CBR spoke to RSA CSO, Niloofar Razi Howe, and CTO Zulfikar Ramzan about how organisations should be approaching cybersecurity at this point in time.
The profile of cyber attacks is growing rapidly across the globe in light of major attacks such as the WannaCry ransomware. While awareness is increasing, however, businesses must prioritise risks if they are to be able to defend themselves at all.
According to RSA CTO Zulfikar Ramzan, some organisations approach cybersecurity with the mindset of plugging every gap, sealing every crack and pursuing every anomaly; in reality this could prove fatal. Mr Ramzan gave CBR an analogy to explain how he believes the world must approach cyber security.
“There is actually a perfect example in the medical realm. If you think about when you go see a doctor, you don’t go and see a doctor for every symptom we have. If we did we would literally be seeing a doctor constantly, getting labs run all the time, many of which would lead us to false conclusions. We really focus on the things that can kill us, heart disease, cancer, all the major issues, and maybe routinely test for those.”
The anxiety caused by such a form of cyber hypochondria would be crippling in a business setting, and could result in a great deal of misplaced capital, eventually making the situation more convoluted. This outlook supports the RSA mission of business-driven security, which views security from a perspective of risk.
Gone are the days of an impenetrable shell surrounding an organisation, and business leaders must realise that, as with the human body, infections will get in; it is cardiac arrest we must worry about.
Mr Ramzan said: “We have taken a risk based view of medicine, I think we are in a situation now where we have to take a similar risk based view of cyber security because ultimately we can’t protect every digital asset we have, we can’t respond to every single threat that occurs, simply because it is going to be too much, so we have to be very careful of what we prioritise.”
Also speaking with CBR was RSA CSO Niloofar Razi Howe, who supported the view held by Ramzan, arguing that although awareness is much more widespread, organisations also need the capability to correctly identify threats.
“I think awareness is definitely a piece of it, and there is no question that today everybody hears about cybersecurity and understands that it is an existential risk, in all aspects of our lives. The question of how you secure yourself in that sort of environment really matters, and knowing that you can’t protect everything. If you try to protect everything, you protect nothing.”
Protecting an organisation is not as simple as knowing what poses a significant cyber risk and what does not, as a host of vendors have entered the space, all offering options for achieving security within the complex threat landscape.
Mrs Howe detailed the extent of this problem facing organisations in need of protection. She said:
“My good friends in the venture capital industry have made our market really interesting, in the sense that now we have 1500 companies and there is no other market that looks like us. We have 30 plus market segments, and every time something new comes up you have a game of clones where 10, 15, 20, 30, 70 competitors get funded. We live in a world where you have a lot of features that are pretending to be products that are pretending to be companies.”
“Over time that is going to shake itself out, because customers need solutions, they need platform solutions, so, that’s one piece of it. The second piece of it is that security is actually really hard, and doing it right is very difficult, and proving that you are actually making a difference.”
Identifying another factor that is fuelling the cybersecurity fire, Howe brought passwords and identity into the spotlight. She noted that while threats are increasing, we are at the same time demanding limitless connectivity, which further strains our already weak password practices.
“We code wrong, we patch wrong, we configure systems incorrectly, our passwords are terrible, and sometimes we use the same passwords for our email that we use for our most critical applications, and we are today demanding to be able to access any application, from any device, at any time, from anywhere in the world, and that is a very difficult environment to secure,” said Howe.
The picture painted by Howe is one of cyber security chaos: we are adding to the problem with a lack of precision and consistency, including being lax with passwords and coding. Our own failures are not solely to blame, however; from her experience in venture capital, there are also too many vendors flooding the space.
The viewpoints of Mr Ramzan and Mrs Howe point to a general re-evaluation of how organisations approach security: we must be more accurate in our assessment of threats, and ultimately approach the problem from a business risk standpoint.