RSA 2017: The Case for Business-Driven Security

January 18, 2019  Nicola (Nick) Sanna

Three things struck me most at this year's RSA Conference:

  1. It keeps growing: 45,000 people attended this year;
  2. The call for business-driven security;
  3. The continued proliferation of specialized security offerings. 

Of all three, the case for business-driven security made by Dr. Zulfikar Ramzan, CTO at RSA Security, during the opening keynote was certainly the highlight of the conference for me.

The need for business-driven security

To explain the need for business-driven security, Ramzan spoke about the long tail of chaos, and the consequences that come with it, that can follow a cyber security event. As an example, he pointed to the aftermath of the 2016 US presidential election: “Consider the cyberattack on the Democratic National Committee. Did it change the course of the US presidential election? Who knows? But it definitely changed the discourse of what followed. It was mainstream front-page news and rocked the foundations of democracy. It demonstrates that our problem isn’t limited to initial cyber-attacks. Our problem is the long tail of chaos they create.”

The same long tail affects organizations that have digitalized their core business processes over the past two decades: that innovation also widened the attack surface available to a growing number of threat actors. It is also the opening for a new type of leader to emerge, the "business-driven security leader", who can tame the chaos and sit at the same table as their business counterparts to define the security and business-enabling strategies that are right for the organization.

Ramzan offered three very actionable pieces of advice for taming the chaos:

  1. Treat cyber risk as a science, not a dark art. "Use scenario analysis. Think things through all the way to the end. Then come back to the beginning and ask yourself 'what if?'. While predicting the future is hard, formal risk models like FAIR and bow-tie can help tremendously." He continued: "Every organization should be using a consistent and rigorous methodology to reason about their risk."
  2. Simplify what you control. “I talked to a CISO who has 84 different security vendors. How do you manage that many vendors? How do you justify to your board and executive suite the ROI from each of these vendors? Consolidate your vendors. Double down on vendors who work well. Ditch everyone else.”
  3. Plan for the chaos you can’t control. “Incident response must have availability, budget and collaboration. Availability: only leverage available resources. Incident response isn’t a wish list. Budget: there will be unexpected costs, so get the budget authority. Without it, incident response is a fairytale. Collaboration: collaborate with finance, legal, sales, communications. A security crisis is not the time for introductions.”
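
The first two points can be made concrete with a small FAIR-style Monte Carlo. What follows is an added example, not code from RiskLens or from the keynote, and everything in it is constructed for illustration: the scenario (credential stuffing against a customer portal), the calibrated ranges, and the hypothetical control (MFA) and its $150k annual cost. It samples Threat Event Frequency, Vulnerability and Loss Magnitude from BetaPERT ranges, builds an annualised loss distribution for the scenario, then re-runs the same scenario with the control in place so the control's value can be stated in dollars, which is the figure the ROI question in point two is asking for.

```python
"""FAIR-style Monte Carlo scenario analysis (added example, not RiskLens code).

Every range below is a constructed illustration, not a real estimate.
"""
import math
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Pert:
    """A calibrated estimate: minimum, most likely and maximum value,
    sampled as BetaPERT (lambda = 4), the shape commonly used for
    expert-elicited ranges in FAIR analyses."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        span = self.high - self.low
        if span <= 0:
            return self.low
        alpha = 1 + 4 * (self.mode - self.low) / span
        beta = 1 + 4 * (self.high - self.mode) / span
        return self.low + span * rng.betavariate(alpha, beta)

    def mean(self) -> float:
        """Closed-form BetaPERT mean, useful as a sanity check on the simulation."""
        return (self.low + 4 * self.mode + self.high) / 6


@dataclass(frozen=True)
class Scenario:
    """One FAIR loss scenario.

    tef:  Threat Event Frequency, attempts per year.
    vuln: Vulnerability, probability that an attempt becomes a loss event.
    loss: Loss Magnitude per loss event (primary plus secondary), in dollars.
    """
    name: str
    tef: Pert
    vuln: Pert
    loss: Pert


def poisson(lam: float, rng: random.Random) -> int:
    """Knuth's Poisson draw; adequate for the single-digit rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate(scenario: Scenario, iterations: int = 10_000, seed: int = 1) -> list:
    """Return one simulated annual loss in dollars per iteration.

    Each iteration is a possible year: sample Loss Event Frequency
    (TEF x Vulnerability), draw how many loss events occur, and sum an
    independently sampled Loss Magnitude for each event.
    """
    rng = random.Random(seed)
    years = []
    for _ in range(iterations):
        lef = scenario.tef.sample(rng) * scenario.vuln.sample(rng)
        events = poisson(lef, rng)
        years.append(sum(scenario.loss.sample(rng) for _ in range(events)))
    return years


def summarize(losses) -> dict:
    """Mean and tail percentiles of the annual loss distribution."""
    s = sorted(losses)

    def pick(q):
        return s[min(len(s) - 1, int(q * len(s)))]

    return {"mean": statistics.fmean(s), "p50": pick(0.5),
            "p90": pick(0.9), "p95": pick(0.95), "max": s[-1]}


def control_value(baseline, controlled, annual_cost: float) -> dict:
    """Expected annual loss avoided by a control, and that figure net of its cost."""
    reduction = statistics.fmean(baseline) - statistics.fmean(controlled)
    return {"risk_reduction": reduction, "net_benefit": reduction - annual_cost}


# Constructed scenario: credential stuffing against a customer portal.
BASELINE = Scenario(
    name="credential stuffing against the customer portal",
    tef=Pert(2, 5, 12),                     # campaigns per year
    vuln=Pert(0.2, 0.4, 0.6),               # share of campaigns that cause loss
    loss=Pert(50_000, 200_000, 1_500_000),  # dollars per loss event
)
# Same scenario with an assumed control (MFA) that mainly lowers Vulnerability.
WITH_MFA = replace(BASELINE, name=BASELINE.name + " (with MFA)",
                   vuln=Pert(0.05, 0.1, 0.2))

if __name__ == "__main__":
    base, ctrl = simulate(BASELINE), simulate(WITH_MFA)
    for scenario, losses in ((BASELINE, base), (WITH_MFA, ctrl)):
        print(scenario.name)
        for k, v in summarize(losses).items():
            print(f"  {k:>5}: ${v:>12,.0f}")
    print("MFA at $150k/year:", {k: round(v) for k, v in
                                 control_value(base, ctrl, 150_000).items()})
```

Run directly, it prints the mean and the 50th, 90th and 95th percentiles of annual loss for both variants and the control's net benefit. The percentiles matter as much as the mean: the 95th percentile answers "how bad is a bad year?", which is the question a board actually asks. The sanity check is that the simulated mean should land near the product of the three BetaPERT means (about $888k for the baseline ranges above); if it does not, the model is wrong before any judgement about the inputs. Extending this to an enterprise view is a matter of summing the per-iteration annual losses across scenarios rather than reporting them one at a time.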

At the end of the opening keynote, Michael Dell joined Ramzan on stage and added that “security is now the number one issue that plagues businesses and boards, concerned about the complexity of their security posture and how to manage risk.”

The keynote gave me great hope that the wider industry might be getting serious about moving from a technology-based approach to cybersecurity to a business-driven approach and that the 'dark ages', where cyber risk was deemed to be too complicated to be analyzed in financial terms, are coming to an end. Cyber risk economics is here, and players like RiskLens who have been working with some of the most innovative companies in the world to pave the way, can only rejoice about these developments that will enable cost-efficient decision-making and make the world safer.

How RiskLens can help you become a business-driven security leader

RiskLens is already helping many security leaders in a variety of industry verticals to:

  • Articulate cyber risk and the various forms of business loss in a language that the business understands: dollars and cents.
  • Optimize their vendors list by conducting cost/benefit analyses of their cyber security investments.
  • Justify their security budgets by assessing the possible impact of both preventative and recovery controls.
  • Meet regulatory requirements to conduct consistent and rigorous cyber risk assessments.

The RiskLens Cyber Risk Quantification application is purpose-built on the principles of both risk models referenced by Ramzan above, FAIR and bow-tie. RiskLens applies them for scoping, analyzing and reporting on both individual and enterprise-level cyber risk scenarios.

Contact us today to discover how you can get a seat at the business table and enable financially-driven business decision-making.