So far, the reaction seems to be a muted wait-and-see attitude.

"Time is the teller," says Alex Naveira, information technology security officer at Miami's Children's Hospital, who notes RSA has had a "solid reputation" for a long time. He doesn't use SecurID today but based on what's known so far about RSA's cyberattack, he wouldn't dismiss RSA because of it.

Scott Crawford, research director, security and risk management at consultancy Enterprise Management Associates, says it would be "useful" if RSA put out more information. But so far he says the fact that RSA has acknowledged it's become the victim of stealthy cyberattack aimed at infiltrating and stealing information (RSA itself refers to itself as an advanced persistent threat) is not cause enough to stop using SecurID or drop RSA as a vendor.

There are bound to be concerns, since SecurID tokens are typically used for high-value transactions, he points out, such as in financial transaction or network administrative control function. And until RSA provides more information, there will be a lot of questions about what happened at RSA and how the attack took place.

In the "RSA SecurCare" note that RSA sent out to its customers, which alludes to the "extremely sophisticated cyber attack" that was identified, RSA lists a set of recommendations for SecurID customers. The fact that the first one is, "We recommend customers increase their focus on security for social media and the use of those applications and websites by anyone with access to their critical networks," raises a few eye-brows.