Business-driven security: Putting intent back into execution

RSA’s newly minted president, Rohit Ghai kicked off the annual conference’s APJ leg in Singapore with the idea that cybersecurity should change their approach towards cyber threats.

The landscape is becoming more treacherous by the day with ever more attacks in every form, every second of every day. “The attack surface is now exponentially larger; it’s not just IT, it’s also operational technologies, and data and critical infrastructures and the Internet of Everything,” said Rohit during his opening keynote at RSA APJ at Marina Bay Sands this afternoon.

He further described, “We now have the ‘joy’ of worrying over our refrigerators doing things it should not, ” and he rightly pointed out that over the next decade, trillions of code would be from industries that have contributed none in the past decade – consumer electronics and even other sectors like healthcare, insurance, finance and many more, are scrambling to plug themselves into the World Wide Web and participate in the Internet of Things, so that they will be able to offer convenience and sticky experiences to their users.

What is going to happen when all these multitudes of applications, start to come online?

Rohit Ghai addresses RSA APJ attendees

After a bracing round of statistics about threats and attacks that would and should scare the living day lights out of businesses, Rohit introduced RSA’s (maybe) new notion about Precision security that would be driven by the business-side of an organisation.

The onus has to shift towards the business

But is the business up to the challenge of driving their organisation’s security posture?

Management boards and C-suites tend to view cybersecurity as a compliance requirement, a list of to-do’s to tick off and not much more.

At the sidelines of the conference, IDC’s APAC VP of its Security Practice, Simon Piff, had explained cybersecurity spending in organisations do not tend to increase much. “You know the cost of a breach, but not the ROI of a cybersecurity investment.”

Hence, RSA’s proposal of a prescriptive type of ‘Precision Security’ that would work by prioritising already limited resources.

How?

Apparently by leveraging cybersecurity’s advantage which is each business’ knowledge of their own unique business context. Different context like timing of product releases, security awareness level of employee base and so on, should factor into a business’ security strategy.

“Business-driven security can help you prioritise ruthlessly and focus on precisely what matters,” said Rohit. This inevitably means taking command of all risks to the business and figuring out what risk is worth taking; dialing up or down, the level of friction and convenience based on that.

Translating cyber risk to business risk

For this to happen, business needs to play a bigger role, and the boundaries between different IT teams need to break down.

Some examples that Rohit gave were for security teams to engage with the business team and build a comprehensive risk register, as well as to get close to other IT teams (network, storage, servers etc.) and work on tighter integrations with them so as to build a resilient infrastructure, for example by implementing encryption or micro-segmentation.

RSA believes that identity is the most consequential threat vector. Rohit said, “Interaction between people and technology, is the highest point of vulnerability.  And a consequential trend is the convergence of cybersecurity (cyber risk) and risk management (business risk). The intersection of that is an opportunity called business-driven security.”

He also thought that the story about risk management has been playing out in the industry for a while.

Since time immemorial, business and IT have had difficulty understanding each other.  This has led to a gap in communications and IT project executions that lack intent and desired business outcomes. Decision makers and boards of directors are only concerned with a cyber breach’s impact upon business reputation, customers and the bottom line, and IT which usually speak a different language have not much success communicating the criticality of a bigger cybersescurity budget.

Interestingly, the attendance level of C-suites and management level execs to RSA conferences is very high, but Rohit was open that this segment’s engagement with and adoption of risk management solutions is only at 10-percent.

(Thus journalistvis a guest of RSA’s to RSA APJ Conference in Singapore)