How Signify weathered the RSA breach storm: Eleanor Dallaway chats to Dave Abraham, co-founder and CEO of Signify

Written by

Last week, I went to lunch with Dave Abraham, co-founder and CEO of Signify, an information security company that delivers two-factor authentication.
One of their leading products is the RSA SecurID token. Yes, the red and blue ones. Yes, the ones that have been very famously compromised twice this year.
So naturally I was keen to find out how these catastrophic breaches have affected Signify’s business. I thought it might be a bit of a touchy subject, but I underestimated Dave Abraham. Within a few minutes of talking business, he skipped right to the consequences of the RSA breaches. “The sales may have slowed – or stopped – for a week or two, but then they bounced right back.” As with all “bad news” in the information security industry, considers Abraham, “sales can be maintained or even excelled. People need to be secure”.

Although he admits that 2011 has been “challenging”, it sounds like Signify coped with the situation very well indeed. “We’re a managed service, so we handled the process for the customers. We contacted our customers and asked them if they wanted their tokens replaced. If they did, we managed that for them – it was no hassle on their part”. As it happened, about 50% of their RSA-token holding customers wanted replacements. “To be honest, it was a little bit disappointing when some of the customers didn’t want them to be replaced when we believed it would be important to them. We didn’t advise them either way, it was more about giving them the option and letting them know that we would be able to manage and support their decision”.
While a small number of customers wanted to look at RSA alternatives following the breaches, Abraham insists that business has largely remained constant.
Putting the RSA breaches aside, Abraham and I discussed Signify’s route to market. And that route was neither short nor easy. After leaving university in 1993 in what Abraham calls “a recession”, he took a web development job in London before starting his own company in the same space.

In 2000, Abraham and his business partner John Stewart formed Signify, a two-factor authentication company, which Abraham describes as “a gamble”. Sadly, John Stewart lost his three-year battle against prostate cancer earlier this year. Abraham speaks fondly of his co-founder and I get the feeling that Abraham lost more than just a colleague with the loss of Stewart, it seems he also lost a good friend.
This is not surprising considering the journey they went on together launching Signify. When I hear of the hurdles they faced - what with investment “drying up” and being ahead of the times with two-factor authentication, I ask whether or not they ever considered just throwing in the towel. “Yes”, he said without hesitation. “In 2007, we tried to sell it. During this process, the company became profitable and we went on a management course. We got a good offer, but we turned it down”.
With hindsight Abraham considers this a good decision. “We’ve doubled our revenues since 2007 and the business is continuing to grow”. Abraham walks me through his four objectives for Signify customers:
  1. Be secure
  2. Reliable. It has to work.
  3. Flexibility – to serve anywhere from one user to 17,000 users.
  4. It has to be quick and easy
With the fourth objective I think he hits the nail on the head. Yes, authentication has to be secure, but if it’s not easy to use, people will find a way around it.
Perhaps this is one of the main reasons why Signify now offer authentication by smartphone, or by text, as an option. Abraham estimates that around 60% of Signify’s customers opt for hardware authentication, and the remaining 40% choose software tokens (smartphone).
We talk about how banks are one by one adopting two-factor authentication, largely in the form of hardware tokens. “Ideally, banks don’t want to carry on giving out tokens because they are expensive”. While Signify don’t target banks as customers, they do appreciate that the adoption by banks has a knock-on effect on people recognising the need for two-factor authentication.
I’m glad to hear that Signify have weathered the RSA-storm without too much collateral damage. It’s not surprising though, from a company who puts its customers at the absolute centre of what they do. 

What’s hot on Infosecurity Magazine?