Episode 11: Information Superiority is Your Cybersecurity

0:00 [MUSIC PLAYING]

0:01 WOMAN: Luminaries, talking to the brightest minds in tech.

0:05 MAN: We have always believed that if we built the right technology, we could amplify and enhance and enable human progress. And when I look at what lies ahead, I realize that we’ve really just barely begun.

0:23 WOMAN: Your hosts are Mark Schaefer and Douglas Karr.

0:29 MARK SCHAEFER: Welcome everyone, to another episode of Luminaries, where we’re talking to the brightest minds in tech. This is Mark Schaefer with my co-host the “efu-sive”– effusive–

0:42 DOUGLAS Karr: [LAUGHING]

0:42 MARK SCHAEFER: –effusive Douglas Karr. Are you refusive, effusive, or reclusive?

0:48 DOUGLAS Karr: [LAUGHING]

0:51 I am reclusive.

0:53 MARK SCHAEFER: You are reclusive today?

0:54 DOUGLAS Karr: Yes.

0:55 MARK SCHAEFER: What an interesting show we have. We’re going to be mining the dark corners of the web, the scary parts of the web. We’re going to be talking about cybersecurity. And our guest today is Dr. Zulfikar Ramzan. He is the chief technology officer for RSA. Dr. Ramzan has been working in the area of cybersecurity for much of his career. You can go online, see him being interviewed by CNBC and many other news programs because he’s not just smart– to quote Derek Zoolander, “He’s really, really ridiculously good looking.”

1:38 [LAUGHTER]

1:41 DR. RAMZAN: I like you already.

1:41 MARK SCHAEFER: He’s worked on cryptography. Yeah, yeah. Go ahead. Just come on in, Dr. Ramzan. Yeah. If you like that, just go with it.

1:50 So anyway, he is an expert in cryptography, malware phishing, online fraud, web application security, network security. And we are so delighted to have you on the program.

2:05 DR. RAMZAN: Well, thank you for having me.

2:09 MARK SCHAEFER: He’s a man of few words.

2:12 DR. RAMZAN: Always a pleasure.

2:12 DOUGLAS Karr: We should probably add that he was on the good side of all of those things, right Mark?

2:16 MARK SCHAEFER: Yes, absolutely.

2:17 DOUGLAS Karr: [LAUGHING] Not on the evil side.

2:21 DR. RAMZAN: Absolutely.

2:22 DOUGLAS Karr: Dr. Ramzan, when I read your profile, I saw that you enjoy both poker and chess. So I figured the first question, we would keep this lighthearted. But I couldn’t help but wonder whether that really has an impact on your career choice and your direction at RSA. Isn’t cybersecurity very much like a poker game?

2:41 DR. RAMZAN: Yeah. There are many similarities and overlaps between cybersecurity and poker. I think the biggest one is that thinking around risk and understanding when you make good decisions around risk. So in poker, ultimately when you’re playing a hand, it’s really about making sure you make the right decision at the time given the information you have, which is often not complete. You’re typically dealing with partial information scenarios.

3:04 And your goal is to decide how much you want to invest in a particular hand, relative to what you think you can get back in return for that investment. And that’s really what security is ultimately about. You’re typically dealing with partial information scenarios. You’re trying to make the right decisions and the right investments. But you’re also up against a sentient adversary, a threat actor who’s trying to modify their behaviors constantly to trip you up and to trick you.

3:27 And in poker, it’s very similar. If you try to play poker and took the same strategy, played the same predictable way, you would get killed. You would have all your money taken away from you within about 15 minutes of the game. And the same thing is true in cybersecurity. If you try to use the same approaches to deal with today’s threats, you would just be in a world of hurt tomorrow because the threat landscape is constantly evolving. And we have to be able to keep on top of that.

3:50 MARK SCHAEFER: I recently had lunch with a cybersecurity professional. And he was lamenting that he felt like he was fighting a losing battle. He said, there are eight bad guys for every one of us trying to do good things on the internet.

4:06 And I got to attend Dell World each of the last three or four years. And every session I went to, the last question seemed to be something about well, what are the implications of cybersecurity, especially now in the age of the internet of things, artificial intelligence? Devices are getting smarter. We’re creating all these new entry points for hackers. We’re creating potentially more and more opportunities for the bad guys. Can you give us some hope?

4:4 0DOUGLAS Karr: [LAUGHING]

4:42 DR. RAMZAN: [CHUCKLING] Well, yeah. I think the way to think about it is that certainly at times in this field, given what you’re up against, given how motivated some of these bad guys are– and bad girls as well, I’m sure it’s both– who are trying to go after some of your most precious data, trying to wreak havoc of all sorts. It’s very easy to get down, in terms of the uphill battle we constantly face.

5:01 But I think on the flip side, I mean, one of the saving graces in all of this is that at the end of the day, the one advantage we have over threat actors is that we understand our environment better. We typically know what’s really important in our environment. And there’s a lot we can do if we can really exploit that information intelligently.

5:17 We, for example, know what our most critical infrastructure is, what are our most critical servers are, where our most critical data is. We can make a better effort to protect our resources in more intelligent ways. It’s not like the bad guys get in on day one, and by day two they’re already in your most critical assets. It can take weeks, maybe even months for threat actors to find their way around your environment. The one advantage we have is we know our environment better than they do, in theory.

5:43 And so I think the key for us as an industry is to really keep on that trend to make sure we have information superiority, in terms of knowing where our most critical assets are. And obviously the problems, they get much more confusing as we look at things like IOT. We’re seeing microservices take off. The notion of what an asset is is becoming much more ephemeral, much more short lived. And being able to navigate in an increasingly complex world is going to be tricky, but I don’t think we have lost our ability to do so successfully. I think if we take the right approach and we think about the problem in a systematic fashion, and think about it sanely and safely, we can do a lot in terms of what we already have today.

6:24 MARK SCHAEFER: You said something interesting there. Could you tell a little bit more about– you said assets today are not so long lasting, they’re ephemeral. What do you mean by that? That’s interesting.

6:35 DR. RAMZAN: Well, you think about it. A number of years ago, if you talked about an asset, that might be a physical server inside of a data center. It would be something that you could maybe put your hands on. It was very tangible in nature.

6:47 Nowadays an asset could be a single container instance that runs for a few minutes, or maybe even a few seconds, and is gone afterwards.

6:55 DOUGLAS Karr: Wow.

6:55 DR. RAMZAN: So what we’re actually talking about today is not this well-known, well-defined concept of a physical asset. We have many virtual assets that are just up and running, they do their job, and they go away. If you think about something like IOT, we have all of these devices that are coming onto our network, many of which are going to be traded out, are only going to be on the network for a short amount of time.

7:15 And so the approach of trying to think about our assets in a very manual or very traditional fashion is no longer going to scale in a world where there are just so many assets that are just coming and going as they please. So we have to take new approaches, maybe predicated on interesting concepts or on AI or machine learning, to be able to understand what our most critical assets are. And using that understanding, we can then think about what it is we need to do to protect those assets in an intelligent way.

7:41 DOUGLAS Karr: In your speeches, you consistently reference the business-driven approach to security. What do you believe is the balance of business processes versus technology that a company needs to implement to mitigate the risks associated?

7:58 DR. RAMZAN: Yeah. When you think about it for a moment– and technology in general has always been, or should always be, driven by the needs of the business. We typically have a business problem we’re trying to solve, and we might use technology to help solve that business problem. Now, that might be something that’s maybe paradoxical for someone like me to say. I’m a technologist at heart and it’s strange for me to be able to talk about the idea that business is actually the driver, but it always has been.

8:19 If you think about just technology in general, when people want it to be more agile, they may move technology and start using applications– the cloud, for example. When people want to be able to have people work from anywhere, you may want to have more mobile devices in your environment. So generally speaking, technology has been invented to solve a business problem.

8:36 The same thing has to apply to security. When you think about it for a moment, you have to start off with understanding what your most critical assets are. What am I really trying to protect? Who am I trying to protect it against? And once you understand what you’re trying to protect and what matters most, that in turn should drive your security strategy and dictate what technologies you might need to implement that security strategy.

8:56 What I think happens today in many cases, quite frankly, is people do it backwards. They’re almost trying to have the technology drive the overall strategy as opposed to the other way around. It’s almost like trying to let the terrain dictate the map versus having the map dictate the terrain. The reality is if I look at a map, if I don’t see something– if I’m looking at a map and the map tells me there should be a mountain ahead of me, and I look straight ahead, I don’t see a mountain, I’m not going to pretend there’s a mountain there because the map says there’s one there. What I’ve got to do is look at the terrain ahead of me and then have that determine what my strategy map ought to look like.

9:29 MARK SCHAEFER: That’s so interesting. So let’s talk about the strategy a little bit and executing on this strategy. There’s a lot of discussion about where the focus of that strategy should be. Should it be on investing in technological solutions or better trained human resources? How do we crack the code on this? Where should a customer invest, in the tech or human resources and training?

10:01 DR. RAMZAN: Yeah. I’ve heard a lot of security professionals talk about the idea that humans have a flawed operating system. At the end of the day, when you look at most attacks of significance, they typically boil down to at some point finding the human vulnerability, being able to trick an individual person into making a security decision that goes against their better interests. But I think that’s a bit of a flawed way of thinking about security. The reality is that even if we were to spend all of our money on education of individual end users and trying to get them trained and so on and so forth, I don’t know if that would actually raise much awareness on the part of typical end users to make correct security decisions, given what they understand about the world around them. I think it’s too much to expect, individual end users to know how to make critical security decisions that are often very complex in nature, often very nuanced, often requiring knowledge that they may not actually possess.

10:50 I think it’s actually much more incumbent on technology vendors to design security solutions that obviate the need for humans to make critical security decisions, that really enable them to do what they need to do to get their jobs done without really creating all these land mines that they have to sidestep. And that to me is the biggest challenge. And I’m not saying we should spend zero on education. I think there’s probably some amount of money you can spend on education that would be very helpful and give you good returns, but I think those returns are diminishing at a rapid pace. And if we don’t account for the fact that those diminishing returns exist, it’s very easy to get swayed into the idea of trying to raise awareness through education.

11:25 So I think on the one hand, it’s a good thing to be able to raise awareness. On the other hand, I don’t know that user education or spending money on those types of initiatives is going to raise awareness as much people think because of the complexity of the environment around them. So I think we have to spend a little money raising awareness. But I think the bulk of the spend should really be on how you get better technology in place to reduce the number of decisions humans have to make around their security.

11:48 MARK SCHAEFER: Well, one human-induced issue these days is regulations. I work as a marketing consultant and a lot of my customers are concerned about the GDPR, the General Data Protection Regulations that are coming out of Europe. So how is this impacting your business, your customers, or their strategies changing? Or is this simply business as usual that you’re already prepared for what’s being thrown at us with these new regulations?

12:25 DR. RAMZAN: I think it depends on the customer. I mean, some of our customers are certainly knee deep into understanding the implications of GDPR, for example, and some of the other compliance regimes that are coming around the corner. For them, it could be a matter of really putting a price tag, a dollar value, on what it means to fail when it comes to security. I think that’s creating a notion where security becomes much more of a business concern rather than a pure technology concern as we talked about earlier.

12:51 Now some of our customers, quite frankly, are ignoring GDPR. Some of them are maybe based only in the US. They don’t believe that their data is going to be touching things outside the US. They don’t believe that EU citizens are going to be impacted, but I think they do. And so they’re taking a bit of a different approach. But the vast majority of our customers, the ones who have business either externally or who have end users who are operating externally, are taking it very seriously.

13:14 Now I think one unique thing about GDPR and some of the more recent attempts at regulation, in contrast to what’s happened in the past, is that they’re much more descriptive rather than prescriptive. If you look historically at regulations, what typically happens– regulations are very much a dirty word in cybersecurity. They were really about– here’s four things you’ve got to do. If you just check these four boxes, you’ll be compliant and you can go about your business. And we all know that’s not the right way to think about security. Security is not a product, it’s a process. It’s not just about being able to check a few boxes off and say you’re done.

13:46 Nowadays when you look at something like GDPR, the wording is intentionally more vague, in terms of how you should achieve your objective. It’s much more about what it wants you to be able to achieve. So it’s more about saying things like, we want you to be able to report a critical breach within 72 hours of when it occurs. We don’t really care what tools you put in place to enable that type of reporting and that type of capability. This is the goal we want you to be able to achieve.

14:13 And so I think as a result, it’s a step in the right direction in terms of moving us away from that checklist mentality, much more towards the mentality of really having compliance be a byproduct of security, or vice versa. So in an ideal world, if you do the right things from a security perspective, you should be able to meet your compliance regulations and vice versa in an ideal world.

14:34 I don’t think we live in an ideal world today. I think a lot of the historical compliance regimes aren’t necessarily coincident with security. But I think we have to get there at some point. And I think we are seeing a convergence between security and compliance. And more broadly, security and risk convergence, where people are thinking about security in terms of their overall risk posture.

14:52 MARK SCHAEFER: So are you suggesting that it might make sense for other regions of the world to adopt these minimum standards like this?

15:00 DR. RAMZAN: Well, I think so. I think we would be better off if people took a more rigorous view of security across the world and if there was more uniformity to how we think of our regulations. One of the challenges of regulations today is it’s often an alphabet soup where you have slightly different requirements written in slightly different ways.

15:17 And it’s a big challenge for large organizations, of which Dell is one, to reconcile all these different regulations and think about how they can move their business forward, in light of the variety of constraints they have to deal with. So to me, I think what it comes down to is being able to understand and have a uniform framework for saying, if I do these types of things or if I think about security in these types of ways, I’ll be compliant across a wide variety of compliance regimes.

15:45 DOUGLAS Karr: One of the things I like that you’re saying here, Doctor, is you’re speaking plain English. [LAUGHING]

15:52 DR. RAMZAN: [LAUGHING]

15:53 DOUGLAS Karr: And we hear, of course– in technology we hear tons of buzzwords. And in cybersecurity specifically, tons of buzzwords. Shiny new vendors, technology, threats, everybody clamoring for attention. How does our audience evaluate the buzz to better understand what we truly need to do to protect ourselves, our families, our customers?

16:17 DR. RAMZAN: That’s really obviously one of the biggest challenges, I think, when I talk to customers of Dell, customers of RSA, that they struggle with all the time. And the reality is that we’re seeing all these new buzzwords enter the IT lexicon. There’s all this venture capital funding of these startups. And so our customers are being inundated with this alphabet soup of vendors and new technologies. And they’ve got to be able to navigate this fairly complex terrain.

16:40 And so what I tell them is, look, there’s four questions you want to ask. The first question you want to ask when it comes to one of these new innovation buzzwords is, is it really innovative? Are we talking about a concept that is really brand new or is it something that’s actually been around for quite a while and has been done in other settings?

16:56 So for example, something like machine learning or AI. Machine learning, AI, have been around for a long time. Machine learning, for example, has been defined probably over half a century ago. And so the idea of calling it something brand new would be a misnomer. So that’s the first thing to ask yourself, is it really innovative?

17:13 The second thing to really ask yourself is does this technology distinctly solve a problem? Is there some unique problem it is solving that cannot be solved by some other more basic mechanism? And here, for example, I’ll point out the concept of blockchain. Obviously blockchain, bitcoin, these have been terms that are getting an enormous amount of attention in the media. And I feel like everywhere I turn, someone in the Starbucks is talking about buying bitcoin or what blockchain means.

17:40 But one of the questions you have to ask yourself is, look, if you’re trying to apply blockchain to a particular problem, are you really just trying to take a hammer and trying to look for a nail? Or is there some other more basic way to solve that problem? And I’ll give you one example.

17:53 I was cold called by a vendor in the IT space, a blockchain vendor, if you will. And they were trying to tell me about how they were using blockchain to solve some particular problem. And I dug in for more details. And one of things it turns out they were doing is that they were using blockchain to solve a problem in which it was in a very close, very centralized setting, settings that are not really ideally suited to what blockchain was designed to do.

18:17 And I said, well, maybe it’s a basic question, but can’t you solve that same problem using a database? Why do you need a blockchain? And they had no answer for that. And I wasn’t trying to play trip the vendor up, I was genuinely curious about what they were trying to do. And it was a scary thought that here we were talking about these crazy concepts, and there was no reason to use some heavy duty sledgehammer to crack open what was really just an egg that had been around for a long time.

18:44 So the second question is really, does it solve a distinct problem? The third question I think you have to ask yourself is, to what extent, or what else do you need? How does overall thing fit into an end-to-end solution? The reality is that a shiny new technology may be good at solving one particular aspect of a problem, but it’s rarely going to be a complete, comprehensive, end-to-end solution in and of itself. You’ve got to understand what pieces are missing and whether you could actually fill those pieces or fit those pieces into your framework in more intelligent ways.

19:12 Then the final question to ask yourself are what are the key assumptions that are required for making this technology successful? So I’ll give you, for example, machine learning as an example. Machine learning requires having good data. So you could have the best machine learning algorithm in the world, but if you don’t have a process for finding good data as part of using that algorithm, it’s going to be garbage in, garbage out. You can’t make good wine from bad grapes.

19:35 So if you look at these four concepts, the idea is, is it innovative? Does it a distinct problem? Is it part of an end-to-end solution and how does it fit into an end-to-end solution? And then finally, what are the key assumptions needed to make it successful? Those key four words– innovative, distinctive, end-to-end, and assumption– form the word IDEA. And so I think that if you want to have a good sense of what it is you need to do, embrace innovation in your environment, you should use the IDEA framework to ask yourself some of the right questions and really think about what it means for that innovation to work well for your particular problem domain.

20:09 MARK SCHAEFER: That’s awesome– your acronym for that was IDEA. See, I wrote a book. My acronym in the book was BADASS. I’m clearly not as classy as you. I’m not kidding either. So we’re going to have to start winding it down, unfortunately. This has been so incredibly interesting and I’ve just learned so much from you.

20:34 But I’d like to switch it up a little bit. What’s it like to work in cybersecurity? If we’ve got some people out there saying, oh man, this sounds so fascinating, I’d like to explore a career in this area. Is it really stressful? Has it changed you as a person? What advice would you give to somebody who’s interested in a career in cybersecurity?

21:01 DR. RAMZAN: I think this is an amazing field. And I think the stakes are only going to get higher and higher. I think we can use all the help we can get to address one of the biggest problems that’s facing our society. As our overall reliance on technology gets bigger and bigger, we’ve got to be able to use that technology with confidence and able to do what we need to do with that technology. And we can’t do that without a fundamental underpinning of safety, of security, of really trust in the infrastructure we’re relying upon.

21:27 So I think number one, I would say this is an incredibly important field. Number two, I think it’s a field in which there’s never a dull moment. You always have to be learning. You’ve got to be adapting constantly because the bad guys and the bad girls are adapting all the time to figure out what it is they want to do. So we’ve got to be able to meet that adaptive personality with our own level of adaptation. We’ve got to be able to innovate on our end as well.

21:49 In terms of whether I think it’s stressful, I think the reality is that when you look at most people who are in cybersecurity, everything we do I think is very mission driven. And people who are in this field are in it because they truly believe and truly love what they do. And they want to be able to make the world a better place. And I think when you are in an environment where your colleagues and the people you work with are similarly mission driven, I can’t think of a better environment to be in than that.

22:12 So I think from those three reasons– the fact that it’s critical problem, you have mission-driven people, and it’s an area where things are changing constantly. There’s so much room for innovation and new thinking. I would be hesitant to tell anybody, I think– to me, this is the field to be in right now.

22:30 MARK SCHAEFER: Great answer. Love that.

22:34 DOUGLAS Karr: To follow up on that, we’ve learned a ton in this short podcast. I’m curious what you think of the odds. Are they ultimately stacked against us or are you optimistic about the long-term destiny of cybersecurity?

22:47 DR. RAMZAN: I’m pretty optimistic in general. Maybe that’s because I’m an optimistic person overall. But I feel that at the end of the day, even though we do have these challenges, I think we have to understand the nature of what problem we’re trying to solve. I don’t think we’re going to get rid of cybercrime, just like we’re not going to get rid of crime in general. But I think we can do a lot in terms of making the streets much safer. And in this case, I mean the cyber streets or the virtual streets.

23:08 Because the reality is that people today, even though there are risks out there in their environment, are able to navigate those risks successfully everyday. We get in our cars, we go to work, we go to restaurants, we spend time with our friends and our family despite the fact there are many risks around us. I think we can get to a similar state when it comes to the cyber world, where even though there are risks around us, we can navigate that world with confidence, we can understand what it is we need to look for, and we can put the right safeguards in place to be able to navigate that road successfully.

23:39 That’s not to be confused with the fact that we solve this problem by any stretch of the imagination. We have so much more work to do on our end. But I think that’s what makes this field exciting. And to me, I believe that we are going to be able to continue to hold our own against threat actors out there. And I think we’ll be able to do a lot. So I’m very optimistic about what the future has to bring, but even though, that optimism should not cause anyone to rest on their laurels. We’ve got a lot of work to do to get us to a state where we can have confidence in a connected world.

24:05 MARK SCHAEFER: Wow. This has been such an honor hosting you. And I just want to thank you for really your very balanced and eloquent and insightful view of cybersecurity today. And also thanks for being such a good sport.

24:19 [LAUGHTER]

24:21 DR. RAMZAN: It was a pleasure.

24:23 MARK SCHAEFER: No, the pleasure’s been ours. This has absolutely been a delight and so interesting. And I want to thank all of you for listening. We never take that for granted. We appreciate every single one of you. It’s such a gift that you’re spending your time with us. So thank you so very much. We hope you’ll consider subscribing to Luminaries on iTunes or the distribution service of your choice. Maybe leave us a review, we’d love to hear from you. And until next time, this is Mark Schaefer and Douglas Karr signing off for Luminaries, where we talk to the brightest minds in tech.

25:06 WOMAN: Luminaries, talking to the brightest minds in tech, a podcast series from Dell Technologies.

25:12 [MUSIC PLAYING]