Compared to managing security within a perimeter a decade or so ago, the CISO’s office today faces the daunting task of managing the “digital risk” of an extended enterprise which has no perimeter at all. Having a myopic approach to security and solely depending on technology to safeguard data and business crown jewels is a defunct approach.
Rohit Ghai, President RSA (A Dell Technologies business) spoke to Rahul Neel Mani, Editor of DynamicCISO.com at the ongoing RSA APJ Conference in Singapore on a wide variety of issues.
Key Highlights:
Industry’s objective should be to make the digital world safer
Cybersecurity is a battle of ingenuity
Industry shall follow simple principles of “cyber-hygiene” and “security by design”
Vendors shall stop selling security on behest of fear; they shall sell on behest of business value
It’s time to look at a ‘risk-centric’ and ‘data-centric’ view of business to mitigate digital risk
Security is a team sport; they need to play it with stakeholders.
The risk and security offices need to team together in managing the digital risk
CISOs today are smothered with love. They need to learn the art of being an effective communicator
Below is a compilation of excerpts from the conversation:
DCISO: In spite of daily disclosures on massive data breaches, and lethal discoveries, the optimism of the industry is intact. What reason will you attribute to this optimism?
Rohit Ghai: Industry’s optimism stems from its enormous efforts that go into normalising the impact of incidents that take place. If we take the attack surface as a denominator and rationalise the number of breaches versus their impact on business, we have made immense progress. But that doesn’t mean we should rest on our laurels. While we’ve made progress, the fight is getting harder. The objective is not to eye for an unhackable world, but to make the digital world safer. That’s how the optimism of the industry should be measured.
DCISO: So, you are, in a way, saying that the technology breakthroughs will help prevent the unforeseeable attacks, and breaches?
RG: Handling cybersecurity or digital security requires a different approach than just depending on technology alone. While we all know it’s a combination of People, Process and Technology, it’s also a battle of ingenuity.
Who’s smarter – the attacker, or the defender?
Technology is no more a preserve of good guys. The bad guys also have access to the most sophisticated tech. If we are resorting to the technology to seek a balance, that’s wishful thinking. But the defenders do have an asymmetric advantage – advantage of understanding their business context. We know our business better than the attackers. At every moment in time, we should know what’s most important to protect and security posture should be accordingly made adaptable and dynamic. It takes a lot of time and broadening of surface for bad guys to penetrate into an organisation. Industry, and practitioners should use this advantage in their favour.
DCISO: World Economic Forum 2018 has, for the first time, put “cyber” as one of the top 5 risks in terms of likelihood. Researchers also say that by 2021, there will be at least one “zero-day” attack every day. This seems unstoppable. How do you, as RSA, prepare the organisations with solid, credible defense?
RG: Everything that we do in the cyber space starts with “resilience”. To reduce the attack surface, we need to focus on two things:
- Anything being build new, should have security by design.
- The industry shall look at “cyber hygiene.”
This is basic fleet learning. Let’s not be so foolish to fall prey at least to the known vulnerabilities. Let the business not be impacted by exploits for which we already have a solutions/patches. That’s why I advocate to implement cyber resiliency to reduce the attack surface. Once the basics are covered, one needs to have an adaptive “Security Operations” that enable us to race with the bad guys and curtail their dwell time with a faster “detection and response”. Here is when application of machine learning and AI comes to play – to enable faster intelligence and response. Finally, there’s a need for an integrated “risk management solution” to translate cyber risk into business risk – protecting the crown jewels.
DCISO: While the attack surface may be growing, the fact remains that most exploits take place on vulnerabilities already known. How do companies fall prey to such vulnerabilities?
RG: I want to be very direct and frank here. The reality is that cybersecurity industry has glamourized things that create sensation. The answers to most problems lie in the basic “cyber hygiene.” Take into account the breaches that have occurred in past and you will realize that mostly vulnerabilities that were exploited there was already a solution/patch available. It’s a head scratcher. The industry has successfully sold at the behest of fear. We have to change that thinking and sell at the behest of business value. That’s the transition industry needs to go through. Customers today want to do business with fewer, trusted vendors who aren’t trying to scare them but are trying to advise them on how to manage digital risk.
DCSIO: You think vendors, who sell on behest of fear, are really able to make the cut?
RG: The reason for this is that we have, for decades, gotten away without having an explicit ROI scrutiny. The excuse that it’s impossible to get a return on cybersecurity investment, has been there for quite long. Most of the time nothing bad happens. And that’s the value technology providers exploit in their favour. How would anyone be able to prove whether its due to technology deployment or otherwise that a breach hasn’t occurred? Also, detecting a breach isn’t a definite scenario even today. Anyone can be lulled with a false sense of security while bad guys might be dwelling into the network waiting for the right opportunity to strike. Industry did get away without demonstrating value or quantifying risk. But as the times change, the focus will be on quantification of risk and demonstrating business value of security investment.
DCISO: At times, it’s perplexing to hear various types of risks – cyber, business, financial, business, people. Whose responsibility is “Risk”, whichever type it may be?
RG: A matured organisation will have a chief risk officer (CRO), who reports outside of IT and in some cases directly to the CEO/board. That’s an ideal hierarchy, an ideal scenario.
The boards today ask CEOs to drive digital transformation but at the same time they look at the Risk Officer and CISO to manage the digital risk. They look for a balance between moving forward with digital transformation but are also equally keen on having a paraphernalia which recognises and manages risks. Today, the risk and security offices need to team together in managing the digital risk.
DSCIO: As we embrace the new era of Industry2.0, and adopt both connected and autonomous environments, it will certainly broaden the attack surface. How can a CISO, in his/her limited capacity, cope up with this? Will technology come to their rescue?
RG: The recipe lies in taking a ‘risk-centric’ and a ‘data-centric’ view. The only asset and value across the enterprise systems is “data.” Therefore, our orientation needs to change. We need to protect the data and applications that render business processes. In order to do that, one also needs to prioritise. Not all data, and applications are on same level of criticality. They need to be prioritised basis their business value.
DCISO: How would one know what are their “Crown Jewels”?
RG: RSA Security offers a “digital maturity framework” to its customers. It has capability to ascertain both business asset and business process information and thus assign them the business priority. It helps orgs in computing a “weighted risk score” based on the understanding of business context.
Furthermore, there are two parts of this problem:
- Quantification of cyber risks?
- Translating it all into a language that boards and business stakeholders can understand
For this, RSA offers a solution called “cyber risk quantification”, which translates the weighted risk score and cyber risk quantification into financial terms.
It’s a combination of methodology and technology that we bring together for users that are keen to classify the data and adopt a risk-based approach to protect it.
DCISO: It’s the last line of defense where many CISOs surrender or feel helpless. Whether its endpoint, detection of an incident and the response, or similar situations. What’s the remedy here to have a saner approach to cybersecurity?
RG: The first thing a CISO needs to do is to talk to his peers in business. He shall partner with the risk officer and other key stakeholders. Security is a “team sport.” CISO feels helpless because they go at it alone. If they talk to IT to build a more resilient infra, and talk to business stakeholders to understand how to prioritise limited resources and bandwidth, they’d be more optimistic and capable in dealing with digital risk.
DCISO: Is CISO accorded that much importance in today’s context?
RG: Today the CISO is getting smothered with love. Everybody is asking for a CISO. The board of directors invite the CISOs to know what are they doing to secure the company from digital risks. While the business owners build the digital capabilities, they are also directed by the boards to talk to the CISO so that the latter is successful in guarding the data assets. The CISOs have the attention and the love today. Only thing they need to learn is how to communicate well and effectively with the stakeholders and ask for help in the right way.
DCISO: This question stems from your comment “CISOs need to learn how to communicate.” Most of them are good at tech but not-so-good at communication. Question is who should be a CISO? A communicator with some technology knowhow or otherwise?
RG: An ideal CISO need to have both technical and business capabilities. There are two scenarios:
Is it better to have someone from a business background who can learn technology?
Or is it good to have someone from a technical background who can catch up with business acumen?
Most of the CISOs have grown as practitioners and technology has been their key strength. I believe that’s still a good bet. They have been battle-hardened. They know what works and what doesn’t. In my opinion, it’s a better model to have a technical person enhance his business capability. They will have the duality of “battle-hardened” experience set, substantiated with business-capabilities to communicate well. It will be too hard for a “business-oriented” person to have a sense of risk required to run the cybersecurity operations.
DCISO: Quickly, what should security practitioners expect from RSA Security in next one year?
RG: In next one year, we intend to enhance our vision to bridge the gap between the security and risk office and deliver business-driven security solutions that allow collaboration between risk and security offices. This will strengthen both of them to work towards reducing the attack surface and contain the digital risk.