RSAC17: Infosec pros must help create business-driven security, says RSA CTO
The inability to draw connections between security details and business metrics is one of the biggest challenges facing most companies, according to RSA CTO Zulfikar Ramzan
Information security (infosec) professionals must draw connections between security details and business objectives, said Zulfikar Ramzan, chief technology officer at RSA.
“I call this concept business-driven security,” he told the opening session of the 2017 RSA Conference in San Francisco.
Using the analogy of a pebble creating ripples that have far-reaching effects, he said each information security professional has important ripples to create.
“You can be the business-driven security leaders your organisations need in a time when chaos constantly up-ends expectations and redraws boundaries,” he said.
“In chaos theory, the well-known butterfly effect tells us that small, localised changes can have dramatic downstream impacts in complex, inter-connected systems.”
Ramzan said it is unknown if the cyber attacks on the Democratic National Committee (DNC) changed the course of the US presidential election, but it definitely changed the discourse that followed.
Those attacks, he said, became mainstream, front page news and initiated a ripple that ultimately rocked the foundations of US democracy.
“It demonstrates that our problem is not limited to the initial cyber attacks we face, but the long tail of chaos they create.”
Ramzan said innovation invites exploitation, and he reminded the audience of infosec professionals that, in reality, they are fighting human ingenuity, which he said was “a powerful thing”.
But the challenge is that business must embrace innovation to succeed in today’s digital world. “As security professionals, your job is to navigate the resulting chaos,” he said.
However, Ramzan said he believed success lies in embracing a business-led security strategy because security is not just a technology problem.
“Security is a business problem and the inability to draw connections between security details and business metrics is what I call ‘the gap of grief’,” he said.
Ramzan said corporate executives do not care if an incident involved SQL injection or cross-site scripting, but would like to know the business implications.
“Defending an enterprise is truly a joint venture between business and security,” he said, challenging each security professional to create a ripple to help build a business-driven cyber security strategy.
‘Tame chaos’ to reduce risk
According to Ramzan, this can be achieved using three approaches. First, he said, treat risk as a science and not a dark art.
“Use scenario analysis. Think things through all the way to the end. Then go back to the beginning and ask yourself, ‘what if?’. Every organisation should be using a consistent and rigorous methodology to reason about their risks,” he said.
Second, Ramzan recommended that organisations simplify what they control, citing an example of an organisation that has 84 security suppliers.
“How do you manage that many suppliers? How do you justify to your board and your executive suite the return on investment from each of these suppliers?
“You can’t. Consolidate your suppliers. Don’t adopt a ‘no supplier left behind policy’, instead double down on suppliers who work well and ditch the rest,” he said.
Ramzan said it is important not to draw lines between security exclusion, security inclusion and business risk management, but draw connections instead.
“When these technologies draw on business context from each other, they can priortise the incidents that ultimately matter the most,” he said.
According to Ramzan, organisations can “tame chaos” by consolidating and integrating security suppliers.
Read more about digital transformation
- The security elements of business IT, the internet of things and operational technology are now all deeply interconnected, claims Martin Kuppinger
- Digital transformation is not easy and requires not just the right technology, but also the right investment, people and engagement.
- The digital business transformation is steadily making its way to manufacturing, but an expert panel advises that strong leadership is needed to reach full potential.
- We’re headed towards systems of systems, meaning we will need a secure and trusted ecosystem from the sensor to the user, says security firm Exceet.
Third, he said organisations should plan for the chaos they cannot control by having an incident response plan that ensures availability of necessary resources, flexible budget and collaboration across all relevant parts of the organisation.
“Only use available resources, because an incident response plan is not a wish list. It sounds obvious, and yet it is a common mistake. Don’t put empty fire extinguishers in every hallway.
“A response plan needs budget because there will be unexpected costs. In fact, an incident response plan without budget authority is a fairy tale.
“IT, finance, legal, marketing and other departments all play critical roles during an incident and they must work together,” he said.
Although these approaches are aimed at “taming” chaos, Ramzan said, at the same time, chaos has the ability to “create amazing moments of truth” and to force progress, which can be “painful”.
Ramzan said it is important for infosec professionals to “walk through fear, embrace uncertainty and make difficult decisions” because human nature propels us to find order in chaos.
“In the depths of chaos are amazing opportunities to adapt, learn and grow, but to find them you can’t just look within. Instead, we must turn to each other for clarity, advice and inspiration.
“That is why this conference was created: to foster connections that strengthen our abilities to tackle the complex cyber security challenges on the horizon,” he said.
Creating ripples
Ramzan challenged infosec professionals to ask themselves some difficult questions: whether they believe in making the world safer, in collaboration across sectors or in the power of diversity.
“Can we address the complex cyber security challenges on the horizon and the massive staffing crunch that faces our industry and plagues it, if we continue to alienate more than half the population across gender, race and culture? No,” he said.
“This year, we held our inaugural cyber security and diversity session at the RSA Conference, and I am asking you to join that conversation,” he added.
Ramzan also challenged his audience to lead by example to inspire future generations. “mentorship can create perpetual ripples,” he said, citing the mentorship he received as a PhD student from RSA co-founder Ronald Rivest as an example.
“After co-inventing the RSA algorithm 40 years ago, Ron Rivest kept mentoring, kept innovating and he kept teaching,” said Ramzan.
He thanked Rivest for giving him the opportunity to “create ripples” and reiterated his challenge to his audience, asking them to think about what ripples each of them could create.
Dell says security is a ‘top business issue’
Ramzan was then joined on stage by Michael Dell, founder and CEO of Dell Technologies, which acquired EMC and its security division RSA in September 2016.
At the time of the acquisition, RSA said it would retain its autonomy, although it expected to benefit from being part of the world’s largest privately controlled technology company.
Michael Dell said security is a top issue facing businesses. “When I talk to CEOs and boards, security is an issue of high concern. They are concerned about the complexity of their security posture and how they can manage the business risks,” he said.
Asked how he sees IT changing and how that affects information security, Michael Dell said IT is becoming “business technology”. At the same time, he added, the cost of making something “intelligent” is approaching zero and the number of connected nodes is exploding to hundreds of billions.
“The amount of data created around that – and this digital transformation with all the computer science overlaid on top of that data with artificial intelligence, deep learning and machine learning – present a tremendous opportunity, but at the same time it has to be done securely,” he said.
Despite the security concerns, Michael Dell said there is also a fair bit of optimism among business leaders for 2017.
“In the annual World Economic Forum poll, for the first time, the global economy was not one of the top five concerns. So there is some good news there for customers and our industry.
“There is a real thirst for digital transformation and investment is following and that presents the opportunity to change all sectors of society tremendously. But it has to be done securely and we feel like we are enabling this next wave of human progress,” he said.
