Q&A: Eddie Schwartz, chief security officer, RSA

By Stuart Sumner

18 Sep 2011


RSA's Eddie Schwartz

Secure token specialist RSA appointed Eddie Schwartz as its chief security officer (CSO) in June this year, following a major security breach which it claimed cost £40m.

In an awkward moment for a company which trades on its security expertise, RSA was forced to admit that some information relating to its two-factor authentication products was accessed by cyber criminals.


When RSA customer Lockheed Martin suffered a breach in May, many commentators suggested that the security failing could have resulted from the RSA hack.

It was obvious that Schwartz had a large task before him in his new role: to improve security in the short term, and to begin rebuilding the damaged RSA brand in the longer term.

Computing spoke exclusively to Schwartz about his first six months at RSA.


What have you experienced so far in your role?

"Lots of RSA people saw the breach as a call to action; they were upset by what happened and wanted to know what they could do to help.

"When I came in there were some immediate actions I needed to take and I worked hand in hand with Dave Martin, CSO at [parent company and information infrastructure provider] EMC, to attack that list.

"The most important task was to secure the crown jewels; protecting customer data, financial information and key intellectual property."


What is the best way to improve security?

"We held a summit in Washington in July and got 110 CSOs behind closed doors and asked how they secure themselves. We asked what works in terms of people, process and technology.

"We exchanged ideas around areas such as end-user training. Historically, that was seen to be an audit check box: you show a website to people, ask them to change the password and you're done for the year because you've satisfied your audit requirement.

"The new approach is more scenario-based, using role-play and outcome-based training. It exposes people to true attack vectors and shows them the real damage that their activities in failing the security test could cause to the enterprise or to them personally.

"We decided to implement internally some of the things that came out of the summit.

"Everyone had a similar story about being attacked, and shared what they're doing about it. And it's not just about technology, we're talking about changing processes, and changes to the way these companies hire people.

"We found APTs [Advanced Persistent Threats] are more prevalent than is being reported in the press and than people believed."


How do you measure your success in this role?

"You can set objectives in terms of making process changes; you can get finite goals that way.

"In terms of outcome, ten years ago an employer asked, 'How do I pay you as a CSO?' I said I'm not going to commit to fewer than ten virus outbreaks a year because there are so many dependencies. One of the metrics that's interesting is: are we getting better at reducing the amount of time that it takes us to see some of these advanced attacks?

"Adversaries have had free rein for a long time. We saw the breach in progress in the March attack. Many organisations find out about a breach months after it's occurred.

"Part of the success criteria is to continue to shorten that window of opportunity.

"At our summit, everyone admitted that they're living with compromise. Breaches occur every day. We may be attacked by criminal groups, hacktivists, nation states and all we can do is attempt to shorten the time the attacker has on the network. Then we can limit the damage done."


How closely do you work with the RSA board?

"I absolutely have the backing of the board. In a lot of organisations, security is something which bubbles up now and again. In RSA this activity is a core competency.

"I would argue that organisations today need to think about things like incident management at board level; it's not just a security function. You need to get legal, HR and senior management involved. People need to understand their roles in situations like this and buy into it."


Do you worry that you'll be blamed if there is another similar breach?

"It doesn't worry me at all. When you sign up for a role like this, you take on all of the associated responsibilities. RSA isn't looking for a scapegoat, but someone to help it put together a successful security programme.

"Any mature operator who steps into a role like this has to look at it as a unique opportunity. It's a company that has the resources and interest [to fund this role], and is the target of attacks. I can't think of a more exciting job today.

"It's both a challenge and an opportunity. I stepped into this with both eyes open."
