RSA has appointed its first chief security officer, three months after a data theft on its network contributed to the hack of the world's biggest defense contractor, and possibly other important customers. RSA awarded the position to Eddie Schwartz, who held a similar title at NetWitness, the security monitoring firm acquired …
Am I the only one who thinks it slightly humorous that a company that sells security devices doesn't have it's own security officer ?
This has all happend before, and will happen again
I seem to remember, waaaaay back, when someone stood up at an RSA conference and said, "I can predict the next tokencode on your demo unit". Everyone laughed. Said chap predicted the next Tokencode. Everyone stopped laughing. RSA, ummed & arrrd over this for a long time, then switched to AES to get round this problem. Not once did they say hey, your security is totally predictable by a sweaty guy with a laptop. The body was quietly swept under the carpet, Marketing waved their arms as a distraction and for the most part no one knew or gave a monkeys.
After tis latest boo-boo, I'm sure LM gave a whole cage of Monkeys as it was their IP that was (presumably) siphoned away.
Alas, security is like life, there are no guarantees.
"RSA has appointed its first chief security officer"
Remind me again what RSA *do*.
Icon expresses my view.
Behind the times...?
From the OP: "..RSA has appointed its first chief security officer..."
If this means what it says, it implies that RSA (a major security product provider) has NOT had a Head of Information Security position before. Amongst other things, it would be hard for them to be in compliance with ISO 27001/2 without such a post.
But that's not surprising. Amongst other skills, I work in contract interim Head of Information Security positions. Everybody talks a lot about this subject, but few clients want to pay money for it to be undertaken. I get about 1 job a year....
a new piñata..
.. for the hacker crowd.
So RSA keeps the keys to the kingdom for 40 million employees' two-tier authorization on their own internet-connected systems, but they didn't have a CSO until now?
I think that qualifies as an accident-waiting-to-happen....