RSA Singapore Conference 2017, the fifth annual Asia event, set the stage for security practitioners, lawmakers, law enforcement, policy makers and others to rethink how they approach security. This goal was clearly stated by RSA President Rohit Ghai in his opening keynote, in which he suggested that practitioners draw parallels from other industries such as healthcare to bring about change, because cybersecurity is on the brink of a precipice and much in need of a revolution.
Ghai's keynote, 'The Precision Advantage', made the case for change and shared one central idea for all practitioners to consider.
The question is: did this idea resonate with the security practitioners in attendance, and are they ready to learn lessons from the healthcare industry to bring in the much-needed change?
Growing Threat Landscape
It was clear to me that practitioners agreed with Ghai that the threat landscape is changing because the bad guys are more persistent, more collaborative and bolder than ever.
"Cybercriminals virtually never get caught - best case, single digit percentage; and they hide in plain sight with impunity," Ghai says.
But the practitioners, speaking anonymously to me, say Ghai only stated the obvious. The industry is aware of the growing number of sophisticated criminals. But what more can we do about them? That is the real question.
"Business-Driven Security" - I keep hearing this refrain at most forums, and RSA has been pushing this concept. As Ghai reiterates: "By moving from conventional security to 'business-driven' security, we can reap the same benefits as healthcare, as it moved from conventional to precision medicine."
Drawing similarities with healthcare, he says cybersecurity can become:
- Preventive: As attack campaigns rise, we can prevent more of them from having business impact;
- Personalized: In a world where we personalize everything from cell phones to shopping lists, we can move from a one-size-fits-all model to a very targeted approach unique to the organizations we serve;
- Participatory: We can have an order of magnitude more engagement and be on the same page as our business stakeholders.
Security practitioners agreed with Ghai, but they also want more definitive answers and a realistic approach. One senior security practitioner from the Cyber Security Agency of Singapore told me: "The concept is not new - most CISOs are experiencing the fact that the rise in attack campaigns impacts business and are engaging with business stakeholders. However, an effective framework to involve the board and enable the business to develop the capacity to use intelligence and understand risk is a must."
Security Evolution: Threat to Risk
Ghai says there is an immediate need to shift from threat management to risk management. The goal is not to create an unhackable world, but a safer one.
"The mission is not to eradicate risk, but to make risk visible, mine for it, prioritize and manage it," he says. "Our job is to allow the business to take command of all risk and figure out what risk is worth taking."
Darshan Chavan, CISO of SBI Mutual Fund, says: "It sounds easy, [but] it's not easy to get the business to take command of all risk or map risks. It's not the priority."
I agree - in most industries, the business is hardly clued in to the security risk management function; often, it is sidelined.
What's the Change? The Precision Advantage
It's fascinating to see Ghai draw parallels from healthcare to cybersecurity; it amounts to a paradigm shift.
He says we should take inspiration from medicine, because the adversary is as relentless, as ubiquitous, as polymorphic and as adaptive as a virus, and the speed of detection and response can mean the difference between disaster and wellbeing, between life and death.
Ghai says security practitioners should observe the benefits of precision medicine, which deeply examines individuals - their genome, biomarkers, family history, environment and lifestyle - and uses that knowledge to develop treatments that precisely meet the individual's requirements.
"Bringing this precision to security is absolutely critical; applying some of those ideas, a must," says Ghai.
Tying together human and machine is critical, he says, offering these tips:
- Engage with the business teams - the C-suite and boards of directors must get smarter about the business context to build a comprehensive risk registry for their vertical. This is like taking one's genomic and family history into account;
- Get closer to other IT teams - work with them to embed security into the infrastructure and make it more resilient, through measures such as encryption and micro-segmentation;
- Give your machine learning and AI systems a head start - feed them with what IT provisioning and systems management tools already know, akin to factoring lifestyle and environmental information into medicine.
The idea is to influence the security fraternity into swiftly changing the way they do things and getting more precise in their approach.
By acting precisely, one can:
- Proactively manage risk;
- Improve the speed of detection and response;
- Move from an always-on defense-in-depth model to one where we dial the inconvenience we impose on people up or down, based on the level of risk.
While a collaborative approach is recommended to ensure good cybersecurity, it is evident that security practitioners need a realistic approach to defining an effective risk framework, one that lets them engage with the board and enable it to understand risk.