Security

RSA CTO: It’s Time To Concentrate On Business-Driven Security

Sam Pudwell joined Silicon UK as a reporter in December 2016. As well as being the resident Cloud aficionado, he covers areas such as cyber security, government IT and sports technology, with the aim of going to as many events as possible.

RSA 2017: Cyber security isn’t a technology issue, it’s a business issue

Understanding the business implications of potential security breaches and attacks is vital in today’s digital environment, according to RSA’s chief technology officer (CTO) Zulfikar Ramzan.

Kicking off the keynote sessions at RSA Conference 2017 in San Francisco yesterday, Ramzan spoke about the relationship between cyber security and business objectives in a world where chaos reigns supreme.

“Today’s security professionals must draw connections between security details and business objectives,” he said, stressing the importance of adopting a business-driven approach because “security isn’t just a technology problem, it’s a business problem.”

RSA 2017

Business focus

Referring to something he called “the gap of grief”, Ramzan highlighted how the inability to draw connections between security details and business metrics will hold companies back when it comes to addressing the “complex cyber security issues” of the future.

“Any ambitions enterprise is truly a joint venture between business and security,” he said. “Executives don’t care if an incident involves SQL injection or cross-site scripting, they just want to understand the business implications.”

Dell RSA

Dell founder and CEO Michael Dell – who made a surprise appearance during the keynote – agreed. CEOs are “talking about the business risks” of digital transformation, he said, attempting to embrace the opportunities of a digital future while at the same time keeping their environments secure.

For any organisation looking to build such a strategy, Ramzan offered three suggestions. First: “Treat risk as a science, not a dark art.”  Through processes such as scenario analysis, businesses should think things through all the way to the end, always asking the question ‘what if?’ and being sure to use a “consistent and rigorous methodology”.

The second step is to “simplify what you control”, i.e. consolidate and integrate vendors so that you don’t end up with a disparate mix of platforms and services. “Don’t adopt a ‘no vendor left behind’ policy,” Ramzan said. “Double down on vendors who work well and ditch everyone else.”

And finally, “plan for the chaos you cannot control” by implementing an incident response plan that follows the ABCs: Availability, i.e. only leveraging the resources available; budget, making sure you are able to account for unexpected costs; collaboration, as the likes of IT, finance, legal and sales “all play critical roles during an incident and must work together”.

“These steps ultimately let you tame chaos,” said Ramzan, and in a world where vehicles are being hacked and device flaws are being leveraged by cyber criminals seemingly every day, chaos is never far away.

What happened in cyber security in 2016? Take our quiz and find out!