Q&A: RSA President On Dell-EMC Deal, Company Transformation, Encryption And The NSA

RSA: Past, Present And Future

It's been a busy year at RSA, to say the least. From the pending blockbuster acquisition of EMC, RSA's parent company, by Dell, to an extensive reorganization and transformation of the security vendor starting back in January, to a rapidly evolving security landscape, President Amit Yoran has had a lot on his plate in his first full year as head of the company. At a dinner event with select Boston media this week, Yoran shared his thoughts on the state of the security industry, as well as addressed tough questions on RSA's year and what challenges and changes face the vendor in the year to come, both in its own technology portfolio and its future under Dell. Here's what he had to say.

What were the highlights of 2015 at RSA and in security?

It's been a pretty incredible year in terms of raising broader awareness in the business and in political and policy maker agendas and mindsets. It is just one of the most critical challenges that our society faces… It even pops up when you see other news media, whether it's the shootings in California or the terrorist attacks in Paris [last month], somehow cyber becomes a part of every single news story that concerns us…

At RSA we've been on a journey over the past year to radically transform one of the largest and most established and successful security companies. Our view of the world is that the approach that people have taken for decades is not getting the job done and the market is ripe for disruption. We have the willingness to disrupt ourselves. You look at successful businesses over time, and if they're not willing to disrupt themselves and change…they end up getting disrupted. We've been on a very deliberate journey to transform RSA to align with our view of the world and future. We've had the support of EMC to do that and will continue pushing further and faster into 2016.

What do you think RSA's biggest challenges are going into 2016?

Today, our biggest challenge is us…If you look at the large security providers, you look at McAfee, Symantec and Palo Alto, though Palo Alto is clearly more on the leading edge, they have such an entrenched position in protecting the existing security mindset…that I think is [keeping] them from aggressively transforming their business. Being a billion dollar entity, and therefore not being material from a reporting perspective, within the context of a broader EMC, we have the ability to make some change. I would say that we are one of the larger security [companies], but we have the ability to do some things that the larger security companies can't do, which is transforming our business… Can we push internally to let go of legacy stuff and embrace the future?…I don't know if any other security vendor can say they are in a better position to address those challenges.

How confident are you that you can overcome these challenges in a decent timeline?

It depends on your definition of timeline. I'm a startup guy, so my timeline is the next 30 days. I believe in the company, or I wouldn't be at RSA. I think the potential is definitely there. I think RSA, as rich as the history and legacy of the company are, I think we've got our best years still ahead. We're gaining a lot of great talent, a lot of great leadership and a lot of new thinking. I think people believe in it as well.

Talk about the way you have changed how RSA does business.

We started a very deliberate process in January, rolling out a series of changes that were very countercultural and very antithetical to how RSA operated…We're getting out of that punching clocks, dress codes. Even deeper, we used to measure revenue as the primary objective…But, the right future for everyone's long-term success is customer service and experience. We told our services team that…compensation will now be driven by [customer satisfaction] scores… Our C-sat scores have gone up and customers are generating more revenue and are buying more product, which has greater margin…It has really been around aligning our company around this vision for the future and where we're headed. I don't care if you're in product management or in services or in marketing, we're all unified in this quest. That is one example of a lot of changes.

How is that transformation impacted by the deal with Dell?

I know Dell was aware of the transformations that we had been making. EMC leadership has talked to Michael about the transformations and I've talked to him about it. He's very supportive. He will give us the Michael Dell speech about how he's passionate about the customer experience and making sure that we not only run an efficient shop but also that the customer experience is what they are looking for long term…He gets it. He's very supportive.

Will there be any tangible impacts on RSA from Dell's acquisition of EMC?

This is where we have to be very careful and calculated. We just finished the 90-day go-shop period, and now we're entering the phase of the merger where you're getting into some of the planning and the changes we're going to make.

How do you see the RSA solutions fitting into the Dell portfolio? Do they make sense as a coherent package of security solutions?

I think it's really early to tell. We haven't started a lot of the planning discussions around that. It's a little premature to tell at this point.

Any future M&A plans?

I think RSA has been very acquisitive over the years. We've been going through a process of deliberately evolving our portfolio to align with how we see the security market over the next few years. A lot of the recent past has been deciding what lines of business are no longer needed, like crypto and DLP as examples. But, I think we will continue to both develop organically…and we will look at technologies and market segments which align with this vision for the security market that we have. I don't see us moving and chasing other market segments that don't align with those solutions…Our focus is on execution of our strategy and the cornerstone of that will continue to be development, but that we certainly have been active in the market and are currently active in the market with companies and technologies that make sense.

What was your motivation for getting out of the crypto business?

We embarked on a process in late 2014…looking at the key challenges facing our customers in the security market and security practitioners and looking at the set of technologies we had built or acquired over the years to try and figure out where those intersect and where we had the ability to deliver best-of-breed capabilities around the challenges they face today and over the next several years. We came up with a strategy that focuses around three key areas. The first is around security operations and incident response…the second market is in the world of authentication and identity management…and the third market is governance, risk and compliance…What we've done is we've said we're getting out of other markets and discontinuing products, such as DLP.

Is your portfolio where you want it to be? Or do you have more evolution to go?

No. In those three market segments, which we believe are increasingly aligned with the future of security, I believe we have very strong offerings. Are they complete? No. I think there's a lot of work to be done. We have as good or better positions in those segments, but we will continue to innovate and grow inorganically as it makes sense.

Where does the cloud play into RSA's new strategy?

There are definitely some cloud-specific security functions that should exist or don't have natural parallels to the traditional enterprise environment, but…we don't view cloud as a separate and distinct environment. We think people want to do security and risk management across their enterprise, whether it's in the cloud or a more traditional environment. That's our approach and we'll see how many other cloud security vendors end up succeeding…I think RSA has a trusted name in security and we have a responsibility, so we haven't been hyping the cloud-specific aspects of what we do. If you look at the acquisitions we've done over the years…It's part of what we do, but we don't advertise it that way, in a marketing way.

What do you think about the debate around encryption?

Amit's personal opinion, not reflecting the views of EMC and Dell and RSA, is that this is quite possibly one of the most absurd public policy proposals in recent decades. It just shows a complete lack of understanding as to how technology works. When you listen to, and you believe the reports coming out of the government…cyber is one of the greatest threats to our society and if you look at any newspaper, you'll see on a daily basis high-profile compromises that are occurring…Given the existential threat that this poses, anything that we can do as a public policy to reduce the level of protections that organizations have and can protect themselves with is fundamentally a step in the wrong direction…The truth of the matter is, when you're dealing with national security and terrorist threats, those sophisticated threat actors are not going to use encryption that has been back-doored by U.S. technology providers…So, not only are you not catching the threats that matter most…you're also weakening the competitiveness of American tech companies on top of the challenges that have been posed by the Snowden exposures and other things.

What about the politics of encryption – can we expect some legislation?

There's certainly a Patriot Act opportunity. When you have legislation at the ready and things happen, you can sweep in on an emotional reaction and response. I think in this case, maybe with the exception of the FBI, you have pretty uniform dislike of this policy, or at least an active neutrality to this policy. If you talk to senior levels of intelligence communities, there isn't a lot of support for this behind closed doors…It does not help the intelligence world to get access to this information…In many of these cases the data is already available – you can see it in the metadata.

What would happen at RSA if they said you had to comply with a court order for decrypting communications?

We wouldn't do it. When I say RSA is going through a lot of transformations, RSA made the decision this year to get out of the crypto business. It is just not a key part of the focus or vision we have for the future. So, we wouldn't make those modifications to our products…as they are products we have already announced end of support for.

Did RSA have a relationship with the NSA in the past? Is there one now?

The good news is, I wasn't here at the time. I think if you listen to Art's keynote at the RSA Conference, which was a short while after some news and hype cycle around this topic, I think Art was very adamant on stage and his answer was, as I understand it, that there was no truth to [rumors of RSA working with the NSA] and no fact to it. I don't know how much more clarity I can add than that…RSA does do business with the federal government…but I can tell you definitely that RSA does not do anything in any way, shape or form to any of our products to do anything other than have the maximum possible protection to those people who buy it…I'm not aware of any R&D with the NSA or any part of the federal government. I think our responsibility is to build the best security products.

Talk a little bit more about the need for governance, risk and compliance.

Generally speaking, this is a problem where organizations have built a lot of internal, manual process trying to manage data that is produced for compliance requirements or risk management practices…We have a platform, called Archer, which allows you to automate the collection of this data, allows you to define work processes and workflows…and have all of that documented. The idea is you can not only make the audit function and risk management functions more efficient, but you can also use the data once it's in a digital format in a much more integrated form with your security operations. Once you know what matters most and where the most sensitive systems are, you can monitor those differently…We think that's an important part of how security is going to be done going forward.

Have you seen any impact on RSA revenue from public sector pushing the private sector for customer information?

I don't know that we've had any specific push-back at RSA. We've been pretty upfront and vocal about our policy on these issues. RSA develops a technology and provides it to customers, so we don't have access to our customers' sites and customer data, which makes it less of an issue…as opposed to, like, a Microsoft Azure where this stuff is actually residing in their environment.

Are nation-state attackers as big a problem as ever? Do we have a clear idea of what to do about hacks from China, etc.?

RSA has no foreign policy arm yet…There have been some good policies coming out of the government and [Department of Defense], which said cyber activity happens and we will retaliate through a number of means…The piece that has been missing from a public policy perspective has been overt response on the part of the government. Other than the naming and shaming and the indictment…there hasn't been any approach from a deterrence factor. That's been largely missing. You'll see some catastrophic event or activity…like OPM, which is the most catastrophic breach ever by a long run, and the response from the government has not been visible.

What would have been the appropriate response to the OPM breach?

That's a great question. Do you make some disclosure? Do you make some sort of economic response? I think there's just lots of visible response, none of which happened…It has to be visible: if you do this, we will expose stuff collected on you…There's a complete lack of any deterrent functionality.

In terms of the vast amount of venture capital funding being invested in startups, can we expect some consolidation in 2016?

There's a lot of pressure to sell your solution and pursue your dream, but there's also a lot of hyped up claims and expectation for what these technologies can do…I don't know if it's lack of experience in the security market or aggressive market[ing] claims…I think you'll continue to see M&A activity because there are a lot of great innovations out there over the past several years. As we see market adoption and traction pick up for some of these technologies, I think you will see market consolidation…At the moment it seems like the valuations are a little irrational, so I think you'll probably see a fair bit of shakeout as well.