The Public Eye with Eric Chabrow

No Such Thing as Bad Publicity

Reversal of Fortunes: How the RSA Breach Might Help Drive Sales

"I don't care what you say about me, as long as you say something about me, and as long as you spell my name right." - George M. Cohan

* * *

And, it's spelled R-S-A.

The fact that a highly renowned security provider's IT system was breached, and the target of the assault was one of its flagship products, isn't the type of publicity any company would want, let alone an information security vendor. After all, hackers successfully penetrating and pilfering data from the IT system of a security maker isn't good for business.

But the advanced persistent threat attack against RSA and its SecurID two-factor authentication product revealed March 17 has raised the visibility of multifactor authentication technology to potential users. And, in the long run, that might benefit RSA's bottom line.

"Even bad book reviews lead to sales," says Nick Wreden, an author and expert in international branding and onetime information technology writer. "However, the real benefit to the company is the awareness that the breach has raised. People will think, 'If that can happen to those big companies, it can happen to me, so I'd better do something now.' Like a rising tide, every company in an industry can gain if awareness goes up."

And, historically, many brand leaders have rebounded from negative publicity. "Look at aircraft manufacturers after a crash, or car manufacturers after a recall. What matters is the response to it," says Wreden, author of ProfitBrand. "The response needs to be open and appropriate, with at least some acceptance of responsibility. As the cliché goes, it's not the crime that gets you into trouble, it's the cover up."

RSA has said very little publicly about the breach. Two weeks passed between the initial website posting from RSA Executive Chairman Art Coviello revealing the APT attack (see RSA Says Hackers Take Aim At Its SecurID Products) and last Friday's blog by Uri Rivner, head of new technologies, identity protection and verification at RSA, who wrote about how an employee unwittingly opened an e-mail attachment that contained a Trojan that let in the virus (see 'Tricked' RSA Worker Opened Backdoor to APT Attack).

Still, RSA hasn't been quiet with its core constituency: customers of SecurID. RSA reached out to its customers within hours of realizing the severity of the breach, furnishing them with steps to take to assure SecurID's efficacy. The day after the attack was revealed, Christopher Ipsen, Nevada's state chief information security officer, says RSA contacted him and he found Coviello's comment reassuring. "They did the right thing," says Ipsen, who's also an RSA certified administrator. "As a result, I am more comfortable than I would have been had I heard about the APT from some other source."

Individuals knowledgeable of the inner workings of RSA, who requested anonymity, say leaders at the security subsidiary of storage maker EMC believe the company isn't in dire straits because of the breach. They note that gloating over the breach primarily came from niche players in the authentication marketplace and not from most of RSA's bigger rivals, in part, because the larger competitors realize their IT systems could be breached, too.

And, the fact that SecurID has been around for a quarter of a century - outdated technology in the minds of some, but a product that the company maintains has evolved over the years to remain vital - means it can't be easily dismissed but must continue to prove itself. "Everyone applauds when a salesperson brings in a big win. Then, the next day, the boss asks, 'What have you sold today?'" Wreden says. "People's memories are pretty short, especially in the tech arena, where this morning's leader can be this afternoon's laggard."

RSA should be lauded for its quick response to its customers. And, with Rivner's blog, the company is becoming a bit more transparent about the breach. The coming weeks and months will determine the viability of RSA's wares, as the company reveals more about the breach, which those with inside knowledge say will happen.

What the marketplace doesn't want is what George M. Cohan is best known for, a song and a dance.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
