All Those Years Ago: Looking back at the early days of cybercrime & fraud at RSA
Over the past 6+ years at RSA I’ve seen a lot of change, from acquisitions to new product launches to the dreaded “end of life” of a product. I’ve seen the group I originally started in grow from less than a dozen people to one of the largest segments of the company. I’ve also seen how much our view of the world and the market can differ over the course of a few years.
Because of all of this change I thought it would be fun to look back and reminisce about the “old times” when I was new to the company and the company was new to the “consumer” space. While 5-6 years ago may seem like a long time to most people, in the cybercrime and fraud world it can be ancient history. So in order to feed my need for nostalgia (and to help clean up my overstuffed hard drive) I decided to go back and look at some old materials and emails from the 2005-2006 era at RSA. Here are some pretty interesting things from all those years ago:
- When I started at RSA the original strategy of the consumer group (which is now known as the Identity Protection & Verification group) was to sell RSA tokens directly to end-users. We envisioned a time when users would walk into their local Circuit City and buy an RSA token which would then be used at their bank, auction, brokerage or other online sites. Like Circuit City, those days are long gone. We quickly realized that the real challenge was convincing the banks to actually accept the token and to implement strong authentication. In December 2005 RSA acquired Cyota. Five months later RSA acquired Cyota’s primary competitor, Passmark, and we were “all-in” betting on the risk-based authentication market with less emphasis on tokens for consumers. (It’s worth noting that many sites all over the world today still support and even mandate strong authentication with tokens. In fact, I still use one to access my E*TRADE account.) A quarter of a billion end users later it’s safe to say that risk-based authentication was a good bet, and is probably the most popular consumer authentication technique since the password.
- The consumer token strategy focused on a network-based token which could be accepted at multiple sites. RSA was intent on solving the “token necklace” problem, where users would have to carry a different key fob for every site. Since consumer tokens never rose to the level of popularity needed to create this problem, the network effect had less of an impact.
- Usability and consumer experience were as important as security in our messaging. Statements such as “While online users demand strong authentication, they also require that the security be convenient and easy to use” were common. I’d argue this is still as true today as it was then.
- Common 2005-2006 interview question: “Have you ever heard of something called phishing?”. Many candidates had not.
- Words that did not appear in any of our marketing materials: “man-in-the-browser attacks”, “cybercrime”, “APT”, “malware” or “Zeus”. However “risk-based”, “adaptive authentication”, “layered security” and “site-to-user authentication” were all commonly used.
- A 2006 RSA white paper stated “Realistically, man-in-the-middle attacks are impractically-difficult to sustain.” If only this were still true! The same white paper emphasized that users should be encouraged to “type out URLs instead of clicking on links” as a defense against phishing.
- Much of the business pitch to financial institutions before the FFIEC authentication guidance (“Authentication in an Internet Banking Environment”) was released in 2005 was convincing the banks to add security in order to give users the “confidence to transact online”. Back then “security” was a dirty word for most banks. Many banks told us “we don’t talk about security; if we do it implies we have a security problem”. Before the guidance there were only a handful of banks like E*TRADE, Bank of America and Stanford Federal Credit Union who tried to use security as a differentiator. Fast forward a few years and banks had no choice but to convince users that they had excellent security, since the problem was widespread and reported in the mainstream media.
E*TRADE was one of the earliest banks to use security as a marketing tool
- The very first eFraudNetwork event, then called “eFraudNetwork Live!”, was held at the Roosevelt Hotel in New York City in 2006. It was partially a user conference and partially an industry event. Back then the idea of financial institutions getting together to discuss fraud and attacks was relatively new. Fast forward to today and everyone realizes that collaboration is a key defense tactic. The eFraudNetwork Live! event has grown into the eFraud Global Forum, an official invitation-only RSA Conference event (run by an independent cross-industry program committee) dedicated to the discussion of online fraud. Check out the video RSA created to kick off the 2007 eFraudNetwork Live! event, which is still up on YouTube.
- In 2005 I did not own a smart phone. Even more shocking, I did not want one. Mobile security wasn’t even on our radar.
What do you remember about the market 5-6 years ago? Had YOU ever heard of phishing or malware? Do you remember when your bank first introduced additional layers of security?
What a fun trip down “memory lane”. Since beginning at Cyota in 2000 I cannot believe how much evolution has taken place.
Thanks Seth! This was fun!