
RSA Adds Chief Security Officer After Hack


EMC faces mounting criticism over the March data breach that continues to expose its RSA security division customers--including Lockheed Martin--to targeted attacks. In response, it's created a new job position at RSA: chief security officer (CSO).

While EMC hasn't officially announced the move, a Wednesday Twitter post from Eddie Schwartz, formerly CSO of NetWitness, said that he was now CSO of RSA. "Only job more public and challenging at the moment would be CSO of Sony."

Schwartz comes to EMC via its April 2011 acquisition of NetWitness, where he was CSO. NetWitness develops security analysis and visualization software that competes with offerings from such vendors as Cisco, HP, and IBM. (With the conclusion of the purchase, EMC said that NetWitness products would become core parts of its RSA security products.)

Previously, Schwartz's positions included serving for 12 years as a foreign service officer for the Department of State, technical director of a large government security lab, and CTO of ManTech. He also authored the network forensics chapter of "CyberForensics: Understanding Information Security Investigations," published last year.

RSA has faced criticism--and the threat of customer defections--over its handling of the March data breach, in which hackers stole sensitive details related to RSA's SecurID two-factor authentication system. RSA has yet to fully detail, at least publicly, what hackers stole, and the resulting risks faced by its customers.

But earlier this week, RSA said that it was in the process of replacing SecurID hardware tokens for organizations deemed to be at the greatest risk of attack, which it identified as "customers with concentrated user bases typically focused on protecting intellectual property and corporate networks." It also said it was recommending risk mitigation strategies for firms with large, dispersed user bases, such as consumer banking operations. In addition to that customer outreach program, RSA is adding what appears to be its first-ever CSO.

But is it surprising that the security powerhouse didn't already have a CSO? "No," said John Oltsik, a security analyst at Enterprise Strategy Group. "I imagine that Eddie will be an outbound CSO working with the sales team and meeting with high-level security executives. I don't see him with an internal role."

In fact, EMC already has a global CSO in the form of David Mitchell, who joined the company in 2004. According to the EMC website, Mitchell "has functional and operational responsibility for all of EMC's information, risk, crisis management, investigative, fraud, and workforce security operations." He previously led EMC's office of information security, which focuses on protecting the organization's assets.

RSA is hardly the first outfit to add a CSO in the wake of a data breach. But simply creating the role is not enough, warn security experts. "CSO/CISOs are completely ineffective and not worth it if they are either hired for the wrong reason, or relegated to an IT role," said Oltsik. "For a CISO to be effective, he or she must work with the business and executive managers."

Arguably, given RSA's security background as well as the presence of Mitchell--amongst other EMC executives responsible for the organization's own security--Schwartz will hit the ground running.
