RSA's Coviello Predicts Security Consolidation

"The value of security as a standalone solution is diminishing," Coviello said.

Security, said Coviello, has been too focused on imposing limits rather than lifting them, never mind that this mantra has been used by many companies to explain how they'll adapt as collaboration and connectivity replace walls and silos. "Security needs to be inextricably linked to business strategy," he said.

Coviello pointed to the acquisition of ISS by IBM and EMC's purchase of his own company as a sign of things to come. And as if to hammer home the point, RSA said on Tuesday that it had agreed to acquire Hyderabad, India-based Valyd Software and to establish strategic partnerships with security companies CipherOptics, Decru, NeoScale Systems, and Epicor|CRS.

For those who have been paying attention to Microsoft's security acquisitions and its considerable efforts to build security into its new Vista operating system, or to Symantec's objections to Microsoft's moves, the writing has been on the wall for some time: Security is becoming the province of the big infrastructure players like Cisco Systems, EMC, IBM, Microsoft, and Oracle.

Coviello arrived on stage following Microsoft chairman Bill Gates -- and he risks matching Gates' record as predictor of the future. Recall that in 2004, Gates predicted "spam would be solved" by 2006. At the 2004 RSA Conference, Gates also said passwords would fade away, an assertion repeated at the 2006 RSA show, in three to four years thanks to Vista.

But Coviello's foresight is more firmly grounded in hindsight, given that security industry consolidation is readily evident and that the traditional model of perimeter protection has largely been supplanted by a defense in depth strategy.

"Static solutions aren't enough for dynamic attacks," said Coviello. To support his point, he spoke of the professionalized, profitable cybercrime industry. There's a $1 billion market for stolen identities, he said, citing IDC research. Malware has risen by a factor of 10 in the last five years, he said, citing Yankee Group research. And the antivirus industry catch rate of 70% isn't good enough, he said.

That's fairly convincing stuff. It's certainly enough to motivate ongoing security spending, for those unmoved by ongoing data breach headlines. But it remains to be seen whether the cure is worse than the problem. The approach to security that Coviello described -- an information-centric strategy in which data and networks are protected at all times by layered, active defenses -- sounds more like a hindrance to productivity than something that will get more information to more people at the right time.

Coviello's vision could be described as ubiquitous, always-on digital rights management, and, true enough, something of the sort could keep data safe. But it also could keep data from being useful. Simply put, the inherent tension between access and control won't be resolved through mere mergers.

Adding the digital equivalent of guard dogs, bodyguards, cameras, motion sensors, ID checks, and bear traps to corporate networks may instill a sense of security. Just don't count on getting anywhere with ease.