monsitj - Fotolia

WannaCry shows validity of risk-based security, says RSA head

WannaCry and other recent cyber attacks underline the importance of adopting a risk-based approach to security, says RSA president

Recent cyber attacks have provided several proofpoints that security is not simply a technology problem, but a business risk issue, according to RSA president Rohit Ghai.

“With WannaCry, for example, the vulnerability was known, so it was an issue with people, process and technology in terms of making sure systems were patched,” he told Computer Weekly.

Ghai said the discipline of risk management is the recipe for mitigating the risk, which is a key part of RSA’s business-driven security strategy that was highlighted at the 2017 RSA Conference in February.

“Business-driven security is about the convergence of security and risk management,” he said, adding that, after four months at the helm of RSA, he is even more committed to this approach.

“Organisations need to take command of all risk – not just cyber risk – and have a framework, process and a set of tools to support those efforts in taking a risk-based approach,” said Ghai.

“As inconvenient as WannaCry was, it has been helpful in educating our customers, as well as learning ourselves in terms of how they are thinking about the convergence of cyber security and risk.”

In this context, Ghai sees the role of RSA as helping organisations to connect all their IT to the risks they face, to help them prioritise where to put their limited resources.

Asked what he brings to RSA, Ghai said that as someone with a business background, he has a “deeper conviction” around the notion of applying a business lens to cyber security.

In the past, security and IT have been viewed as peripheral to business, he said, but business stakeholders are beginning to appreciate the challenges of the other side.

“Both sides want better alignment of the goals, they want to move faster to advance the business agenda of their organisations, and they are being forced to collaborate,” said Ghai.

“The challenge is that they speak different languages and don’t always have all the tools they need to communicate effectively with each other, which is where RSA has a role to play.

“I feel an increasing responsibility to bridge the gap between the business side and the cyber security teams to enable them to talk to each other and collaborate.”

RSA must get smarter

Secondly, Ghai said he believes RSA has to be more in tune with the digital future and get smarter about how the world is changing in terms of new business models, infrastructure and architecture.

This means having to think about security in the context of the internet of things (IoT) and attacks that go after targets such as power grids and factories, not just data.

“We also need to get smarter about changing stakeholder expectations because in the digital future there is likely to be less tolerance for any friction in accessing IT systems and resources,” he said.

Once again there needs to be a risk-based approach, said Ghai. “This means that when I am signing on to access the lunch menu, it should be frictionless compared with accessing financial results in terms of authentication requirements,” he said.

“A risk-based approach means the technology should be intelligent enough, based on business context, to apply the appropriate level of friction to strike the best balance between the convenience that users expect and ensuring security.”

Ghai said these are some of the initiatives he wants to drive at RSA as part of efforts to take a less binary approach that recognises that the world is not black and white.

“There is also a lot of grey, and for that you need technologies to manage risk, using new technologies such as machine learning and artificial intelligence to dial up or dial down friction as required,” he said.

Ghai is also committed to continuing RSA’s cross-industry collaboration. “There are more bad guys than ever before, so the good guys have got to band together,” he said.

Read more about risk-based security

  • UK businesses need to adopt a risk-based approach to cyber security spending to ensure the best ROI and most appropriate data protection, says industry expert Michael Dieroff.
  • Implement a simple process to identify, analyse and prioritise risk without significant investment in time or money, says security industry veteran Peter Wood.
  • A risk-based approach to security allows organisations to focus their efforts on the software and the business functions it supports.

In addition to hosting the RSA Conference in several regions around the world, Ghai said RSA is also an active member of industry initiatives such as the Cyber Threat Alliance and entering agreements with the likes of Nato to collaborate and exchange cyber threat intelligence.

“We are also continually driving what we call community intelligence among our customers,” he said. “A good example of that is our fraud suite, which takes advantage of the network effect because it gets smarter as more companies use it, drawing on threat intelligence from all.”

Taking a broader ecosystem approach to innovation is another of Ghai’s missions, and already RSA is partnering more with other organisations. He gives the example of a big systems integrator contributing its intellectual property to RSA’s Archer governance, risk and compliance (GRC) platform.

“We are looking to create an exchange and a marketplace of innovation around the Archer platform where partners can contribute their IP and solutions,” he said. “It is an ecosystem approach to innovation.”

Ghai is also seeking to evolve RSA’s go-to-market approach. The goal, is to make it “seamless and convenient” for customers to do business with RSA, he said.

“We have a lot of different products and we need specialisation in all of them, but customers should have a unified interface with us, so we are investing in evolving our go-to-market strategy to take a more customer-oriented view and providing a holistic, seamless interface for our customers to interact with us and not let our own organisational structure and the need for specialisation get in the way,” he said.

Also, Ghai is seeking to bolster the role of channel partners in taking RSA products and services to market to reduce the reliance on internal staff in this capacity.

“The third go-to-market change that I want to drive – and it’s still early days – is what I call ‘digital go-to-market’, which refers to customers being able to interact with us through our digital storefronts to experience our technologies, do POCs [proof of concept trials] and have conversations about how products and services can be better utilised or should evolve to meet their needs,” he said.

Cultural shift

Ghai said this represents a cultural shift at RSA to a more proactive way of interacting with customers, with the emphasis on business benefit and value. “From being a classic on-premise organisation, we are moving to being more of a SaaS [software as a service] and digital organisation going forward,” he said.

Shortly before Ghai took the helm at RSA, the company became part of the Dell Technologies Group with Dell’s acquisition of EMC, the previous parent company of RSA.

Asked how RSA is fitting into the Dell Technologies Group, Ghai said it is already working with other companies in the group to incorporate RSA identity management technology for authenticating users into their endpoint products.

“The biggest benefit for RSA is Dell’s strategic relationships with customers, especially in light of the fact that most organisations want to do business with fewer suppliers and they want to have fewer trusted advisers,” he said.

“By virtue of its size, Dell Technologies is on the shortlist for being a trusted adviser for the top companies on the planet, so that is the biggest benefit we get in terms of having access to the C-suite of those companies.”

Similarly, organisations are able to tap into the security expertise of RSA and its sister organisation DellSecureWorks, through a single relationship with Dell Technologies.

The EU’s GDPR (General Data Protection Regulation) is one of the hot topics in the UK at present, said Ghai, as organisations decide what to prioritise between now and the deadline for compliance of 25 May 2018.

“GDPR is essentially about data-handling processes and identity assurance in terms of who has access to data,” he said.

Role in GDPR

Asked about RSA’s role in this regard, Ghai said that first, RSA’s Archer GRC portfolio will be able to operationalise and orchestrate GDPR-related processes to instil the discipline required to ensure the right-handling of data for compliance.

Second, he said RSA’s identity and access management (IAM) portfolio can ensure that the right people have access to the right data.

Third, Ghai said RSA’s NetWitness technology can help organisations gain complete visibility of their data, including data in cloud environments.

“Organisations need the ability to shine a light on all data-related activities and the ability to do forensics if a data breach incident does occur,” he said.

Jonathan Gill, vice-president for Europe, the Middle East and Africa at RSA, said GDPR is a classic application of business-driven security, which is about making the right decision in the context of the business and the finite resources available.

“Our unique combination of technology enables organisations to respond to a threat, regulatory change or business opportunity by turning the lights on to make the right choices and accept the appropriate amount of risk for a particular business,” he said.

“This is what business-driven security does, and GDPR is a good use case of that – as is every threat and vulnerability – by bringing it back to the root cause of the problem, which is balancing the threats, opportunities and resources.”

Read more on Hackers and cybercrime prevention

Data Center
Data Management