RSA’s CSO: Security should be adaptive and flex with the user
Risk can be measured and put to the test: this much is acceptable; that much is too much.
It all depends on what the organization is willing to accept and the role of the security professional is to provide the necessary guidance.
There was a time when security was more binary with yes or no answers. Talking to Shawn Edwards, it’s clear that the perception of risk and the resulting conversations with the C-suite have shifted over the years, leading to a different relationship between the security department and the rest of the business.
Edwards is vice-president and chief security officer at RSA, a cybersecurity and risk management solutions division of Dell Technologies. His responsibilities include RSA and security aspects of Dell’s other businesses as well.
Edwards has some interface with the physical side of security at RSA, but largely through Dell’s physical security program, which provides the entire organization with guards, travel advisories, etc.
“They cover all those elements for me, so it’s almost like a managed security service, but within the Dell family,” he explains.
Prior to joining Dell, he was at Visa for seven years, where he led their cyber defence program.
Risk and culture
In today’s security culture, physical and digital risk share a similar approach “in the sense that there’s a risk assessment, a risk evaluation and then there’s a risk appetite evaluation,” says Edwards.
“Physical risk would be a good example where there’s very low risk appetite, whereas perhaps with operational risk or business risk, you have to be a little bit innovative, therefore you’re willing to accept a little more risk. Where that delta is between what level you’re willing to accept and where your maturity level is today kind of dictates risk mitigation.”
For RSA, the concept of “digital risk management” is a big one. Edwards describes it as an “amplification” of risk. Given the speed of business and the rapid progress of digital technology, risk models need to keep pace with that velocity. It’s changed the conversation between security and business-focused aspects of the organization and created a new dynamic, he argues.
Edwards attends weekly leadership meetings that include RSA’s senior management. Not every conversation may pertain to security, “but the interesting thing is, I’m at that table and I’m having that conversation.”
If, for example, the organization wants to move a product to the cloud, “right away, I know that’s happening and I can start educating them on the risks… Having that conversation early and often is really going to help solve a lot of problems.”
At RSA, the concept of “adaptive authentication” speaks to the idea that security can be both flexible and smart.
Edwards says the weakest points of a network tend to be the endpoints, i.e. the people connected to the network via laptops or other devices.
“In my opinion, the greatest value and the greatest risk comes from where the human meets technology,” he says. With that understanding, security can adapt to human behaviour — people typically being creatures of habit.
“At RSA, we have a product called NetWitness. [It has] this capability called user and entity behaviour analytics,” says Edwards. “What that means is it understands that the person at the laptop always operates like this. They always come from this location or these locations. It understands behaviour — up at eight, ends at five. If all of a sudden at two o’clock in the morning from Uzbekistan they see a login, that’s an anomaly.”
Authentication and security should be smart enough to flag unusual behaviour, as well as recognize that people, while often predictable in their work and network access habits, do not all view security the same way. The easier you make security for the end user, says Edwards, the more likely you are to win their acceptance.
“If I have to type in my PIN, I’m OK with that,” he says by way of example. “But if I can do the facial recognition instead, that’s easier. I do want that frictionless experience as well, but I still want the security. I’m willing to sacrifice certain things — maybe my thumbprint or my face — in order to actually gain that frictionless experience. Some people may not…. Authentication has to flex with the people that are using it.”
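The behaviour-analytics idea Edwards describes (learn where and when a user normally logs in, flag what falls outside that) and the adaptive-authentication idea (match the amount of friction to the risk) can be shown together in a small script. The following is an added example, not code from RSA, NetWitness or Dell; the log format, user names, locations, scoring weights and the allow/step-up/block thresholds are all constructed here for illustration.

```python
"""Toy user-behaviour baseline with an adaptive authentication decision.

Added illustration only; not RSA NetWitness code. The log format, users,
locations, scoring weights and thresholds are constructed assumptions.
"""
from datetime import datetime

# Constructed login history, one record per line: "<ISO timestamp> <user> <location>"
SAMPLE_LOGINS = """\
2024-03-04T08:02:11 alice Boston
2024-03-04T09:15:40 alice Boston
2024-03-05T08:10:05 alice Boston
2024-03-05T13:45:30 alice NewYork
2024-03-06T08:05:59 alice Boston
2024-03-07T08:30:00 alice Boston
"""


def parse_logins(text):
    """Parse the constructed log format into (timestamp, user, location) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, location = line.split()
        events.append((datetime.fromisoformat(ts), user, location))
    return events


def build_baselines(events):
    """Per-user baseline: the set of locations and the set of login hours seen so far."""
    baselines = {}
    for ts, user, location in events:
        entry = baselines.setdefault(user, {"locations": set(), "hours": set()})
        entry["locations"].add(location)
        entry["hours"].add(ts.hour)
    return baselines


def score_login(baseline, ts, location):
    """Return (score, reasons); a higher score means the login is further from habit.

    Weights are assumptions: a never-seen location counts more than an odd hour.
    """
    score = 0
    reasons = []
    if location not in baseline["locations"]:
        score += 2
        reasons.append("new location: %s" % location)
    if ts.hour not in baseline["hours"]:
        score += 1
        reasons.append("unusual hour: %02d:00" % ts.hour)
    return score, reasons


def decide(score):
    """Map the risk score to an adaptive-authentication outcome (thresholds assumed)."""
    if score == 0:
        return "allow"    # matches the user's habits: frictionless path
    if score < 3:
        return "step-up"  # ask for an additional factor before continuing
    return "block"        # far outside the baseline: block and alert the SOC


def evaluate(baselines, iso_ts, user, location):
    """Score one login attempt against the stored baselines.

    Edge case: a user with no history is not known to be malicious, so the
    attempt is neither waved through nor blocked; it gets a step-up challenge.
    """
    ts = datetime.fromisoformat(iso_ts)
    baseline = baselines.get(user)
    if baseline is None:
        return "step-up", ["no baseline for user %s" % user]
    score, reasons = score_login(baseline, ts, location)
    return decide(score), reasons


if __name__ == "__main__":
    bl = build_baselines(parse_logins(SAMPLE_LOGINS))
    for attempt in [("2024-03-08T08:20:00", "alice", "Boston"),
                    ("2024-03-08T17:00:00", "alice", "Boston"),
                    ("2024-03-08T02:00:00", "alice", "Uzbekistan"),
                    ("2024-03-08T08:00:00", "bob", "Boston")]:
        print(attempt, "->", evaluate(bl, *attempt))
```

The baseline here is deliberately coarse (a set of hours and a set of locations); a production system would weight by frequency, decay old observations and combine many more signals. The point the script makes is the one in the interview: the usual 08:00 login from Boston costs the user nothing, a login at an unusual hour costs one extra factor, and a two-in-the-morning login from a location never seen before is blocked and surfaced to the security team rather than silently allowed.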