#RSAC: Make Security a Business and a Technical Issue

Security is both a business and a technical issue, especially as businesses become more digital and have technical controls embedded into software.

Speaking at the Cloud Security Alliance (CSA) summit at the RSA Conference in San Francisco, Phil Venables, board director and a senior advisor for risk and cybersecurity at Goldman Sachs Bank, said that to treat cybersecurity as just a business issue is important, but “to say it is not also a technology issue is a disservice” to those digital businesses.

Venables said there are three ways that cyber can be a business risk:

Enterprise Integration — Make this part of the fabric of business decision making.

  • Embed risk considerations into the enterprise governance apparatus.
  • Conduct risk assessments and establish a risk appetite.
  • Relentlessly integrate risk considerations into all business processes: strategic, capital, people, product.


Technology Integration — Make this a core part of how technology is built and operated, and secure products, not just security products.

  • Recognize that basic and relentless controls, hygiene/operational discipline are essential.
  • Embed automation/iterative improvement into the heart of tech delivery. Continuously monitor control effectiveness, presence, and operation.
  • Strive for ambient controls—in preference to expecting employees/customers to be a significant line of defense

Venables recommended embedding security into your processes, using standards like those created by the CSA, and creating an environment of products that “are not jammed in after the fact.” He said: “Think about embedding control across the life cycle.”

Resilience and Recovery — Plan for failure and constantly exercise and drill.

  • Detect early, respond decisively, formalize accountability, and test constantly.
  • Limit the blast radius of potential events through business and technology process adjustment.
  • Integrate cybersecurity incident response with operational resilience.

Venables said there should be a consideration of how to maximize your response efforts. “Treating security as a first-class risk is about doing the simple things that have to be exercised relentlessly over many years,” he said, saying that security is “not a project that finishes anytime soon” but is a perpetual part of the business DNA.

Looking forward, Venables said there are five areas of focus:

  1. Software security and reliability
  2. Usable security and ambient control
  3. Continuous assurance—continuous monitoring—provable security
  4. Operational resilience
  5. Adjacent benefits


He concluded by saying that as many organizations and customers become accidental software developers, we “need to make sure security is baked in.” He said that as users are enabled with tools and controls to increase software reliability, the user experience has to be considered, as it is a part of the supply chain.

What’s Hot on Infosecurity Magazine?