UPDATED 13:41 EDT / MARCH 02 2020

SECURITY

As RSA opens a new chapter, Rohit Ghai sees security’s strength in the human element

When it chose “Human Element” as the central theme of its annual U.S. conference, RSA Security LLC must have gazed deep into a crystal ball and foreseen the near-term future.

RSA’s annual U.S. conference, held last week in San Francisco, opened with the deadly coronavirus spreading rapidly and affecting thousands of people around the globe. It was also mere days after the company’s employees learned that RSA had been sold by Dell Technologies Inc. to the private equity firm Symphony Technology Group for over $2 billion.

In a world of machine-driven intelligence and “viruses” that infect networks instead of people, February’s headlines were an important reminder that humans still control the narrative.

rsac2020-rohitghai-stage

“It is stories that make us human,” said Rohit Ghai (pictured), president of RSA. “I feel that we have lost control of the narrative as an industry, and we need to take that back and make sure we clarify the role of all the human characters in our story. Until we change the narrative, we have no shot at changing reality.”

Ghai spoke with Jeff Frick, host of theCUBE, SiliconANGLE Media’s mobile livestreaming studio, during the RSA Conference in San Francisco. They discussed the recent sale of RSA, celebrating success and denying financial gain for attackers, increasingly sophisticated hacking tools, a need for diversity and the latest threats confronting the cybersecurity community.

This week, theCUBE features Rohit Ghai as its Guest of the Week.

Agile and independent

RSA was founded in the late 1970s when three MIT students — Ronald Rivest, Adi Shamir and Leonard Adleman — developed a data encryption formula using a combination of public and private keys. Although the company is best known for its SecurID authentication tokens, it also provides solutions for governance, incident event management, threat detection, and compliance.

Dell gained control of RSA in 2016 when it purchased EMC Corp. There had been rising speculation that RSA would be sold, as Dell’s VMware Inc. steadily grew its own security division, as exemplified by the acquisition of Carbon Black Inc. for $2.1 billion last year.

“It clarified the swim lanes for Dell Technologies to focus on intrinsic security and RSA can focus on managing digital and cyber risk,” Ghai said. “We’re excited about the opportunity to become agile and independent and play in a smaller company setting to pursue our future.”

Celebrating success

Ghai’s recipe for changing the security narrative is part celebration of the industry’s successes and part denial of financial gain for threat actors. Defeating a denial-of-service attack or successfully defending against daily threats at an almost unimaginable scale qualify as victories in a perilous digital world.

One executive with FortiGuard Labs disclosed during the RSA conference that his firm monitored 10 million attacks per minute or over 100 billion events every day.

“We can celebrate our successes at a collective level,” Ghai said. “Just like we put out breach reports in terms of what the statistics are and where they’re emanating from, we can talk about defensive strategies that are working at a collective level as an industry and share best practices, recipes to win.”

The financial side may prove to be a bit more challenging. Estimates are that ransomware attacks alone cost government agencies and businesses over $7.5 billion in 2019. At one RSA conference presentation last week, a security researcher from Trend Micro Inc. said that subscription tools for launching denial of service attacks were available on the Dark Web for as low as $40 per month.

“We don’t have to win for the hacker to lose,” Ghai said. “Seventy-one percent of breaches are motivated by financial gain. If we deny financial gain to the hackers, we make them lose.”

Countering deep fakes and fostering inclusion

In his keynote presentation last week, Ghai described how the chief executive of one company had been tricked into wiring $243,000 to a hacker’s fraudulent account by a “deep fake” audio recording of another executive’s voice.

Deep fake technology has been rapidly advancing and could soon become a potent and more widespread tool, according to researchers from McAfee Inc. This will place more pressure on information-technology organizations to pick up the slack, as unsuspecting end users become more easily exploited by bad actors.

“They’re using all of these sophisticated attacks,” Ghai said. “We cannot rely on the end user to discern through these, it’s unfair for us to think of them as the first line of defense. IT has to step up in that regard.”

The cybersecurity industry is also suffering from both a skills shortage and a diversity gap. The unfilled security job shortfall has now reached 4 million, according to a recent report.

From a diversity standpoint, cybersecurity continues to lag behind. Research has indicated that women comprised only 20% of the global cybersecurity workforce by the end of 2019 and, in a separate survey, 65% self-identified as Caucasian. The industry must move beyond its single-minded “science, technology, engineering and math” focus and find ways to draw more people from diverse backgrounds, according to Ghai.

“We need to move from a culture of elitism to a culture of inclusion,” Ghai said. “Let’s stop being STEM snobs, and let’s be more inclusive and garner the entire spectrum of the diverse talent pool that we have available.”

New areas of attack

While the tech community has been focused on reducing the attack surface by limiting areas of exposure, there is still pressure to innovate and rapidly adopt new technologies. In many ways, this feeds a vicious cycle because as some doors are closed, new ones are opened and threat actors march boldly in.

“For a long time, they’ve seen us being unprepared in terms of reducing the attack surface and then they go after new aspects,” Gahi noted. “What are those? Internet of things, operational technology, data, and the edge. These are areas where there is a lot of activity.”

Can the cybersecurity industry ultimately create a safer digital world in the future? While no one is prepared to declare victory, Ghai remains optimistic that bright minds and innovative ideas will win out.

In his keynote address during RSA last week, Ghai pointed to the historical example of Mary Mallon, a cook in New York during the early 1900s who was found to be a carrier of typhoid fever. The discovery earned her the label of “Typhoid Mary.”

“We need to consider the people who cook the food rather than those who consume it,” Ghai told the gathering. “IT is certainly cooking up delicious digital recipes, but they had better wash their hands.”

Here’s the complete video interview, part of of SiliconANGLE’s and theCUBE’s coverage of the RSA Conference:

Photos: SiliconANGLE

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU