EMC's acquisition of RSA was one of the biggest stories in the industry last year. How is the integration progressing and how have your respective customers reacted to the change?
The reaction from customers once we explained the strategy is absolutely phenomenal. When you put security in the context of EMC's information infrastructure strategy, they get it. Now, the question is, how do you put all of it together? One thing is Infoscape, which allows the tagging of structured and unstructured data and from there you can decide what to encrypt. Also there are ways we can combine access control and incident monitoring to see how we can work with document management. When you take the strategy down to the street level like that, customers get it.
I keep hearing these comparisons of this deal to the Symantec acquisition of Veritas.
There's no correlation with Symantec. EMC is five or six times the size of Symantec, and they make a bold move in acquiring us and they have a lot more credibility to work with. Symantec is about protecting the machines. Ours is more information-centric security. We protect the access to the information from the inside out. For us when we talk to customers, we talk about the need to solve the problem of protecting data at rest. It's less about products for us.
Strong authentication is still one of the major concerns for enterprises, and part of the reason more of them haven't deployed it is the cost. Do you believe the hardware token business will still be viable in the coming years?
Tokens definitely are going to be big business for us for the foreseeable future. Every year we hear about the demise of tokens. In 22 years we've sold 24 million tokens. In the 18 months ending in December 2006 we'll be in the process of protecting 100 million consumer accounts. That's a combination of SecurID tokens, the SecurID toolbar and other tools. But the game has changed dramatically in authentication. You need a number of solutions that satisfy a number of dynamics, such as low volume, high value accounts or high volume, low value accounts. You need methods of going from very passive to very active authentication to give customers confidence. A customer might want a SecurID token for online trading, but maybe Site Key is enough for online banking. We have to be able to adapt. People accessing information or performing transactions don't always do it in the same way each time.
How much of an effect have regulations such as FFIEC and Sarbanes-Oxley had on driving demand for your products, especially the authentication line?
FFIEC has been absolutely huge for us. We've gotten hundreds of financial institutions as customers through that. It has had a dramatic impact on sales of tokens especially. And I would expect that to continue.
How does RSA plan to address the growing popularity of on-demand services? What's the opportunity there for you?
There's actually a lot that we can do in terms of access control, permissions, authentication. You will see us spreading out to more on-demand services in the future.
As we've seen at the RSA Conference in past years and will again this year, some of the biggest players in the tech industry, including Cisco and Microsoft, are pushing hard on security and building more and more functionality into their products. Does that make it more difficult for independent security companies to survive over time?
Well, it's interesting. That's a great question. I think security does need to be built in and not bolted on after the fact. That's just the more efficient and sensible way of doing it. I don't think that over time you will see an independent security industry in the future. I see this as security coming of age. Our perimeter defenses are way too porous. We need to fill in those holes somehow. And if products overlap, that's not necessarily a bad thing. It's better to have overlap than to have holes. But as [EMC and RSA] integrate, we will support the security work that Microsoft and Cisco and others are doing. But I think there will always be a requirement for products to work in a heterogeneous environment, regardless of who makes them.