‘Link technology to the business risk’
Traditional approaches to security no longer work in a digital world and deploying various security technologies does not guarantee complete security. Rajnish Gupta, Sales Director, RSA India, says one must link the technology assets to the business risks and take a platform approach to security.
Q. The traditional approach to security no longer works in a digital world. There are new threat vectors and business networks are more interconnected. What is the new approach to security?
Short answer: Identify your critical business assets and give these a risk score. Create a risk profile. Then monitor the critical assets rather than trying to pay attention to a flood of alerts. Deploy orchestration around it to understand your risk posture at any given point of time. It’s not about having so much technology to control your security posture. Take a platform approach to manage your security technologies and alerts.
Rajnish Gupta: It’s about connecting the technology to the business risk or the business context. One should think about the impact to the business, should there be a security breach. If you can link the technology detail to the business risk, you will be able to manage your security posture and infrastructure in a much better way. This is what we call business-driven security.
It is about finding what is critical to you and assigning a critical position to that. Identify your critical assets and link those to the business risks. Give a risk score to your assets and monitor the critical assets regularly rather than trying to pay attention to a flood of alerts.
The CEO or board member is not interested in knowing about the technicalities of the breach. They just want to know about the impact of the breach and what was lost.
You need to have a platform approach to manage your security.
Q. In February this year you announced the RSA Risk & Cybersecurity practice. How does it help in operationalizing business-driven security?
Rajnish Gupta: Any engagement that we do goes beyond the product conversation. It has a people-technology aspect. We have tried to do some consulting to advise companies how to do incident response. We advise them how to create their processes around cyber defense. RSA is trying to create awareness on those aspects.
Q. We now have thousands of things being connected to the network in the Internet of Things. How has Identity Access Management evolved over the years?
Rajnish Gupta: Identity has become the weakest link in the security chain. Traditionally, IAM solutions have taken a technology approach. That has not worked out and the deployments have taken a long time to complete. The approach to IAM has changed from technology-oriented to governance-oriented. The business must know what kind of access people in the organization have, even when they change roles. Have the old access privileges been revoked when someone moves on?
The authentication method has also changed from a traditional VPN or token-based one to multi-factor authentication. You can have biometrics with iris scanning and facial recognition today. There is also seamless authentication between the on-premises application and the cloud-based application.
Q. Which are your target verticals in India? Can you name some of the companies who are using RSA security solutions?
Rajnish Gupta: We have a predominant presence in BFSI, IT/ITES and Government/PSU. HDFC Bank uses our fraud risk intelligence solution to secure online transactions. The solution does risk profiling and risk assessment based on user behavior. Many public sector banks in India are using this solution. The IT/ITES companies such as GenPact are using our SOC (NetWitness) and GRC (RSA Archer) solutions.