As part of the Distinguished CEO Series co-organised by CIO Academy Asia and RSA on the 24th of July, CIO Academy Asia hosted a special Executive Lunch Roundtable with Rohit Ghai, President, RSA. Technology experts and practitioners from various industries were gathered to share their thoughts and questions and recommend best practices to rethink digital security in today’s world of increased cybersecurity risks and threats.

Rethinking Risk Management Strategies in the Digital Age

The modern-day organisation has deeply embedded digital capabilities within its core business, so much so that business critical assets can no longer exist without some form of a digital footprint. The lines between traditional business risks and cyber risks have blurred. At the same time, there is a rapidly evolving threat landscape led by a new breed of empowered threat actors.

While technology capabilities like the Internet of Things, the Cloud and edge computing are providing new business opportunities for organisations, these connected platforms introduce new risks as well. According to a report published by IHS Markit [1], a global business information provider, the number of connected edge devices is projected to cross 31bn by the end of 2018. The meteoric growth in edge devices compounded by the accelerating improvements in computation and storage capabilities and high-speed networks that are connected to core-business operations have rendered traditional ‘castle and moat’ cybersecurity strategies obsolete.

A business-driven approach to managing cyber-risks

Sharing his perspectives on the current state of affairs in the global cybersecurity landscape and the best practices to help organisations deal with the evolving cyber-risks is Rohit Ghai, President of RSA, a Dell Technologies business.

“As an organisation, you can either avoid risk or manage risk. However, in today’s world, avoiding risk is impossible.” said Ghai.

Large data breaches from this past year have resulted in organizations taking a major hit to their reputation and losing trust among customers.

While it is impossible to cover all the gaps with limited resources, Ghai advised that organisations today should adopt business driven security in managing cyber risks. Ghai relates the modern-day cybersecurity strategy to a defence strategy used in competitive basketball as the professionals call it – “Protecting the paint” – where defence is heaviest right below the net where it is most risky, which is typically the painted portion of the court. Digital leaders must identify where the “paint” is within the organisation – or what is commonly known as the organisation’s ‘Crown Jewels’ – where the most critical data and business operations are deployed and where the risk factors are the highest, so that the right measure of resources can be allocated to protect business-critical assets.

A case in point is the recent cyber-attack on Singapore’s largest group of healthcare institutions, SingHealth. It was reported that 1.5 million non-medical records were stolen from SingHealth’s database – among those affected was Singapore’s Prime Minister Lee Hsien Loong, who’s personal particulars and outpatient medication data were ‘specifically and repeatedly’ targeted. While highly sensitive medical data like diagnosis, tests results or doctor’s notes, were not stolen, SingHealth has taken steps to enhance cybersecurity measures to protect critical medical information. Singapore’s Cyber Security Agency of Singapore (CSA) has also made commitments to strengthen cybersecurity measures in sectors outside of healthcare, especially for organisations with Critical Information Infrastructure (CII) systems in place.

Collaboration is the name of the game in cyber-defence

(a) Information sharing for collective learning

Not only are the tools in detection, threat response and data recovery improving, greater information sharing about past threat incidences and data-breaches help organisations stay ahead of threat actors and their tactics. Facilitating information sharing can be enforced by a policy driven approach, like that of the newly ratified Singapore Cybersecurity Bill which mandates cybersecurity incidences related to Critical Information Infrastructure (CII) to be reported to the government. Private sector organisations are now called to champion community driven information sharing – one that allows organisations to learn from a collective pool of past incidences but protects contributors from attacker retribution or legal recourse.

(b) Defence must be played as a team

Cyber security is a team sport — between IT, the Board and other stakeholders to address cyber risk. CIOs have to play a pivotal role in managing cyber risks alongside driving forward the digital transformation agenda. Embedding processes, expertise and tools to deal with risks associated with new digital projects ensures that organisations develop cyber resiliency as they transform to embed digital within their core business.

With all the talk about making cybersecurity a board level issue, The Global State of Information Security Survey 2018(PWC) showed that only 45% of the 9,500 executives from 122 countries said that their boards actively participate in setting security budgets. While 87% of information security leaders indicated the need to increase IT security budgets by at least 25%, only 12% of those surveyed by Ernst & Young said they were confident of receiving budget increments.

Reaching a consensus with some 20 Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs), Ghai pointed out that Boards are not digitally-savvy and it is the responsibility of the information security leaders to quantify the cyber risks in business terms. Translating cyber risks into financial or reputational risks with the help of accepted risk-quantification frameworks like the “Factor Analysis of Information Risk”, or FAIR, puts it into perspective for the board and strengthens the case for more investments to be made in cybersecurity.

“The team work approach is key because a pure technology approach will not work. The bad guys have all the tools and technology, so you can’t beat them with the technology stick.” Ghai emphasized.

(c) Strengthening cross-border collaborations

Adding to the complexity in cyber-risk management in the globalised order of business are the fragmented regulatory standards in data privacy and data sovereignty. At some level, non-consistent regulatory requirements across sovereign nations come in the way of effective cyber-defence. Multi-lateral consensus between nation states are important to harmonise regulatory standards and facilitate information sharing.

One of the major roadblocks to effective information sharing and cross-border collaboration is the lack of trust between contributors – the unwillingness to share information largely stems from the sensitive nature of data and the national security or critical business interests that the data may carry.

Citing the example of the Cloud Act in the USA, Ghai said that this law legalises data sharing across borders to counter terrorism; however, cross-border data collaboration of this kind is still early and nascent.

P. Ramakrishna, CEO, CIO Academy Asia, pointed out that in ASEAN, Singapore has been promoting cross-border collaboration and building collective intelligence among the ASEAN nations. Derek Gooh, CISO, Ministry of National Development, Government of Singapore, said that a number of moving parts must be coordinated in achieving successful cross-border collaboration on top of the constant challenge of data sovereignty. The technology is always there to support such efforts, but conservative policy-making have and will continue to keep up the headwinds.

Is Artificial Intelligence & Blockchain paving the way for better cybersecurity?

On the topic of protecting identities and data, organisations and even some government agencies have recently turned to blockchain as a solution.

Today, Estonia’s population of 1.3M population and roughly another 50,000 e-residents gain access most of its government services digitally and rely on blockchain encryption to secure and control access to citizen data. For example, health records of Estonians are consolidated across multiple health agencies and securely stored on a central cloud database with blockchain encryption. As blockchain offers a high level of data provenance, citizens are able to log in with a unique public key and view which medical professional has access their data and detect any unauthorised access. Singapore’s financial services sector has also embarked on a proof-of-concept project named Project “UBIN”, to facilitate interbank transfer through Distributed Ledger Technology (DLT), which has been proposed to be more secure and much more cost efficient.

Ghai expressed concerns over scalability, considering that many large scale blockchain deployments, bitcoin and Ethereum as one form of it, struggle to match the rate of transactions that established payments companies like VISA and Mastercard can achieve. “Blockchain has a lot of promise for a lot of things for trial and a distributed system, but will it scale at the national level (for national IDs, for example),” asked Ghai. For blockchain to realise its potential, a little bit more maturity and proof-point is required.

Cybersecurity companies are making creative use of Machine Learning capabilities by training its algorithms on a vast catalogue of malicious programmes and subsequently applied to live networks to detect potential threats and the presence of malware. While Machine Learning could potentially detect threats much more efficiently than the human eye could scan, much of the capabilities today require a frequent refresh of training data to reflect the latest versions of malware especially from cyber attackers who have learnt to ‘game the system’.

Ghai also noted some of the fundamental technology shifts that information security leaders need to embrace in today’s highly connected world.

1. Network telemetry today provides a strategic viewpoint on potential cyber threats
2. Software defined zero-trust network architecture is crucial to consistently verify access across the network
3. Compliance standards for third party connectivity vendors are necessary to upkeep cyber-hygiene and minimise the introduction of vulnerabilities

Keep It Simple, Stupid. 

Keep it simple, stupid, or the “KISS” approach, has grown in popularity among information security leaders as they manage an increasingly complex stack of cybersecurity tools. With nearly 1,400 vendors in every niche domain, the solutions offerings has never been more fragmented.

Because of this, organisations now face the challenge of managing one-too-many vendors to meet their cybersecurity needs.  Through the use of APIs to establish connectivity between independent security applications, RSA’s NetWitness Platform is one such platform that allows Information Security teams to address sophisticated cyber threat events through a single pane of glass.

The modern-day Security Operations Center (SOC), which is known as a centralized unit that deals with security issues on an organisational and technical level, needs to go through a rethink as well.

According to Ghai, a SOC is absolutely required to detect and respond quickly to security threats, but it does not necessarily have to be developed and operated in-house. A SOC does little to keep the bad guys out, the focus is for organisations to minimise dwell time and respond effectively.

The SOC needs to achieve pervasive visibility into systems and automated action to remediate and recover.  In all this, the weakest link continues to be the human users within the organisation. Hence, the SOC not only needs to know what is happening on the technology dimension, but also the human dimension.

RSA’s approach is to aggregate the fragmentation—data centres, endpoints, logs—get all that into a common data platform and have an analysis and orchestration layer on top of it. An automated response to quarantine infected machines is also an integral part of RSA’s platform.

Conclusion

Incidents like the SingHealth data breach make us sit up and rethink our digital security strategy. The data breach is a reminder that despite best efforts, cyber-hacks will happen. Organisations have to keep pace with the digital changes sweeping across industry sectors and learn, from collective intelligence and past incidences, to better deal with new cyber-threats and recover quickly from cyber-attacks.

While limited resources may not allow information security leaders to have access to the best-of-breed talent and tools, developing a deep understanding about the organisation’s core business and knowing where the “paint” sets a strong foundation for effective risk management in the digital age.

[1] The Internet of Things: a movement, not a market (IHS Markit, 2017)
[2] Revitalizing privacy and trust in a data-driven world (PriceWaterhouseCoopers, 2018)