Listen carefully around the halls of the Moscone Center and you could hear a shift in the buzz at this year’s RSA Conference, compared to years past. The roots of this leading infosecurity gathering were in cryptography, and it’s long had a technical bent.
But this year, the chatter tipped: less “cross-site scripting” and “malware injection” and more “business risk”, as if everybody needed to step back and reconsider their value to their organizations.
It started with the opening keynote by Dr. Zulfikar Ramzan, CTO for RSA, who urged the crowd to rethink strategy, and “start by adopting a business-driven security strategy. Because security isn’t just a technology problem. It’s a business problem.”
Ramzan suggested three action items:
- “Treat risk as a science, not a dark art… Formal risk frameworks like FAIR or Bowtie can help tremendously… Every organization should be using a consistent and rigorous methodology to reason about their risks.”
- “Simplify what you control… Tame chaos by consolidating and integrating your vendors.” In other words, zero in on the ROI of each vendor and triage accordingly.
- “Plan for the chaos you cannot control, using ABC: availability, budget and collaboration.” In particular, Ramzan advised, don’t wait until a crisis hits to communicate with the rest of the business about the aims, goals and needs of your security program.
Ramzan got some heavyweight backup on stage from Michael Dell (who acquired RSA in 2016). Dell said the number one issue plaguing corporate leadership now is information security: “They’re concerned about the complexity of their security posture and how they can manage the risks… For them it’s really a business issue and they want to know how it can be addressed.”
At RSAC 2017, noticeably more sessions covered how to improve risk management, particularly through the FAIR framework. Chris Patteson, IT Director at FedEx, presented a case study on his team’s preparations for a severe cyber attack, based on FAIR. He flashed a slide at the audience with an image of the FAIR book, Measuring and Managing Information Risk, and the message:
“Read the book!
“Know what is critical!
“Start the conversation with the business!”
And, of course, there was the well-attended FAIR Institute breakfast…
John P. Carlin, a government cyber-security pioneer as chief of staff for the FBI and head of the National Security Division of the Department of Justice, told how he helped move the FBI to a quantitative, risk-based analysis that “fundamentally shifted the approach the United States government is taking when it comes to counterintelligence risks.” In fact, Carlin said, if the Feds had only had a “FAIR-like model, we should have spotted [the] risk sooner” of the Russian hack on the Democratic National Committee.
FAIR model creator Jack Jones led attendees through a discussion on “Being a Risk-Aligned Leader”. Jack in particular pointed out the roadblocks created by a lack of rigorous, standard terminology in the infosecurity profession. “If we’re suffering from this challenge in terminology, there’s no way we’re going to be risk-aligned as an organization or as individuals. …The key to good risk analysis and risk measurement is getting clarity around what’s in scope and what’s out of scope.”
But with all the buzz at the conference about focusing the profession on business risk came a downside: opportunistic vendors. As Jack Jones explained:
“As the risk space heats up in our industry, you’re going to see more and more technologies claiming to do risk.
“And you’re going to see some of them being blindingly simple to use. And if it’s blindingly simple to use, that should be a flag of caution because the risk landscape just doesn’t lend itself to that.
“People want to just plug something in, get a dashboard and say ‘we’re done’. Well, that’s just never going to stand up.”
For serious professionals looking to quantify cybersecurity risk in business terms, check out all that FAIR offers.