including nine of the top 12 banks in the U.S. and the United Kingdom.

RSA Cyota solutions will give our customers more options, more choices and more flexibility when they assess and choose what authentication product or service serves them best. We can give them enhanced flexibility, through access to strong authentication and transaction protection solutions that fit individual lifestyles and security needs. This means that our customers can choose from a range of authentication techniques – from life questions, watermarking and anomaly detection to digital certificates, tokens and smart cards – depending on the risk associated with the transaction and the desired convenience.

We’ve established ourselves as a strategic hub for the consumer marketplace, providing the ability to authenticate and protect all aspects of online banking and e-commerce: end-users, merchants and transactions. RSA Cyota Consumer Solutions include an RSA SecurID-based hosted customer service; an anti-phishing service that provides 24x7 detection of phishing attacks, alerts to customers and fraudulent site shut-down; risk-analytics techniques to identify fraudulent activity in accounts; and a cross-bank collaborative online fraud network.

SecurityStockWatch.com: What resources, such as webinars, case studies, and white papers, are available at www.rsasecurity.com for end-users?

John Worrall: When you visit www.rsasecurity.com, you’ll see that we’ve provided a lot of resources to help educate the market about critical information security issues, such as identity theft and password management, and it is also a vehicle for communicating information about our product line and to enforce the fact that we are the leaders in protecting identities and digital assets.

I’d like to start with a newer portion of the website; it’s called Speaking of Security, the RSA Security Blog. There, you’ll read postings from RSA Security bloggers, each of whom has knowledge and interest in different areas of the security industry: R&D, developer solutions, engineering and government policy. You’ll get to read their views on the industry’s breaking news and trends, and gain a deeper understanding of the company’s position, direction and attitude. It’s becoming quite popular. Another new section is our Information Security Glossary, which we offer as an aid to understanding current concepts and initiatives in the realm of Information Security. We also publish our own magazine called Vantage, and will have a new issue next month during RSA Conference 2006. A major differentiator for RSA Security is RSA Laboratories, an academic environment which serves as our research center. It was founded by the inventors of the RSA public-key cryptosystem. Through its research program, standards development, and educational activities, RSA Laboratories provides state-of-the-art expertise in cryptography and security technology for the benefit of RSA Security and its customers.

We also offer a robust program of Web Seminars, which are complimentary and interactive e-learning resources to both introduce and demonstrate the business value and potential of RSA Security’s solutions, and help educate the industry on new standards, regulations and issues such as identity theft and password management. In addition, we offer a roster of customer success stories to offer third-party case studies of how our identity and access management solutions are working to solve problems at firms around the globe. Finally, most of our online resources can be found in our Content Library, where you can find items such as white papers, solutions briefs and technology backgrounders.

SecurityStockWatch.com: Government mandates and new legislation are driving public and private sector enterprises to improve the security of their networks. Please give us an overview of these Government initiatives.

John Worrall: I will start with HIPAA, since that has already come up in our conversation. A comprehensive law for the medical industry, the Health Insurance Portability and Accountability Act is especially important for its security implications. A portion of the law, the Administrative Simplification provisions, was developed to encourage the industry to work with healthcare information in its electronic forms. The provisions included standards for protecting the privacy of patients and for information security. As one of the first laws that applied to both privacy rights and information security in the United States, it has wide reaching implications.

Then there is the Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) of 1999 which applies to all financial institutions in the U.S. and is regulated by the Office of the Comptroller of the Currency (OCC). GLBA requires that financial institutions ensure the security and confidentiality of customer personal information against “reasonably foreseeable” internal or external threats. From an information security perspective, organizations must implement a process that assesses and monitors the threat environment, as well as the tools and policies to counter threats, including access controls, authentication, encryption, data integrity controls and audit controls.

And there’s the Sarbanes-Oxley Act (SOX), a piece of legislation that regulates all public companies. This is more formally called the Public Company Accounting Reform and Investor Protection Act and is comprehensive legislation intended to reform the accounting practices, financial disclosures and corporate governance of public companies. SOX mandates that organizations ensure the accuracy of financial information and the reliability of systems that generate it. Section 404 of SOX requires that management perform an assessment of internal controls over financial reporting and obtain attestation from external auditors, on an annual basis. In today’s businesses, information technology (IT) systems are inextricably linked with financial reporting, and information security is essential in ensuring the reliability of these systems. Therefore, the guidance starts from the premise that single-factor authentication, as the only control mechanism, is not adequate to reliably authenticate online banking customers.

Something that is of particular interest to financial institutions and RSA Security, is the recent guidance from the Federal Financial Institutions Examination Council (FFIEC). Regulators have now noted that passwords have become highly vulnerable in the face of changing threats, including phishing, pharming, various types of malware and other evolving attack techniques. On Oct. 12, 2005, the agencies of FFIEC published joint guidance entitled Authentication in an Internet Banking Environment, recommending that financial institutions and their application service providers (ASPs) deploy security measures to reliably authenticate their online banking customers. The FFIEC published its guidance after the Federal Deposit Insurance Corporation (FDIC)—one of the five agencies of the FFIEC—had issued similar recommendations in a study on Putting an End to Account-Hijacking Identity Theft of December 2004.

Among the measures the FDIC recommended to its member banks in that report was upgrading from single-factor to two-factor authentication for access to online banking. Another related recommendation also was included in the FDIC’s July 2005 Guidance on Mitigating Risks From Spyware. FFIEC’s October 2005 guidance considers single-factor authentication, as the only control mechanism, to be inadequate for online banking. Rather, banks should use authentication (the process of verifying the identity of a person or entity) methods that are both effective and appropriate to the risks associated with online banking. These methods include multifactor authentication, layered security or other controls reasonably calculated to mitigate those risks.

It is important to note that the guidance is not a formal regulation; it does not create any legal obligation for banks. It is only a recommendation—strong guidance to be exact. Financial institutions are taking this guidance seriously and implementing it because the guidance comes from not one, but five regulatory agencies of the financial sector, and because all five agencies of the FFIEC have given banks a deadline of Dec. 31, 2006 to comply.

Finally, our encryption solutions have been certified under the rigorous U.S. government cryptographic standard, Federal Information Processing Standard (FIPS) 140, ensuring our customers meet the stringent requirements needed to maintain the security of government applications and data. Our solutions have been used in numerous military and civilian equipment and system applications including internal agency I.T. systems, aerospace systems, munition systems, and others.

SecurityStockWatch.com: The 15th anniversary of RSA Security’s annual conference is coming up February 13-17 in San Jose, CA. How about an overview of the Conference?

John Worrall: We are proud to celebrate the 15th anniversary of the annual RSA® Conference, which we will hold in the U.S. in February, as you mentioned, and then in Japan in the spring and in France in the fall. We are especially proud to be the producers of the RSA Conference as it is the largest and most comprehensive event for information security professionals. We also are careful to maintain a “church and state” policy where the RSA Security corporate business and the RSA Conference division are separate from each other, and are actually located on different coasts of the United States. This helps to ensure a vendor-neutral industry-wide event.

At a time when most technology conferences are growing in the single digits, last year our conference grew in attendance by 40%, with 14,000 attendees. This year the booth space sold out in record time, and our call-for-papers submissions were in the thousands. I think you would have a challenge in booking a hotel room in San Jose these days.

The RSA Conference provides a forum for information security professionals to learn, network and grow professionally with thousands of their peers, industry experts and leaders – and it is all under one roof at the McEnery Center. We have a vast lineup of keynote presenters, including Bill Gates from Microsoft, John Chambers from Cisco, Gary Bloom from Symantec, and our own Art Coviello.

We have more than 200 class sessions offered in 17 tracks, and more than 275 exhibitors who represent the top companies in the industry. And every year, the RSA Conference is built around a different historical theme which highlights a significant use, or misuse, of information security. In 2006, the theme is centered on ancient Vedic mathematics, and a mathematical Sage named Aryabhatta.

SecurityStockWatch.com: Thank you very much for your time today, John.