“There’s not a guide book on how to deal with something like this. At the time you don’t realise how important some things will be but I think having a set of principles we were going to make decisions by was hugely important,” Fitzgerald said.
“Day-by-day, minute-by-minute we were forced to make a whole bunch of decisions and when you base them around some sort of guide posts in terms of what you are going to put first and what you should prioritise, it’s pretty easy to lose your way,” he added.
Fitzgerald, speaking at the RSA Conference 2012 in San Francisco, gave insight into how the company reacted in the immediate aftermath of discovering the large-scale breach.
“There wasn’t really panic, but determination. In those early hours we still didn’t know how big it would be and where it would go. Even if we knew it would be significant I don’t think we could understand the full scope until we got into it. There was never panic or complaining. As Art [Coviello] said, you form your brigades and you fight,” he said.
He added that, whilst the option was there to not disclose what had happened, the decision was made early on to inform the customers and then go public.
“We were fortunate that we discovered it in process. One of the guiding principles we had was if we understood there could be a risk for customers we were going to announce it. When it came down that we were in a place where we couldn’t rule out there could be risk to customers, that’s what we did,” he said.
“Then it was really execution and deciding what we had to do, how to roll it out and the best way to both let the customers know that there’s risk and then what we should tell them to do about it. We were really working with our technical teams to create best practices as they understood what the risk could be to the products and the customers. We got our mitigation tactics in documents very quickly, got our statements together and then literally hours later we put out our token letter on the website. It all happened in a blur,” he added.
With the entire RSA team working around the clock on such a vital issue to the company’s future, Fitzgerald admitted it was inevitable that senior members of staff would disagree on the logistics of how the situation should be dealt with.
“There was never a disagreement over what we were trying to accomplish, but there was always good discussion about how and the best way to do it. There were no fist fights or chairs thrown, but there was a lot of really good debate on how we were going to achieve what we wanted to do,” he said.
However, the decision was made that once RSA had dealt with its customers, it could benefit from drawing on its experience to become an expert in how to deal with severe threats, Fitzgerald said.
“We knew that when we thought we had the ability to start to educate the market on what we saw on this kind of threat, we would start to turn from simply being customer focused to working on recovering our image and becoming something else. That really started in July. We had an advanced threat summit in Washington DC with about 100 tremendously influential people in chief security from the offices of some of the world’s biggest companies and government leaders,” he said.
“We started talking about the breach and found that when we started to talk about what happened to us and what we were seeing, lots of other people started talking about it. As an industry we have to get better at information sharing because in that simple session in DC a lot of people came up to us and said they were dying to have a session like this to just be honest and open in what was going on and what everyone was seeing. Then it really went on from there,” he added.
Fitzgerald was quick to clarify that RSA did not take advantage of a situation that harmed its customers.
“I want to make clear that we never tried to exploit the situation, but we are saying that we have a responsibility as a security leader to try to get people to understand this is a real deal, these are threats we will all face and there are things we can do about it,” he said.
“There was a lot of stress and concerns so I never like to say hey, it was good for us, I’m sorry for your trouble. But we think that it did make our business more focused. It really helped us to hone our strategy and you’ll see innovation in the product roadmap directly coming out of this. We can now channel what we’ve learnt into new investments,” he added.
However, Fitzgerald also does not deny that the crisis brought RSA some benefits it would not have had, had the breach not happened.
“A lot of the security people in our company had wanted to have a discussion with our board for a long time about what we should be doing and weren’t getting that opportunity, so suddenly these were conversations they could have. We wanted to be able to help our customers educate their boards and senior management on what to do,” he said.
“Coming out of it we actually refocused and crystallised our business. We really wanted to take advantage of the opportunity to make our business stronger, get innovation out of it and help our customers lay out to their senior management that this was real, this is what we need to do and here are the investments we need to make,” he added.
Sub editor Ben Rossi is reporting live from the RSA Security Conference 2012 in San Francisco. For live tweets from the event, follow @ComputerNewsME and #RSAC.