RSA CTO on risk, changing mind-sets and staying ahead
By Gabey Goh July 23, 2015
- Today’s CTO has to play a dual role, one internal and one external
- At RSA, it also includes being ahead of the cybersecurity curve
STEPPING into the role of chief technology officer (CTO) at RSA, the security division of EMC Corp, marks a homecoming of sorts for Dr Zulfikar Ramzan (pic above).
“When I was a graduate student, my advisor was Ron Rivest, the co-founder of RSA – the ‘R’ in RSA. So it’s a bit like coming home to the academic family business.
“I’ve always dreamed of being in RSA one day in a senior role, so this is full circle for me,” he told Digital News Asia (DNA) on the sidelines of the RSA Conference Asia Pacific & Japan (RSAC APJ) 2015 taking place this week in Singapore.
Ramzan holds a PhD in Electrical Engineering and Computer Science from the Massachusetts Institute of Technology.
Having clocked less than six months in his new role, he said that his focus in the early stages is to develop himself in the company and fulfil the dual roles he believes a CTO must play.
The first is the external-facing role, which involves speaking with all the various stakeholders and understanding where the market is going and what the key trends are.
The second is internal-facing, where Ramzan and his team have to figure out what changes should be made within RSA itself to make sure that the company is always relevant in the industry, doing the right kinds of things and solving the right kinds of problems.
“We have to think ahead about that because if we wait for a trend to become prominent [before jumping] on it, then it’s too late to address it – it takes time to develop the technology and get it to market,” he said.
“So for me, my charter is to make sure that RSA always stays on top of the kinds of problems that are at the forefront of the minds of our customers, even to the point of being a bit ahead of where customers need us to be because they’re going to rely on us to figure out what the next thing is going to be.
“That’s a heavy responsibility,” he added.
Staying ahead and in the know
That focus on trying to stay ahead of the curve is an important one for RSA and the security industry at large, given the rapidly changing nature of the threat landscape and the growing sophistication of attackers.
It is also fuelling an era of unprecedented growth opportunities for the industry, as organisations increasingly look toward upgrading their investments and improving their security strategies.
In its Cybersecurity Market report, Cybersecurity Ventures said that worldwide spending on information security is expected to reach US$76.9 billion in 2015, according to a forecast from research firm Gartner.
In addition, a report from Markets and Markets estimated the market would grow to US$155.74 billion by 2019, at a compound annual growth rate (CAGR) of 10.3% from 2014 to 2019.
In the Asia Pacific region, spending on critical infrastructure security is set to hit US$22 billion by 2020, according to ABI Research’s Cybersecurity Strategies for Critical Infrastructure Market Research.
The research firm noted that active campaigns in cyberespionage and cyber-warfare plague nation-states and private sector organisations in the Asia Pacific region. Digitally advanced industries and emerging knowledge economies are lucrative targets for hostile cyber-threat actors, fuelled by political ideals or financial gain.
“The market for cybersecurity services is highly varied. Domestic vendors will feature highly in northeast Asian markets such as Japan, South Korea, and China,” said Michela Menting, practice director for Digital Security at ABI Research.
“However, there is significant opportunity for foreign security vendors to penetrate in markets [such as] Australia, New Zealand, Malaysia, Indonesia, Thailand, and India.”
According to RSA’s Ramzan, attackers on average are more sophisticated, and what would have been considered a sophisticated attack five years ago is today considered a mainstream one.
“To me, the biggest shift beyond the growing popularity of cybersecurity is the idea that you can no longer just focus on preventive measures anymore.
“A lot of the companies in the past have tried to build taller castle walls and dig deeper moats. That’s not a bad strategy to take, but you shouldn’t spend all your efforts on building bigger walls because good adversaries will find ways around those walls.
“And once they get through, if you look at all the major breaches today, the issue has not been that they got breached, the issue is that they didn’t know the extent of the breach and what happened from that point onward,” he said.
Ramzan said that this lack of insight has been demonstrated repeatedly, from the announcement in June that the US Office of Personnel Management had been the target of a data breach with varying reports of the extent of the damage, to the more recent breach of Ashley Madison, the site that lets spouses cheat on their partners, with the potential exposure of the personal details of 37 million customers.
“What’s intriguing is that they don’t understand what has happened. They know they’ve been breached but they don’t have a full sense of the scope of the breach.
“The key to managing these incidents is getting visibility once the attacker gets through the front door.
“If you think about a typical attacker, for example if you’re robbing a bank, the goal is not about getting through the front door but to walk out the backdoor with the money.
“And so getting in through the front door is not difficult, but we want to make sure that we know what they’re doing once they’re in, and if they do make it to the money, that they only walk away with a few bills instead of the entire vault,” he explained.
Ramzan said that this is a problem area that more vendors are addressing, and more companies have to think about.
And while security budgets are being increased, the fact remains that organisations still work with limited resources and a technology innovation cycle that could burn holes in even the deepest of pockets.
Ramzan believes that part of the issue is that fundamentally, organisations want to ensure the best use of resources, which could lead to hesitation.
“So from our perspective, don’t spend all your money in one place. Spend about a third on prevention, a third on detection and a third on response – the actual spread would be unique to every customer.
“And if you find yourself too ‘out of whack’ or not balanced in coping with security issues, then it’s a sign that you’re not using your resources efficiently,” he said.
Be the hunter
Another piece of advice typically given to customers is to get out of the business of being reactive when it comes to issues, and to switch to hunting for issues rather than being hunted.
“By that, I mean using threat intelligence feeds to see what issues are out there and looking for those artefacts within the environment.
“I know it sounds complex, but it turns out that you can do some basic hunting with a very limited skill set,” he said.
Ramzan said that RSA recently worked with a member of a customer’s IT staff, an employee with no background in cybersecurity but with some interest in it.
“We trained him, within two weeks, to actually hunt malware. This is the kind of problem where you don’t really need to have deep cybersecurity expertise.
“You can learn to do a lot of the basic things quickly, but if you do, it provides a tremendous amount of value that can be realised right away,” he said.
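What the “basic hunting” Ramzan describes can look like in practice, as an added illustration that is not code from RSA or from the article: a threat-intelligence feed is loaded, and the indicators in it (a domain, an IPv4 address and a file hash) are looked for as artefacts in log lines from the environment. The feed’s `type,value` layout, the `key=value` log-line shape and every domain, address, host name and hash below are constructed for the example; the hypothetical helper names (`parse_feed`, `hunt`, `hosts_by_hits`) are mine, not any product’s API.

```python
"""Basic indicator hunting over log lines (added example, constructed data)."""
import re
from collections import Counter

# Constructed sample hash: not a real malware hash, just a 64-hex placeholder.
SAMPLE_HASH = "0" * 63 + "1"

# Constructed indicator feed, one "type,value" indicator per line
# (a hypothetical export format chosen for this example).
FEED = f"""\
# type,value
domain,update-cdn.example-bad.test
ipv4,203.0.113.45
sha256,{SAMPLE_HASH}
"""

# Constructed log lines: DNS queries, proxy connections and an endpoint event.
LOGS = [
    "2015-07-20T10:01:02Z dns host=ws-101 query=update-cdn.example-bad.test rcode=NOERROR",
    "2015-07-20T10:01:05Z proxy host=ws-101 dst=203.0.113.45:443 bytes=18432 action=allow",
    "2015-07-20T10:02:00Z dns host=ws-204 query=mail.corp.test rcode=NOERROR",
    "2015-07-20T10:03:11Z proxy host=ws-204 dst=198.51.100.7:443 bytes=220 action=allow",
    f"2015-07-20T10:04:40Z edr host=ws-101 event=process_start path=C:\\Users\\a\\svc.exe sha256={SAMPLE_HASH}",
    "2015-07-20T10:05:00Z dns host=ws-309 query=Cdn2.Update-CDN.Example-Bad.test rcode=NOERROR",
]

HEX64 = re.compile(r"^[0-9a-f]{64}$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_feed(text):
    """Parse the constructed feed into {type: set(values)}; values are lowercased."""
    feed = {"domain": set(), "ipv4": set(), "sha256": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(",")
        kind, value = kind.strip(), value.strip().lower()
        if kind in feed and value:
            feed[kind].add(value)
    return feed


def fields(line):
    """Split a 'key=value key=value ...' log line into a dict."""
    out = {}
    for tok in line.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            out[key] = val
    return out


def matches(feed, value):
    """Return (type, indicator) if one field value hits the feed, else None."""
    v = value.lower()
    # Proxy logs carry dst=ip:port; compare the address only, and exactly,
    # so 203.0.113.4 is never mistaken for 203.0.113.45.
    if ":" in v and IPV4.match(v.split(":", 1)[0]):
        v = v.split(":", 1)[0]
    if v in feed["ipv4"]:
        return ("ipv4", v)
    if HEX64.match(v) and v in feed["sha256"]:
        return ("sha256", v)
    # Domains match exactly or as a subdomain, case-insensitively.
    for d in feed["domain"]:
        if v == d or v.endswith("." + d):
            return ("domain", d)
    return None


def hunt(feed_text, logs):
    """Return one hit record per log line field that matches a feed indicator."""
    feed = parse_feed(feed_text)
    hits = []
    for line in logs:
        f = fields(line)
        for key in ("query", "dst", "sha256"):
            if key in f:
                m = matches(feed, f[key])
                if m:
                    hits.append({"type": m[0], "indicator": m[1],
                                 "host": f.get("host", "?"), "line": line})
    return hits


def hosts_by_hits(hits):
    """Count hits per host, so the most-touched machines are triaged first."""
    return Counter(h["host"] for h in hits)


if __name__ == "__main__":
    found = hunt(FEED, LOGS)
    for h in found:
        print(f"{h['host']:8} {h['type']:7} {h['indicator']}")
    print(hosts_by_hits(found))
```

The per-host tally is the point of the exercise: three of the four hits land on the same workstation, which is the visibility “once the attacker gets through the front door” that the interview argues for. In a real environment the feed would come from a vendor or sharing community and the lines from a SIEM or log store, but the matching logic is no more involved than this.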
Machine learning and future forward
But what about the role of machine learning and automation, touted to be the game-changer in dealing with the non-stop flow of threats by recognising patterns and reacting to a new, unseen threat based on past know-how?
Machine learning is a topic in which Ramzan has long held a deep interest, and it was another reason why he sought out Rivest at MIT, as Rivest also had an interest in both fields.
Prior to joining RSA, Ramzan was CTO of Elastica, where he leveraged machine learning technologies and natural language processing to enable customers to more securely access and use cloud services.
“Machine learning is not a silver bullet but a tool with strengths and weaknesses,” he told DNA.
“It still requires having good data to work with, and still requires some human element to make some adjustments and to think about whether the algorithms are producing the right kinds of things.
“The strength of machine learning is that it’s largely automated in the sense that it can take this data and figure out what the rules ought to be – but you’ve got to make sure that it’s making sensible rules,” he added.
Beyond that, Ramzan has observed that a lot of machine learning techniques are still focused on prevention and early detection, and while those techniques are strong, they can ultimately be bypassed by a clever adversary.
“Ultimately, all these techniques are doing is generating rules – and you can figure out techniques and ways around those rules and make adjustments.
“So I haven’t seen a single technology today that uses machine learning that can’t be somehow bypassed by a willing and motivated attacker.
“That being said, it does move the needle a bit and gives us better protection and detection – but it’s not going to give us the ability to do intelligent response or figure out what happened in the aftermath of an attack,” he said.
With machine learning gaining in popularity and many companies focusing on the ‘buzzword’ parts of the field such as neural networks, Ramzan always poses the same question to them: Where are you getting your data?
“Because if you don’t have the right data then it doesn’t matter what algorithm you have, it’s going to be garbage-in and garbage-out.
“If they can’t answer that question intelligently, then I know they don’t have the right people on staff.
“Putting things together is one thing, but actually understanding the mathematics behind it, that’s a very rare skill to have,” he said.
But while the field of machine learning continues to expand and mature, Ramzan will be focused on three key areas as RSA’s new CTO. The first is identity – not just authentication but aspects of lifecycle management and governance to reduce identity risks for customers.
The second is advanced security operations, especially the use of analytics and how to marry the interplay of security and data science to enable better insights, visibility and decision-making.
“The final area is the whole ‘how do we take action from this information?’ and how we translate IT security risk up to organisational risk, because nowadays, more organisations are caring about these issues and they are top-down concerns from CEOs (chief executive officers) and board members,” said Ramzan.
“You want to talk about security but these guys understand risk, so you have to translate those concepts back to that for them. This is where the whole area of governance, risk and compliance is of great importance to me,” he added.