RSA president calls for business-driven security

A business-centric rather than one-size-fits-all approach to cyber security will help organisations mitigate cyber attacks that have become bolder than ever

With cyber threat actors getting bolder than ever and hiding in plain sight with impunity, organisations should harness the one advantage they have over their adversaries – the deep insights they have about their business.

“The one and only asymmetric advantage that we have is knowledge of our business context – and that is the central idea behind business-driven security,” said Rohit Ghai, president of RSA Security.

Speaking at the RSA Conference Asia Pacific and Japan, held at the Sands Convention and Exhibition Centre in Singapore today, Ghai said a business-driven approach to security could help organisations “prioritise ruthlessly” and focus on what matters.

Likening this approach to how modern medicine is looking to improve people’s overall wellbeing rather than just treating illnesses, Ghai said the cyber security fraternity needed to shift its focus from threat management to risk management.

“The goal is not to create an unhackable world, but a safer world,” he said. “The mission is not to eradicate risks, but to make risks visible. Our job is to allow our business stakeholders to take command of all risks and figure out which risks are worth taking.”

Giving Singapore as an example, Ghai said the city-state – which recently topped a United Nations cyber security index – had implemented a risk-based cyber security strategy and defined its cyber security goals more holistically and precisely than others.

Indeed, precision is key in a business-driven security strategy, said Ghai, noting that like precision medicine, which examines a patient’s biomarkers, genetic makeup, family health history and lifestyle to prevent disease, precision in cyber security requires organisations to focus on their operating environment.

“A bank transitioning into the future and a pharmaceutical company that is in the advanced stages of a clinical trial are vastly different,” he said. “Their attack surface and attack vectors are different, so why do we persist with a one-size-fits-all approach in cyber security?”

Instead, Ghai called for cyber security professionals to engage business teams to mine for business context and build a comprehensive risk register for their business and industry. “Use that to inform your security posture and protect what matters most – this is like taking your genome and family history into account,” he said.

Cyber security and IT teams should also work more closely together to make IT infrastructure more resilient to cyber attacks through measures such as encryption and micro-segmentation, said Ghai. Organisations should also feed machine learning algorithms with information about their IT infrastructure that is already being captured by systems management tools, he added.

“By acting precisely, we can proactively manage risks, improve the speed of detection and response, and move to a model where we can dial up or dial down the level of friction and inconvenience based on risk,” he said.

For a business-driven security strategy to succeed, cyber security professionals should also engage with company boards by using well-understood business language and not technical jargon, said Ghai.

“Boards of directors do not care whether an attack uses cross-site scripting or SQL injection – they want to know the impact on reputation, customers and the bottom line,” he said. “You need to build better metrics and KPIs [key performance indicators] so you can say whether things are getting better or worse.”