RSA Security bets on digital risk management

RSA Security chief predicts that managing digital risk is set to become increasingly important to organisations as they complete their journeys to digital transformation

In the two years since announcing its business-driven security strategy, RSA Security has begun evolving that strategy to focus more on managing digital risk, according to company president Rohit Ghai.

While parent company Dell Technologies continues to power the digital transformation of companies, the mission and purpose of RSA Security has evolved to helping customers manage digital risk, he told Computer Weekly on a recent visit to London ahead of RSA Conference 2019 in San Francisco.

“In any journey to the digital future, there is risk along the way, and we believe digital risk will be the largest facet of risk going forward, so we want to help customers manage it with a business-driven approach because this is a business issue, not a technology issue,” he said.

According to Ghai, RSA Security does not have to explain the concept of digital risk. “Companies understand that embracing digital technologies entails risk because they are grappling with it, and we are getting a lot more resonance with the managing digital risk approach than we did with business-driven security,” he said.

RSA Security recognises that managing digital risk is a promising nascent market, and it is investing in an effort to get a head start and a first-mover advantage, but Ghai believes that RSA Security already has competencies in the key areas of integrated risk management and cyber security.

“That is why we feel RSA is uniquely positioned to serve customer needs in this area because we have a leadership position in those two areas,” he said.

The investment in developing the company’s digital risk management capability is mainly in building a digital risk platform.

“We are moving in the direction of a digital native platform served from the cloud. We have made the investment and the yield of those investments will come in the next few years, but it is early days,” said Ghai, adding that RSA Security feels well-positioned and is betting on the hypothesis that the digital risk management market will be an “attractive and vibrant” one.  

Observing that there is currently an overall erosion of trust globally, Ghai described the business climate as “a little volatile”. Although volatility usually means there is some reluctance to make bold moves, which tends to slow down the formation of new markets, he said that now is the time to act.

“I believe it is the perfect opportunity to take trust head on and be the force that reinstates trust in a world that is getting a little fractured. If the world is more digital, then the way to reinstate trust is to de-risk the path to digital. That is what it will take, and it’s a big challenge, but the time is now.”

Asked whether it is also time for organisations to start preparing for cryptography in a post-quantum world, when today’s encryption algorithms are expected to become vulnerable to cracking by quantum computers, Ghai said quantum computing will be a force both for the person trying to break the cryptography as well as for the cryptographic algorithms themselves.

“In many ways it is like Moore’s Law. As computing power has progressed over the years, it is not one side or the other. The good and the bad side both benefit from the progress, and it will be the same with quantum computing,” he said.

Ghai said one of the inventors of the RSA algorithm, Ron Rivest, made the point that even as quantum computing develops, it will balance itself out because it can be used for cryptography with much larger keys that are harder to decrypt.

Although it will still be some time before quantum computers pose any threat to existing encryption algorithms, he said it is an issue that organisations that depend on encryption should keep in mind, so that they are prepared when the time comes.

However, Ghai said there are other innovations that can occur that obviate the need for cryptography in terms of ensuring secure communications. “As much as quantum computing is developing, there are alternative approaches which would also be good to keep in your peripheral vision as you think about your strategy going forward,” he added.

As examples of these alternative approaches, he cited distributed ledger technology and blockchain, which have use cases that can address some of the business needs, as well as using biometrics and machine learning (ML) for assuring identity.

“We believe the shift to risk-based analysis, using machine learning that can reason over vast quantities of data to assess your level of risk, thereby informing your authentication and other business needs. So machine learning, artificial intelligence (AI) and blockchain technology are examples of alternative technologies that can come to the rescue,” he said.

Many within the information security community believe that in the digital era, authentication will become increasingly important. Asked about RSA’s thinking in this regard, Ghai said a risk-based approach is critical.

“In the digital world, you need to optimise for security, speed and convenience. To do that, you can’t have a binary, one-size-fits-all approach. You need an approach, where based on the level of risk, you are placing less or more friction in terms of the transaction.

“Second, you need a continuous model where you are not just checking at the point of entry. You have to assure security throughout the life of the transaction. Once again, ML and AI can be very helpful in this area,” he said.

For more than a decade, Ghai said RSA has had a risk-based authentication offering for mitigating fraud for consumers. “We have taken inspiration from that business to consumer solution and brought that risk engine over to the enterprise, and now using that risk-based authentication for business to employee identity and access management use cases as well,” he said.

Looking to the future, Ghai said RSA Security is also doing research in terms of identity of things as opposed to just identity of people.

“In the future, actors on the network will increasingly not just be people, but a mixture of people and things and we need to assure the identity of things as well,” he said.
