After the shocking disruptions caused by WannaCry, the massive and immediate financial losses incurred because of NotPetya, and the sad and continued trend of each new year being “The Year of the Breach,” the 50,000 cybersecurity practitioners and vendors gathered for the RSA Conference in San Francisco this week were ready for some good, uplifting post-2017 news. RSA President Rohit Ghai brought it in a keynote address on “the cybersecurity silver linings,” and he included the movement to risk quantification, mentioning the FAIR risk model by name.
The cybersecurity profession has come to “the end of the silver bullet fantasy,” Ghai said. “We’re no longer lusting after the latest in gizmos.” Instead, the industry is looking for the “aggregation of marginal gains, the little things” that make up “cyber hygiene.”
Along with sweating the details, Ghai sees a new focus on risk, particularly on helping organizations stay in the “Goldilocks zone” between “complacency and recklessness.” Cybersecurity hits that zone through “business driven security” (an RSA trademarked phrase). Although Ghai didn’t make the comparison, that’s usually seen in contrast to compliance-driven security, checking off lists from standard frameworks.
As proof of how business concerns are now driving cybersecurity, he pointed to the rise of cyber insurance purchases, “already in the billions.”
“More importantly, though, we are maturing in terms of quantifying cyber risk with standards like FAIR and Bowtie. Cyber risk quantification is a hot field and an essential tool for business folks to decipher cybersecurity and understand it in terms of dollars and cents, a language they understand…”
“Now, by prioritizing incidents based on business context and focusing on the crown jewels of the organization - the most important people, systems, processes - we have a recipe for cyber joy” – which he defined as “the feeling that you get when you kick a hacker’s behind.”
“Our knowledge of our business context is the one and only asymmetric advantage that we, the good guys, have.”
Ghai had two more silver linings: “The Quicksilver Law of Cyber Defense,” named for the Marvel Comics character who’s so fast he always arrives ahead of the bad guys – in the cyber world, that’s enabled by tech fixes that build an intelligent SOC, like AI and UEBA. And “The Magic of Sterling Teamwork,” which takes contributions from outside the SOC, including business stakeholders, policy makers, regulators and universities. “Cyber incidents now put everyone’s career at stake from the chairperson of the board to the CTO on down.”