
Business-driven Security is About Owning Risks Across Functions

Posted By - Rahul Neel Mani, Editor

Managing risks and creating a stronger Cybersecurity posture in an ever-changing threat landscape is a tough job. On top of that, most industries are grappling with stricter, more stringent compliance structures. Nigel Ng, Vice President, Asia Pacific & Japan, RSA, spoke to Rahul Neel Mani of dynamicCISO.com on various Cybersecurity issues and explained how RSA’s business-driven security can help both corporates and governments manage their security holistically. The conversation took place on the sidelines of RSA Conference 2017. Below are excerpts from the interview:

DC: RSA talks of ‘business-driven security’ as its core theme in 2017. Is it something new? Tell us about it.

Nigel: For RSA, business-driven security isn’t a new concept. Generally we have found that business owners don’t understand the language that IT security folks speak. They don’t understand what a DDoS attack is, or how a data breach happens. Business owners simply look for clarity on a few fundamental things:

  • What is the implication of an attack or a breach on their organization?
  • Can this be prevented from happening again through a combination of technology, people and processes?

It is from that perspective that RSA wants to drive the agenda of ‘business-driven security’. We want to ensure when our customers choose to work with us, we have answers to those questions. Business owners don’t appreciate any sort of delays and look for rapid action and quick resolutions. We live in the world of constant compromises. But when an organization is compromised, it should have the answers to those questions as quickly as possible. RSA never claims that it can provide 100% protection from threats. What we do assure CIOs and CISOs is that we can help put their business back to work with least disruption. That’s the key message we are giving through the ‘business-driven security’.

DC: Today the boards have mandated the CISO, CRO, or a CIO with taking care of the business risks of organizations. They want a stronger security posture. How is RSA’s new portfolio of technology helping them achieve it?

Nigel: Actually, the other aspect of ‘business-driven security’ is about owning the risks. We want our customers to own risks. The ownership of risk practically lies with everybody in an organization. It doesn’t just belong to an IT or a Security professional or a group of professionals. RSA, with its ‘business-driven security’ approach, can quantify and qualify what these business risks are. When a security event occurs, the business should know the intensity of the impact in order to prioritize its resolution. If the business impact is high, it needs immediate remediation; if the impact is lower, it can take time.

Most organizations have hundreds (if not thousands or tens of thousands) of events taking place every day. None of these companies has adequate manpower to review every single event or incident. If we can educate them on the top 10 incidents that can impact their business adversely, they’ll be well prepared to tackle those. That’s what our business-driven security approach does.

DC: How do you work with business owners, business heads, and other relevant folks to help them understand the seriousness of business risks and not put it solely on the CISO or CIO?

Nigel: Depending on the maturity of the customer, some of them are already aligned with this type of approach. In many other cases, where the companies aren’t that mature, they take a disparate and siloed approach. The former are easier for us to work with. In the latter case, however, we have to facilitate the conversation between the different stakeholders. It’s in the interest of the organization to have a single goal. A lot depends on the maturity of the user organization. If we talk about Indian organizations, there has been a tremendous change in their thinking about business risks, and thus the importance of InfoSec has gone up tremendously. As a result, the piecemeal approach of deploying point products is giving way to a platform approach. This shift in approach can take care of containing the most sophisticated new threats.

DC: Apart from selling products and platforms, how do you engage with organizations on a strategic level or from a consulting point of view?

Nigel: When we engage with customers, we first educate them that there’s no single silver bullet for the information/cyber security issues an organization faces today. The threat landscape has been changing and adversaries come from very unknown quarters. These adversaries are happy to spend months and even years understanding the user environment to find vulnerabilities and get inside the network. These adversaries have patience and resources. It is a tough scenario to deal with. With most organizations now delving into creating new business opportunities with the help of technologies such as digital, cloud and mobile, the attack surface is getting bigger and wider, providing more opportunities for attackers to slide in. But to do business more conveniently, and to bring agility and speed, adoption of these technologies is a must. For any security vendor it is difficult to protect this ever-growing attack surface. Our role as a strategic partner starts with classifying data as crown jewels and non-critical. As a next step, we advise our customers to focus on the former. Anything that happens to those crown jewels needs an instant alert and has to be remediated. The crown jewels are the primary assets to be protected.

DC: One part of the process is classifying the data in the two buckets and guarding the crown jewels. The other part is to look at the whole incident response mechanism, which in most cases is flawed. How does RSA look at this problem and what does it suggest?

Nigel: At RSA our endeavor is to provide an interactive and integrated security platform to users. It’s true that no single security company can provide all the pieces of this platform. Also, technology alone is not the answer by itself. When RSA works with its customers in building an intelligent Security Operations Center (iSOC), it brings various complementary technologies together to create this single platform. Our expert teams help build the processes. RSA has developed a special module in its “Archer” portfolio which specifically helps a customer process and automate its Incident Response (IR). It gives them a single pane of glass even though they use products from us and other vendors. Otherwise, it is a daunting task to get reports from different products and make sense of them. For an organization handling thousands of incidents every day, it is important to automate this process.

Since adversaries are coming up with new, innovative ways to target an organization, the people who man the SOCs need to be equipped with advanced skills. These skills need to be continuously upgraded. Professionals need to be trained, and retrained. Our IR experts work with customers to train and upgrade their professionals regularly.

DC: You mean RSA plays an active role in training the security staff of its customers?

Nigel: For the large organizations that can afford to hire enough competent people in their SOC, there aren’t as many issues. But most SOCs across the APJ region have no more than 15 people. In cases where customers don’t have enough people, RSA puts in its resources. As I mentioned earlier, our IR team spends time with the security teams of customer organizations to update and upgrade them. In general, RSA also runs education programs to enhance the skills of security professionals. We have begun working with many universities across the APJ region to offer courses in Cybersecurity. For example, in Singapore we partner with Temasek Polytechnic. In Australia we partner with Macquarie University. We are talking to a top university in Korea, Indonesia and so on. RSA has even sponsored joint R&D in the field of Cybersecurity. We did one recently in Singapore for critical infra.

DC: In a comment earlier, you mentioned how critical it is to automate the incident response (IR) mechanism. What kind of automation does a typical SOC require?

Nigel: It is very simple: the more we automate, the more we integrate, and the easier it is to run SOC operations. For example, at Temasek Polytechnic Singapore we have built a live SOC which manages five campuses of the institution. The automation helps in segregating the really ‘critical incidents’ from the ‘not so critical’ ones so that the security teams can focus on the events needing urgent attention. Even the shift schedule is automated, so that when one shift leaves and the next one comes in, they know exactly which incidents are being followed and what stage the investigation has reached.

DC: How do you view the Governments and their Cybersecurity postures in this region? How does RSA work with different governments?

Nigel: It’s interesting to observe the Cybersecurity postures of various countries, which also indicate the maturity of their Cybersecurity policies. The United States, where 85% of the federal government is an RSA customer, has a decently mature Cybersecurity posture. In APJ you will find different countries at different stages. If we look at India, its Cybersecurity policy is governed by an approximately 8-year-old document, which needs to undergo a change because in Cybersecurity eight years is a lifetime. In Australia, the government has just passed the Privacy Amendment Bill 2016, which establishes mandatory data breach notification for all. In the Philippines the government has just augmented its data protection act. If a company loses customer data, it not only has to pay a heavy monetary penalty, but the CEO of that company can also be imprisoned for up to two years. In Japan, while the Cybersecurity posture is high, the current government has decided to infuse approximately US$ 300 million into enhancing its Cybersecurity posture before the Tokyo 2020 Olympics. Therefore, the maturity of different countries in APJ is at different points. But over the last five years, most governments have been updating their Cybersecurity policies and enhancing their posture.

RSA has a big push in the government sector across the world, and specifically in the APJ region, and to augment it further we have invested in a specialist for the APJ region.

DC: While there are governmental laws and legislations to protect customer data and privacy, the implementation is pretty flawed and there is always an escape route. Do you see some of the governments ensuring a stricter implementation?

Nigel: You’re absolutely right. Laws and legislation are just one part of creating a stronger Cybersecurity posture. It’s the enforcement of those laws which makes a difference. Some countries are better at it than others. For example, the data protection law of the Philippines came out three years ago but there was little or no enforcement. It’s only six months ago that the government created an enforcement team consisting of three judges. This team is responsible for enforcing whether the laws are being followed or not. If companies are found guilty, serious penalties are levied on them. Similarly, with the new bill, the Australian government has also come up with heavy penalties for those who are not complying. Serious or repeated interferences with the privacy of an individual attract a maximum penalty of $360,000 for individuals and $1,800,000 for corporates. In Singapore too, these penalties are very strict. Every government has to take this approach and it has to be at the top of their agenda.

DC: How do you see governments across APJ working to build SOCs to mitigate the growing Cybersecurity threats?

Nigel: I personally see two types of models being followed by governments across the APJ region. Some countries are going for a centralized model where they build a central SOC, which gets data from different departments to help the CERTs do the necessary investigations and take corrective action. In some countries, each department has its own SOC. In this case, the larger departments are able to build a state-of-the-art SOC but the smaller departments end up taking a piecemeal approach. Both models have their pros and cons. However, it is good to have a central SOC. If an incident takes place in one department, the others can be alerted and corrective actions can be taken.
