Amit Yoran, President of RSA, the security division of EMC, recently said that IT security has failed and that the new answers lie in a change of mindset rather than in technology. Amit explained to Ivor Soans that it is time to change the security conversation within businesses, and also discussed the role of government in cyber security, the balance between privacy and security, the backdoors in software that countries like India are worried about, the security challenges that IoT brings, and his vision of a new RSA for a new era in security.
Is there a sense of despair around the security industry? Despite all we seem to be throwing at the problem, the problem seems to be getting worse with newer and ever more advanced threats and compromises that are constantly one step ahead of security?
I don't think there's a sense of despair. The whole purpose of my statement was to start changing the conversation, because our industry has been in a little bit of a rut with an approach that says, "If I only had one more thing, if I only buy the next big thing, if I only buy the next firewall, if I only buy the next anti-malware thing, if I only buy the next gadget/gizmo/anti-virus, then I will be safe." The way technology works today and the way threat actors work, the fundamental truth is that you won't be safe. But I don't think the conclusion is despair. The answer is to think differently. Apply these next-generation protections--that's a good move, but realise that you still may get compromised. And if you are still going to get compromised, then what? That's the fundamental shift we need to start making in the industry. How do I start thinking about security differently--not just about protecting everything at all costs and hoping for the best, but how do I monitor differently, detect differently, respond differently, clean up differently, and how do I prioritise differently? That's where the security industry needs to go through a rapid maturation.
You proposed five steps as a way forward. What is the cost of implementing these steps for organisations?
This is not about 'deploy these five steps and you will be safe.' This is about a mindset, a process. I would counter with--what is the cost of not doing these things? We help organisations do incident response and we find artefacts that have been in a compromised state for as long as seven years. We have criminals running around in their environment, collecting information, knowing what their negotiating positions are on various topics. You have to take a business risk management approach--figure out what really matters, where you apply the right protection and controls, and what the right method is in monitoring and response. It isn't "4 dollars and 12 cents and we're done." It's to think about the problem differently.
One of the tensions in security is the balance between privacy and security. Risk and privacy mean different things in different cultures, age groups, etc. How do we balance this?
I don't think we can make a big enough deal of privacy. In every conversation we need to keep privacy at the forefront of our minds, because it is all too easy to let it slip, and once we let it slip it is incredibly difficult to galvanise the energy and momentum to introduce privacy enhancements. That said, we cannot have privacy without having security. There are tradeoffs that have to be considered, but they are not mutually exclusive. Even when you move forward with security capabilities, you can do so in ways that are much more respectful of privacy and sensitive to privacy issues. RSA puts our monitoring products through the Safe Harbour process, so we have an incredible level of granularity, and we provide best practices and guidance to customers on how they can implement the best visibility possible and at the same time provide the greatest protection for privacy. So we can actually make determinations about what not to observe because of privacy sensitivities, or observe but leave encrypted, and not provide access unless certain conditions are met. So it's not one-size-fits-all--either have privacy or security. Security is not optional, but privacy needs to be the first thought at all times.
What should be the role of government when it comes to security?
In the US and in every nation, there is a need to have an ongoing public dialogue about the role of government in cyber. Undeniably, every nation collects information and intelligence online, just as every organised criminal operates monetisation efforts online. Outside of that, there are perhaps some functions where the government can add value. But government is not the answer. The government doesn't build the technologies, buy and operate the technologies, or develop the protective solutions to cyber challenges. You have to be very explicit about what the role of government is in the cyber domain. Governments do have a role to play, first and foremost in the area of threat intelligence. Governments collect intelligence, stuff that can be helpful to the private sector in developing better technologies or operating technologies in more secure ways. The government is also a big user and consumer of technology. If you define stronger security requirements for your own needs, that will help increase functionality in products, and the private sector will benefit from having those improved security capabilities. Also in transparency. Without knowing what compromises are occurring, what is being attacked, what is being compromised, how the attackers are breaking in, and which companies are being broken into, it is hard for people making risk management and investment decisions to decide what protections each company should deploy. So having better transparency will help the market overall achieve a better state of equilibrium, because right now there is clearly a mismatch between the security market and the reality of what is happening.
India is very worried about backdoors in the software and technologies we use. How do you see that considering RSA was also accused of this some time ago?
At RSA 2014 we were very clear about the accusations--the standard had some flaws in it, but it was more of a media issue than anything else. RSA does not work with any government in any way, shape or form, and will not work with any government, in any way, shape or form, or any organisation, to weaken the security we provide to our customers. So let's take RSA off the table--do not, will not, absolutely will not. If and when I get fired, you'll have to ask whoever replaces me, but that's not something we are interested in doing. And personally too, I am a strong civil libertarian, so even at a very deep, personal level this is not a path that RSA would ever consider. Now, as for the behaviour of governments online: if they are leveraging security technologies or technology companies as a method of collecting intelligence, conducting intelligence or any sort of covert activity, I would say that is a dangerous move for the companies concerned and their shareholders, but also for the future of the Internet and the future of technology, because you see some significant moves towards Balkanisation of the Internet and the creation of barriers that might lead to long-term threats to this incredible opportunity for the world.
Could you comment on your plans to tie up with telcos for monitoring in the APAC region, and also on any possible investment plans in India?
We are pursuing multiple relationships with telcos, many or all of which have significant operations in India. And we do have expansion plans in India in our work and development teams. But I can't comment beyond that.
You've said that RSA is re-engineering across the board and that by this time next year it won't be the same RSA the industry has known for decades. Could you throw more light on that?
This is first and foremost about the industry and where the industry needs to go. RSA is going through a pretty radical transformation. We started, under our former Executive Chairman Art Coviello's leadership, by doing a strategic review of where we saw the security industry going, the challenges customers were facing, and how, going forward, we could expect those challenges and the threat landscape to evolve. And then, what about our portfolio? In a technology company which is acquisitive by nature and has been around for 30 years, you end up with a large portfolio of capabilities; how do those products line up with the future, and where are the opportunities in the markets we play in where we will be best-of-breed? And we've made a decision about many products--many of them very good--that we are no longer selling. We support them under our contracts, but we won't sell them anymore, because they are not part of our future. We've doubled or tripled our development resources in other key opportunities like the Identity Management and Authentication as a Service capability, the advanced threat monitoring, the advanced security operations centre that we offer, and the Governance, Risk and Compliance (GRC) platform that we offer. In those areas we are significantly increasing our level of investment. We've also radically changed how we are structured internally--changes in leadership, etc. In fact, to highlight the point, we're no longer selling the crypto product lines that are the namesake of RSA. It's a very different future for us.
We've seen so many attacks that lead to the loss of customer information. But when do you expect to see an entire city's IT go down, or a national power grid?
Much of the public regulatory regime is focused on breach notification for breaches that affect personally identifiable information. The cynic in me would say that is because personally identifiable information affects voters, and voters affect government decisions and actions, but nonetheless, most of it is focused on personally identifiable information. And so we have a lot of breach notifications happen because they trigger these regulations. There does not exist as stringent a requirement to do breach notifications for breaches that do not affect personally identifiable information. And so many, many breaches go unreported, and on top of that, many even go undetected. I think there are some significant things happening that never see the light of day. Which is why I said earlier that part of the role of government in free market economies is to create transparency, so that people can make better-informed decisions about risk and investment.
What are the security challenges that the Internet of Things (IoT) brings to the table?
I wish I could ask this question! IoT is the next generation of security challenges. IoT is an area that society is running headlong into because of the amazing efficiencies that can be gained, the quality of life enhancements, etc., but we are also exposing ourselves to a level and type of risk we have not seen in any way, shape or form before, and hence I am very concerned about the security implications of IoT.
Updated Date: Jun 26, 2015 18:33:54 IST