AI, Integration, Data, and Transparency: RSA’s Rohit Ghai Answers Crucial Cybersecurity Questions

A look at AI, Integration, Data, and Transparency when it comes to cybersecurity with RSA’s Rohit Ghai.

This is the second in a series of pieces that address crucial questions in cybersecurity that I discussed with industry leaders during the RSA 2018 Conference and updated with new ideas in the run-up to RSA 2019 in San Francisco. These questions built on my previous work, in which I’ve written about the need for companies to adopt a portfolio approach to their cybersecurity needs modeled on financial investments, so that companies use their limited amount of resources on products that prioritize and solve their greatest needs, while ensuring they have coverage across all threats that could affect the entire business. The full depth of that analysis is available at Early Adopter Research, my company’s research site, under the “Creating a Balanced Cybersecurity Portfolio” research mission. They are especially relevant now in the lead-up to RSA 2019 and the questions I plan to ask this year.

This article is based on my interview with RSA’s very own Rohit Ghai and his perspective on these large areas of focus in the cybersecurity realm.

How can you make the components of a cybersecurity portfolio work better together?

Last year, a story on NPR discussed how wildfires in California have led to a blossoming outburst of wildflowers that are growing amongst the ashes. This seemed to me an apt analogy for the overwhelming number of cybersecurity products now on the market, all of which seem intended to address one small component of the threat landscape. This makes it challenging for companies, as they have to search to find the products that best meet their needs and then figure out orchestration of the individual products on their own, as there is no central integration available.

How do you solve this problem? Ghai emphasized a concept he called “pervasive visibility.”

“Before you layer technology on top to do analytics, glean insight or perform orchestration to act upon that insight, first you have to normalize the data and bring it into a common data platform,” he told me. “And we call that pervasive visibility. And you need to have pervasive visibility both on the security operations side as well as on the risk side of the story. Because either/or doesn’t cut it. It’s the combination of risk and cybersecurity that will solve problems and guide us in the right direction. Because if we are only looking at security incidents, we are being very reactive.”

With this approach, companies can get ahead of their problems in a proactive manner.

Yet this doesn’t solve the integration problem. And Ghai agreed with me that the burden of this integration can’t fall on the customer. He sees some hope with the progress of standardization but believes it will likely occur too slowly to make an immediate change. Instead, he advocated for a reference architecture that can be instantiated with lots of point-to-point integrations that then eventually become standardized and abstracted.

It has been hard to integrate a portfolio of cybersecurity systems. Has the time come for CISOs to insist on integrated solutions?

RSA takes an integrated approach to digital risk management, but unfortunately, we are seeing a lot of organizations develop their internal practices in silos, and when your IT, cybersecurity, and risk management teams aren’t on the same page, it creates blind spots. This is especially true when businesses adopt new and disruptive technologies like AI and cloud, or even adopt a modern, dynamic workforce. Without the right steps to integrate people, processes and technology, companies can introduce digital risks that need to be managed alongside their growing digital footprint.

What do you see as the value of AI going forward?

Given all the claims about AI out there right now, I think it remains imperative to approach the topic in general with a level of skepticism that helps to separate fact from fiction. Thus, I asked Ghai about what he believed AI could provide now and into the future.

For him, the most important point is whether the AI provides standalone value or augments the capacity of the human. “In cybersecurity, the terrain is always shifting on you because the hacker is changing your environment. So the question to ask is how does this technology accommodate the ever-changing terrain and can it keep up?” he said. “My humble opinion is that we are still nascent in that journey, and therefore, the appropriate use of machine learning is to augment the capacity of the human defender, rather than allowing the machine defenders to fight alone. There are specific use cases, like spam detection or malware detection, which are more rules-oriented, where it can maybe work on a more standalone capacity. But in the SOC, I think it’s more augmenting the capacity of the human.”

What is your advice for using AI-based systems for cybersecurity and in general?

Adopting disruptive technologies like AI can help businesses accelerate growth, but organizations also need to be aware of the risks of digital transformation. There are digital risks associated with any new technology implementation—and the companies that are able to successfully manage these risks will see better results than the ones who lose the trust of their key users and customers through poor data and security practices.

Can you future-proof your security with a cybersecurity data lake that prevents vendor lock-in, integrates more data, and supports more use cases?

As I’ve pointed out in my previous article in this series, cybersecurity data lakes are alive and well and have functioned (for a variety of reasons) much better than BI data lakes. Ghai concurred with this assessment. But what would be his ideal data lake or data storage architecture for cybersecurity?

“I would say if I were the CISO and I wanted a perfect answer here, I would want a solution that doesn’t get me into the weeds and the technology aspect of standing up a Hadoop infrastructure and the actual technology around analytics. I’d want a productized data lake,” he said. “What I would look at is faster time to value, so I’m focused on the right subset of the problem. And number two, I’d want a solution that powers the network effect of data. By bringing data from different elements into a common metadata model, this allows you to connect the dots, which is again, offering pervasive visibility.”

This can also help companies reduce the dwell time of attacks, which Ghai pointed out is one of the main threats of cybersecurity.

How can you expand the business value you get from cybersecurity data?

I’ve really been compelled by the idea that we need to approach cybersecurity from an integrated medicine model, and I’ve written about this concept already. Too often, in cybersecurity, companies and products focus on treating the symptoms, but not the entire system. In this case, that means figuring out a way that cybersecurity can assist the business to do what it wants to do. Thus, it’s now really important to figure out how businesses can derive value from their cybersecurity data.

Ghai agreed wholeheartedly with this take — and even extended the medical analogy. “If you think of the timeline for medicine, there were two quantum changes in that industry,” he said. “The first one occurred when the focus shifted from illness to wellness. The objective is not to eradicate illness; it’s to ensure wellness. For us, that means not to dream of creating an unhackable world but to think about creating a world that is safer despite the existence of hacks and cyber-attacks.”

“The second evolution in the field of medicine was personalized medicine, when you realize that you have to apply medicine that is appropriate for your DNA constitution, your environmental factors, and the risks that you face. I think the analogy in the cybersecurity field is you take a risk-oriented view where you apply your business context and the broader context and you focus on reducing the business impact of cyber-attacks as opposed to living in a wishful world where cyber-attacks will not occur.”

Finally, I also asked Ghai three rapid-fire questions, related to the cybersecurity industry, that I think are pressing right now.

What are the biggest myths about cybersecurity that companies should be worried about?

Ghai had a positive perspective on this question. He told me that the biggest myth is that “we don’t have any asymmetric advantage. We do. Our understanding of our business context is our asymmetric advantage. We understand our business better than the hacker does. That tells us what’s most important right now so we can focus our energy on protecting what matters most, even as the hacker spends energy on a broader campaign and doesn’t know where the crown jewels are. We know where the crown jewels are.”

He also highlighted one other myth—that too often companies ignore the small, 1%, gradual improvements to cybersecurity. “The aggregation of marginal gains is a powerful, potent force that can help improve our security posture,” he said.

What questions should CEOs and CISOs be asking of their security teams?

Because the C-suite isn’t always as involved in the minutiae of cybersecurity, I think it’s worth hearing what industry leaders think CEOs should be focused on when analyzing their company’s security. Ghai had three recommendations: “First, what’s our most significant cyber risk? Second, can you quantify that in terms of dollars and cents and what it means for my reputation or customer or financial risk? And third, what can the business stakeholders do to help you? They also have to extend a helping hand.”

Is it time for companies to be more public and transparent about how they manage cybersecurity risk?

We’re focused on helping manage these hidden digital risks—which can have very real consequences to businesses. For example, we’re seeing major backlash from consumers toward brands that aren’t transparent or secure with how they capture, store and use customer data, and it’s leading to a loss of customer trust. Businesses need to recognize that the data they use to power AI engines and new customer experiences is not just a business opportunity, but also a significant digital risk that needs to be addressed and communicated in a sustainable, transparent and programmatic way.