SecurityNewsletter.com : How does the information-centric approach you’ve talked about during the show fits into your strategy ?

Art Coviello: The reality of information security is that you can’t secure what you can’t manage, and you can’t manage what you can’t find. That’s why last august we acquired Tablus, a provider of data loss prevention solutions. We are going to merge Infoscape (editor’s note : a product EMC launched last year as the flagship of its Intelligent Information Management initiative), which is a data discovering classification engine, with the Tablus functionalities. That will help us satisfy one element of an information-centric approach. Because now you are looking at the data and the information. But everything we do in Identity, in terms of either identity protection or in terms of identity authentication, is also supportive of that information-centric approach, because it’s people that usually get access to the data so if you control the people and you know who is getting access, then you are in a position to also protect the information. You need to monitor the flow of data and who is getting access to it.

So everything we do is pretty much in concert with this information-centric approach. And what I think happened is that the market headed our way. We never were in the perimeter defense business, we did not have Intrusion Detection Systems, vulnerability assessment scanners, VPN or firewall. We’ve always been in the business that centered on the people and the data itself. But encryption, which is a form of data protection, wasn’t sufficient, because it only protects information at rest and not information in use. Which is why we added the Tablus piece.

The other thing about an information-centric approach is understanding risk. It’s more a consultative approach so we made an announcement this week about risk management and risk assessment. We are trying to leverage the fact we are part of EMC to take advantage of their professional services infrastructure and methodologies. We are thus launching a security consulting practice. It will help our customers understand the risk on their information and be in a position to provide an appropriate solution to mitigate that risk.

How large will be this security consulting practice ?

Right now we have 80 people. Most of them have been involved in implementing security products. So it’s not like we didn’t have already a professional services organization already. But we wont’ to scale that up to an additional 200 people over the next 12 to 24 months. The other way we will accomplish the goal is through partners, and training the partners on our risk assessment methodology, and then qualify them. There is such a need for this service on the market that we don’t think we can’t do it all by ourselves.

Do you feel services will be, or should be, a big part of RSA's revenue ?

Keep in mind we are a products and solutions company first. We expect professional services over time will get to be between 10 to 15%, and in a long term 15 to 20% of our business.

Why aren't there more partnerships between business intelligence companies and security companies ? Since you want to protect the data you need to know where is that data and how to deal with it. It would make sense to work closely with companies specialized in data management, analytics, etc.

I think you bring up a very good point. You will start to see that happen. You should expect to see that happen because I believe security is inextricably tied to information management. And people that have a good understanding on how to extract and use information would be potentially a natural partnership. It’s only a matter of time.

Will it take long to build the 1 billion dollar unit that Joe Tucci (CEO of EMC) talked about at the time of the acquisition ?

The last full year that we operated as an independent company, RSA did 310 millions dollars, that was 2005. In 2007, we have already established at half a billion. So we don’t make predictions in terms of the timeline but I think we are on a pretty fast trajectory.

Do you think you will need to make new acquisitions in order to keep that growth ?

We’ve made, either as a part of EMC or before EMC, six acquisitions in the last two years. The four previous years before that, we acquired no companies at all. And during the four previous years before, we acquired four companies. So we would acquire when it makes strategic sense for us to acquire. But right now we need to absorb past acquisitions and be effective with the assets that we already have.

What did you get from EMC since the acquisition ?

Some assets in resource management, and part of the EMC portfolio that will help us. We also get storage technologies and products from EMC, used in our incident and event monitoring product line. But EMC did not acquire us to deliver technologies to the market. They acquired us to get technologies and to add distribution and financial power to RSA. So they’ve made incredible contributions, much higher than what we ever had the opportunity to have before. Plus all the acquisitions we would not have been able to do on our own, and the professional services practice that we build now.

Did the merge with EMC have any affect on RSA’s channel program ?

I met with the channel partners in the USA two weeks ago and they were all quite happy. They were concerned that because we are part of EMC that it might affect our program with the channel. But it hasn’t either in the USA or across the rest of the world. We may have had an impact on EMC. EMC has work hard to become a more channel friendly company.

Is life very different for you as the President of the security division of EMC ?

I’d say my life has changed maybe 15-20%. I no longer have the worry of being a public company CEO or as much in contact with investors, but I still meet EMC investors periodically. And I don’t have my own board of directors. That’s a good thing ! I just have Joe Tucci, that’s a good trade. On the other hand, there is a bigger entity that I need to figure out how to leverage and plug into. So the time I save not dealing as a public company CEO, I spend on try to create leverage across EMC. But in terms of RSA business I feel I am more productive.