BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
SAN FRANCISCO -- The opening keynote at RSA Conference 2017 reminds enterprises that not only do cyberattacks have far-reaching ripple effects, but each collaborative security decision made -- from design to implementation -- affects the future just as much.
The buzzword Zulfikar Ramzan, CTO of RSA, used was "business-driven security," but his bigger themes for the keynote were cooperation, collaborative security and security by design.
"What's true of nature is true of us: Actions and decisions create ripple effects with consequences that profoundly impact our lives. And the chaos resulting from these ripples offers both immense challenges and incredible opportunities," Ramzan said in his keynote. "Don't draw lines that separate different fields; draw connections that bring them together. In my experience, today's security professionals must also draw connections between security details and business objectives."
Ramzan said the small decisions made every day could have "massive downstream effects." He noted the potential risks of autonomous cars being hacked en masse, the chaos that could result from a cyberattack on public infrastructure, and even mentioned the possible effect the Democratic National Convention hack may have had on the U.S. presidential election.
"Did that attack change the course of the U.S. presidential election? Who knows? But, it definitely changed the discourse that followed," Ramzan said. "That attack created a ripple that ultimately rocked the foundation of democracy. It demonstrates the problem isn't limited to the initial cyberattacks we face; our problem is the long-tail chaos it creates."
Ramzan equated a cyberattack to a natural disaster, like the 2011 earthquake in the Tohoku region of Japan, which had a massive initial effect, but also far-reaching aftereffects because of the damage to the Fukushima nuclear power plant.
Ramzan said the best way forward was through collaborative security, where each person -- "whether you develop code, write policies, manage teams or run businesses" -- understands they are important to overall security design. These sentiments of collaboration and personal responsibility were echoed in following keynotes from Brad Smith, president and chief legal officer at Microsoft, and Christopher Young, senior vice president and general manager for Intel Security.
Young used the analogy of the 1992 men's Olympic basketball team -- the Dream Team -- and how each player did their part to create a better whole. "Work together and work smarter to make real change," Young said.
Zulfikar RamzanCTO, RSA
Ramzan expressed hope that security could get better: "Innovation invites exploitation, but, remember, we are fighting with human ingenuity, which is a powerful thing."
To drive home this idea of collaborative security, Ramzan surprised the RSAC 2017 audience by inviting Michael Dell, founder and CEO of Dell Technologies, to the stage to describe his experiences.
Dell noted that "CEOs aren't talking about cross-site scripting or malware injection; they're talking about the business risks. And for them, it's really a business issue, and they want to know how to secure their environment." He described how the explosion of the internet of things is creating a whole new landscape for business opportunity, but also security risk, because "IT is breaking out of IT and becoming BT -- business technology."
Collaboration between business and security
Ramzan said a main aim is to create "a joint venture between business and security," and he offered three suggestions to do so. First was to "treat risk as a science and not a dark art", which is to say every business should have a methodology in place for formal risk assessment. Second was to "simplify what you control." Ramzan said enterprise shouldn't have a "no vendor left behind policy," but rather should consolidate the number of vendors used and integrate them.
"You're not picking a vendor for their product," Ramzan said. "You're picking a vendor for a long-term relationship."
Lastly, Ramzan said enterprise needs to "plan for chaos you cannot control" by only leveraging available resources, having a workable budget for an incident response plan to handle unexpected costs and making sure teams work together for collaborative security.
"An incident response plan isn't a wish list. It sounds obvious, but it's such a common mistake. Don't put empty fire extinguishers in every hallway," Ramzan said. "An incident response plan without budget authority is a fairy tale ... IT, finance, legal, sales and marketing all play critical roles during an incident, and they must work together."
In summation, Ramzan said the chaos that comes from a cyberattack can create "amazing moments of truth and forces progress that can be painful." If enterprise can embrace the uncertainty, learn and work together, we may find order in chaos and improve security.
"Chaos doesn't just happen to us; it happens for us. Laid in the depths of chaos are the opportunities to adapt, learn and grow. And, finally, we can't just look within. Instead, we must look to each other for clarity, for advice, for inspiration," Ramzan said. "Will we work together across the public and private sectors to ensure that our organizations, our infrastructure and our social institutions remain resilient? What ripples will you create?"
Learn how manufacturers are collaborating to secure process-control systems.
Find out about RSA's new Business Driven Security platform.
Follow more RSAC 2017 coverage.