The FAIR Institute welcomes Dr. Zulfikar Ramzan, CTO of RSA Security, to the Board of the Institute. If you’ve heard Zully speak at an RSA event (or seen his Chalk Talk videos), you know him as a big-picture thinker on cybersecurity based on unusually broad career experience, starting with a PhD from MIT focused on cryptography, and expanding to online fraud, web and network security, and more at Symantec, Sourcefire, Cisco, Elastic, and, since 2015, at RSA. He also holds more than 50 patents in software security.
Under his leadership, RSA launched the RSA Archer/RiskLens integration that brings a FAIR cyber risk quantification application to the most popular GRC solution, with more FAIR-powered capabilities to come.
A conversation with Zully…
Q: How did you first get interested in cyber?
A: For me, the critical point came in high school [The Bronx High School of Science]. The school got a set of internet-enabled systems, a big deal back in the early to mid ‘90s, and they were administered by some teachers who had not read the manual for security. It was a fertile ground for any of us who wanted to explore how systems worked—hacking in the traditional sense of the word, not like black-hat hacking now.
Then I read the classic book The Cuckoo’s Egg, about how an astrophysicist tracked down a KGB hacker starting from a small accounting discrepancy, and that really inspired me at that time.
Q: Who was a mentor along the way?
A: The biggest one would be Ron Rivest, the “R” in RSA. He was my PhD adviser in grad school. It was a phenomenal experience to attempt to learn as much as I could from him. I would have a conversation with him for 10 minutes, then spend the next three hours decrypting the conversation to understand all the wisdom that was decoded in there.
Q: How would you describe your job as CTO at RSA Security?
A: RSA has a broad portfolio. Part of what makes the job exciting is that there’s so much to learn. It’s my job to try to make sense of how those pieces fit together, and what the overall cohesive story looks like. A big part of my job is thinking about how we go to market, what’s the common vision around the products and then to develop a strategy about what we do next.
Another big part of the job is meeting with customers and partners to understand the market, and then to take that knowledge and try to direct our technology strategy. I also have the pleasure of running RSA Labs that spins out amazing work. They take some of my random ideas and some of their random ideas and make cohesive products in a short amount of time.
Q: You wrote a post on LinkedIn arguing that the biggest breaches don’t come from complex attacks but from “concepts we’ve been discussing for a couple of decades” like spear phishing. Why can’t the cybersecurity profession seem to advance beyond that?
A: That’s a phenomenal question, and it’s where the FAIR risk model comes in. If I’m a CISO and I identify a system that has a vulnerability that needs to be patched, I’m typically not allowed to patch that system. I may have to work with the CIO or the line of business to carry out the actual work, which means I have to convince that person that this issue is important enough and needs to be addressed.
The problem is that often security practitioners talk about their world in very technical terms, whereas a line of business owner or the C-suite or the Board is thinking about a different set of questions: What is my exposure to loss? What’s the overall impact on the reputation or the brand?
And to me that’s the problem we’ve got to solve for. If a critical system goes down, it has implications for our operational uptime, and if I can show the actual loss we are going to be dealing with, all of a sudden, I can have a conversation about business value with the other person.
When I do that, what I’m really talking about is risk, in a formal sense. I’m looking at not just the likelihood that something can happen but also what is the probable loss associated with that event. If we can move the conversation to talking about risks instead of threats and vulnerabilities, we will go a long way forward.
But more importantly, we need to be able to do so with a common understanding of what risk means and a common and consistent way of evaluating and addressing risk. That’s where the FAIR standard plays a key role. I think that FAIR is just a phenomenal program for being able to develop a consistent and rigorous methodology to reason about and measure and mitigate your cyber risk.
Q: How do you think the FAIR approach will break through the current cybersecurity mentality?
A: Being able to see some early wins. As with any similar framework, it takes a few days of intense work to get started. Once you walk people through that initial hurdle – and that can be done in a workshop for a few days – they’ll be able to see the value.
Q: Are there some market forces driving organizations towards a FAIR-aligned approach?
A: Every company now recognizes the need to engage in some form of digital transformation. With digital transformation comes some degree of digital risk. On the flip side, one can help drive the other. A hundred years ago, we would have been talking about a dangerous new technology called the car, but we put compensating controls around those risks, like better brakes and mirrors to see behind us, and the car went on to transform the world.
I believe that digital risk is going to be an important issue. The real challenge in my mind is getting people to realize that. What we’re struggling with in the industry now is selling people on the idea that there are ways to meaningfully quantify digital risk.
I had a customer conversation recently with the CISO at a major hospital and he told me that his biggest risk is ransomware. The problem is, ransomware is not a risk, as anyone in the FAIR Institute can tell you. If you’re not talking about risk correctly at the outset, how are you going to be able to mitigate risk?
So there has to be a period of education. Again, that’s where the FAIR Institute comes in. On the other hand, I can’t imagine how you can have any type of security program or risk management program in this environment without a basic methodology in place. To me, this is foundational.
The FAIR Institute now numbers more than 3,000 risk professionals. Join us to learn and network around the cyber risk revolution. Membership is free. Attend the annual FAIR Conference, October 16-17 to hear the latest thinking and applications in cyber risk economics.