Rohit Ghai, President at RSA Security, makes the case for moving away from prevention cybersecurity towards precision cybersecurity.
In his keynote presentation at RSA Conference 2017 Asia Pacific and Japan in Singapore on July 26, Rohit Ghai, President at RSA Security, made the case for moving away from prevention cybersecurity towards precision cybersecurity.
“The current threat landscape is unprecedented,” said Ghai, “the bad guys are more persistent, collaborative and bolder than ever before. They rarely get caught and they hide in plain sight with impunity.”
The attack surface is exponentially larger than ever before, he continued, siting “critical infrastructure and the internet of everything” as examples. “Software continues to swallow the world. Companies that have no history of writing code are suddenly writing trillions lines of code”, he said with concern.
Ghai claimed that the destiny of the cyber-defender is defined by the cyber-attacker and forever doomed to be one step behind. “For decades, we have bemoaned the attacker’s advantage. Now, it’s time to figure out our sustainable advantage.” The sustainable advantage, he argued, “is our knowledge of our business contacts.”
Ghai argued that paying attention to the psychology of defense, not just the technology of defense, will give cybersecurity professionals an advantage.
His advice for adopting precision cybersecurity was as follows:
- Make risk visible and manage it. Figure out what risk is worth taking, and educate your board about this.
- Work together with other cyber-defenders, both humans and machines.
- Remember that one size does not fit all in cybersecurity.
- Engage business teams to build a comprehensive risk register for both the vertical industry and the specific business.
- Use your security posture to protect what matters most.
- Work closer with IT teams to build security into the structure to make it more resilient.
- Adopt a risk dial for convenience based on risk.
- Use language that people can understand. Quantify metrics to show how bad things are and show whether they’re getting better or worse.
- Learn how to communicate with clarity to the board and the business. Boards want to know the impact of an attack, not the methodology.