With cyber threat actors getting bolder than ever and hiding in plain sight with impunity, organisations should harness the one advantage they have over their adversaries – the deep insights they have about their business.
“The one and only asymmetric advantage that we have is knowledge of our business context – and that is the central idea behind business-driven security,” said Rohit Ghai, president of RSA Security.
Speaking at the RSA Conference Asia Pacific and Japan, held at the Sands Convention and Exhibition Centre in Singapore today, Ghai said a business-driven approach to security could help organisations “prioritise ruthlessly” and focus on what matters.
Likening this approach to how modern medicine is looking to improve people’s overall wellbeing rather than just treating illnesses, Ghai said the cyber security fraternity needed to shift its focus from threat management to risk management.
“The goal is not to create an unhackable world, but a safer world,” he said. “The mission is not to eradicate risks, but to make risks visible. Our job is to allow our business stakeholders to take command of all risks and figure out which risks are worth taking.”
Giving Singapore as an example, Ghai said the city-state – which recently topped a United Nations cyber security index – had implemented a risk-based cyber security strategy and defined its cyber security goals more holistically and precisely than others.
Indeed, precision is key in a business-driven security strategy, said Ghai. Just as precision medicine examines a patient’s biomarkers, genetic makeup, family health history and lifestyle to prevent disease, precision in cyber security requires organisations to focus on their own operating environment.
“A bank transitioning into the future and a pharmaceutical company that is in the advanced stages of a clinical trial are vastly different,” he said. “Their attack surface and attack vectors are different, so why do we persist with a one-size-fits-all approach in cyber security?”
Instead, Ghai called for cyber security professionals to engage business teams to mine for business context and build a comprehensive risk register for their business and industry. “Use that to inform your security posture and protect what matters most – this is like taking your genome and family history into account,” he said.
Cyber security and IT teams should also work more closely together to make IT infrastructure more resilient to cyber attacks through measures such as encryption and micro-segmentation, said Ghai. Organisations should also feed machine learning algorithms with information about their IT infrastructure that is already being captured by systems management tools, he added.
“By acting precisely, we can proactively manage risks, improve the speed of detection and response, and move to a model where we can dial up or dial down the level of friction and inconvenience based on risk,” he said.
For a business-driven security strategy to succeed, cyber security professionals should also engage with company boards by using well-understood business language and not technical jargon, said Ghai.
“Boards of directors do not care whether an attack uses cross-site scripting or SQL injection – they want to know the impact on reputation, customers and the bottom line,” he said. “You need to build better metrics and KPIs [key performance indicators] so you can say whether things are getting better or worse.”