
September 24, 2025 53 mins

In cybersecurity, identity has become the primary attack vector. We explore identity in CXOTalk 892 with the CEO of RSA Security, Rohit Ghai, who explains how stolen credentials, social engineering, and AI-enabled impersonation break defenses, and what boards, CISOs, and executives must do now.

What you’ll learn:

-- Why credential theft remains the #1 initial access vector and what “phishing resistant” MFA actually requires

-- How attackers bypass MFA via help desk social engineering and voice impersonation, and how to stop it

-- Managing identity across the joiner–mover–leaver lifecycle to close high-risk gaps

-- The “assume breach” mindset: zero trust, least privilege, and blast radius reduction

-- The CISO’s evolving mandate: business vs. technology, board communication, and risk quantification

-- AI in cyber: sword, shield, and attack surface, and the changing economics of attack vs. defense

-- Ransomware beyond backups: data theft, response playbooks, and legal/PR readiness

Who should watch:

Board members, CEOs, CISOs, CIOs, and security leaders who seek clear actions to improve resilience without slowing the business.

🔷 Show notes and resources: https://www.cxotalk.com/episode/rsa-security-ceo-ai-identity-board-level-cybersecurity


00:00 🔐 Understanding Identity in Cybersecurity

03:51 ⚠️ How Identity is Breached

10:46 🛡️ Improving Identity Security

13:03 🔒 Social Engineering and MFA Vulnerabilities

16:02 🛡️ Protecting Personal Information and Identity

19:43 👩‍💼 The Evolving Role of CISOs in Cybersecurity

26:38 🔒 The Role of Regulation in Improving Data Privacy and Cybersecurity

28:51 🌐 Reframing Cybersecurity as Cyber Resilience

35:11 🛡️ Practical Recommendations for Combating Phishing and Social Engineering

38:00 🤖 The Role of AI in Cybersecurity

41:59 💰 Economics of AI in Cybersecurity

44:25 🏢 Board-Level Cybersecurity Strategy

49:08 🛡️ Understanding Ransomware and Response Framework

50:56 🔒 RSA Security's Focus Areas for Cybersecurity

52:47 📢 Closing Remarks and Call to Action


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Identity is foundational for private and secure computing, but it's filled with challenges. Today on CXO Talk number 892, we explore AI, identity, and board-level cybersecurity with the CEO of RSA Security, Rohit Ghai. I'm your host, Michael Krigsman.

(00:24):
So let's get into it. We are an identity security platform company. We serve the world's most security-sensitive organizations. We provide solutions in the area of identity and access management and identity governance and administration, balancing trust and business agility. That's what we do, Michael.
When we talk about identity, tell us what that actually

(00:49):
means. Identity: think of it as a digital representation of a person, a device or a system. So the actors on the network could be any of those, and a digital representation of that is needed to control the who, the what, the when

(01:10):
and the why questions around identity. So the who, or what it is, is: look, can I prove deterministically that it is indeed Michael that is trying to access this IT resource? So establishing that trust in terms of who you are

(01:31):
is what is referred to as authentication, right? Are you who you're claiming to be? And we have had several solutions over the years. Passwords was the most basic one. And we have a bunch of other technology now that is at play to provide this layer of authentication. The next piece is around authorization, which is the what: what can you access?

(01:52):
What systems, applications, data are you allowed to access? What rights do you have? What credentials do you have? What privileges do you have? And then finally, the idea of managing the why, like why should Michael have access to these resources? Because he has a certain role in the organization, he has a certain job responsibility,

(02:14):
so that's sort of the who, the what and the why. And touching on the when a little bit, what has happened over the years, Michael, is that the typical pattern of the cyber threat actor is that they find a way to get in. We have to resign ourselves to

(02:35):
the fact that we cannot keep them outside. They're going to find a way to get in. So our job really is twofold, which is to make sure, even despite the fact that they get in, that they can't move laterally inside the network. So we have to have this idea of continuous trust: even when they're inside the door, inside the gate, we still have to monitor the behaviour of the

(02:59):
actor to make sure the right things are happening and everything is legit over time and no nefarious activity takes place. So that's really the overlay on top of the who, the what and the why, right? That traditionally has been the problem of identity. That's what we do in the

(03:21):
area of identity. It's all about the digital representation, ensuring these questions and making sure the right things are happening. And by the way, I might remind everybody that most cyber incidents happen on the back of credential compromise. So identity, the line I like to use is, identity is the most

(03:42):
attacked part of the attack surface. That's how the bad guys are getting in. So it's super critical in today's world to improve your cyber posture. What does that mean? That identity is this core piece. That's how people are getting in. There's this report, Michael, in the industry that all the cyber professionals pay attention to, which is the

(04:03):
Verizon Data Breach Investigations Report. And year after year it does a great job of reporting on what is called the initial access vector: what techniques did the threat actor use to get in? And I'll cite the latest one.

(04:25):
And this has been true for the last decade: that credential compromise, meaning stolen credentials, either your password got guessed or stolen, or your multi-factor authentication got compromised, or somebody impersonated your biometric, maybe your voice, etcetera, to basically get in through the

(04:47):
door pretending to be you, right, a legitimate actor in the network. So this idea that identity is the new security perimeter and the initial access vector, it's the number one initial access vector for the Data Breach Investigations Report. The other thing I want to say is that this doesn't just mean technical

(05:10):
means; it doesn't mean the threat actor is using very sophisticated engineering or technology to break in. They're often using social engineering attacks to manipulate the human that they're trying to impersonate or exploit to get in. So it's been consistent for the

(05:32):
last decade that this is the number one initial access vector. So it's the obvious thing staring at us in terms of what we ought to do to improve our security posture, which is to improve our identity security posture.
Kathleen Mitchell on LinkedIn asks this question, which is fundamental, simple and basic.

(05:58):
And I think it's a little more complicated, which is: how is identity breached in the first place?
If you think about how we are manifesting identity, how are we trying to manifest identity? It's through a credential, which is, in the past and even now, painfully so, a

(06:18):
password. It's based on what you know, right? So the way you log into a computer or the way you log into your bank account or any IT resource or control resource, let's call it, you have to share something that only you're supposed to know: a password or a passphrase.

(06:41):
That's one type of credential. A lot of compromise actually happens just by the password getting compromised. And the way that is happening is either through a brute force attack, where the threat actors are basically just running through a dictionary attack, what is called brute force, just applying a lot of different

(07:03):
passwords to guess what the password might be. But increasingly what they're doing is using sophisticated AI technology to scour your digital universe to figure out your dog's name, your children's names, your address, your date of birth, etcetera, from your digital shadow on the Internet, and then make a very educated guess in terms of what that

(07:25):
credential might have been. So password compromise is one of the ways that identity compromise might occur. But that's not all, right? There are other credentials that we offer, like multi-factor authentication, which is, hey, it's not just what you know, but maybe what you have or who you

(07:46):
are, in terms of a biometric authentication, right. So let's talk about what you have. A lot of times, and RSA has been in this business of offering what is called MFA, multi-factor authentication, where we provide either a physical hardware token or a mobile phone based application. So if Kathleen is trying to log in and if Kathleen is in

(08:10):
possession of her phone, we can send a message to her phone with a one-time password, an alphanumeric password that nobody knows about, right? And then Kathleen can provide that information to log in. But in this pattern, what has happened is a lot of times the bad actors can

(08:30):
execute what is called a man-in-the-middle attack. There's the resource, and then there is Kathleen and a phone. They can intercept the communication between those two whenever there is a vulnerable type of communication. As an example, SMS messages are very insecure. So if the one-time password is being sent over SMS,

(08:52):
they can actually exploit that and steal that over these unprotected channels. They can actually steal your phone credentials to pretend that this is your phone. So there are technologies to compromise the cryptography and

(09:14):
the encryption, or attack the middle communication, the man-in-the-middle attack, to defeat that type of credential. And then finally, the type of identity that is based on biometrics, in terms of who you are. And the perfect example here is a lot of banks even today, painfully, might use your voice to

(09:36):
authenticate you on your bank account. And guess what? Today with the AI technology that is available, an AI can have access to maybe one of the videos you posted on the Internet and can mimic your voice perfectly. So they will, in your voice, talk to your bank and basically fool

(09:59):
them into thinking that it's Kathleen on the other side and thereby defeat their biometric-based identity strategy. So there are multiple techniques that the threat actor is now wielding to defeat and compromise credentials and identity and thereby

(10:21):
get in, in an unexpected way, and cause harm. So that's just an explanation of what might happen there.
Subscribe to the CXO Talk newsletter. Go to cxotalk.com. Check it out. We have tremendous shows that are coming up, really just extraordinary shows.

(10:41):
So subscribe to our newsletter, join in, ask your questions. So Kathleen follows up, and we have a bunch of questions now stacking up, so we're going to have to get to those, but Kathleen follows up: so what do we do if MFA is not enough? So what do we do?
I'm not saying MFA is not enough. MFA is an amazing solution to harden your

(11:05):
attack surface. But the issue is all MFA is not created equal. MFA codes, if they're sent over SMS networks, over mobile networks, are vulnerable. That's not a good, secure type of MFA; it is susceptible to SIM swaps, account takeovers, or phone

(11:29):
hijacking of your phone number, all attacks that are relatively easy to execute and exploit. A phishing-resistant MFA is an MFA solution that has strong cryptographic roots, like an RSA physical token or an RSA soft token.

(11:54):
We call it a mobile-based application. They are not sending these one-time passwords, these ephemeral credentials, if you will, over vulnerable networks. They're sending them over highly secure sessions that are established between the resource and your MFA device

(12:15):
or your MFA token, if you will. So MFA is a highly recommended and highly effective solution, frankly, to defeat many, many credential compromise attacks. So one recommendation: absolutely adopt phishing-resistant MFA that is not relying on mobile-

(12:38):
based OTP, one-time passwords. Having said that, I also want to add, now getting to the fact that even with MFA, the threat actor is super smart. They know that RSA and a bunch of other companies have designed technology that is not vulnerable, and it's strong MFA, phishing-resistant MFA.

(13:02):
Guess what? When you can't beat it, you bypass it. So that's what the threat actor is doing. And how are they doing that? Well, they are doing that by using attacks like the help desk exploit attack. So about three years ago, we had an incident at MGM,

(13:22):
and another casino in Vegas, where the way the threat actor got in is they called the help desk for that organization pretending to be an employee. And they said, I have lost my MFA device and I urgently need to log in to my IT device

(13:47):
because I have a deadline. And this is a project that is very important to our CEO. And therefore I need your help to provision new credentials for me and help me access my device and my IT resources. And thereby they used social engineering via a help desk scenario to bypass MFA.

(14:07):
They actually did have MFA provided to all their employees and all their users, but it was bypassed through social engineering techniques, by fooling the help desk agent into issuing alternate credentials by creating this fake sense of urgency. So this is a very, very common

(14:29):
attack now, and it is even more sophisticated because now it's maybe not a human calling the help desk. It's maybe an AI impersonating the employee's voice, literally. So the help desk can be very easily fooled because it sounds exactly like maybe somebody very important in the organization. It might be the CFO's voice

(14:51):
calling the help desk, and the help desk will recognize the authority and be fearful and therefore sometimes make the wrong decisions. So that's how things get exploited. So my recommendation, back to what can we do: use MFA, strong phishing-resistant MFA, 100% for 100% of your users.

(15:14):
Recommendation number two: do not just obsess about authentication and strong credentials. Think about managing the identity throughout its life cycle, and preventing against these help desk types of attacks by finding other identity security

(15:36):
solutions that protect identities even during these types of credential events, what we call the joiner-mover-leaver process. A new employee joined, an employee called the help desk, they got promoted, they're leaving the organization. We need to pay attention to managing those events in the

(15:57):
life cycle of an identity to assure security in today's digital world.
I want to just tell everybody that you can ask your questions. When else will you have the chance to ask the CEO of RSA Security pretty much whatever you want? So take advantage of it, folks.

(16:18):
So let's jump over to Twitter, to X. Arsalan Khan is a regular listener, and he says this; I think this is related to what you were just speaking about, Rohit. He says: as a consumer, we share our identity information, credentials, multiple times to various IT systems, the library,

(16:41):
grocery stores, banks and so on. We are only as safe as the least safe system. And these are not in our control. So what can we, what should we do?
Any information that is potentially identifying you as an individual, we need to share

(17:02):
it on a need-to-know basis. We have, as individuals, especially as professionals in a workforce setting, perhaps been too lax in terms of sharing our information because, as you said, there is a legit reason many a time for banks or libraries or

(17:24):
others to get access to that information. I think we need to pay attention to what that organization or individual is doing with the information you're providing. Are they storing that in a safe way? So the security, when we share, let's say, our information with the bank,

(17:46):
our mother's maiden name, our date of birth, etcetera, we need to pay attention to the cybersecurity posture of that bank, their data privacy statements that we often glance at very quickly and agree to in the sort of agreements that we sign, etcetera. I think we need to pay attention to: are they doing the right things to keep your information

(18:11):
as private as it needs to be to assure security in today's environment. So A, share on a need-to-know basis; B, pay attention to what the organization that you provided the information to is doing to protect your information and how good of a job they are doing handling that information. So those are two

(18:33):
recommendations, and I have a third, which is: look, if you're an IT professional, do not rely simply on an information-based identity system. This is the whole concept behind multi-factor authentication. Don't rely on one factor.

(18:53):
That's what literally multi-factor means, right? Do not rely on the knowledge-based proofs of who you are, your date of birth, your address, etcetera. Ask for other things, like: are you in possession of the phone that is supposed to be yours? Can we send an ephemeral password or code that you can provide us?

(19:18):
Biometrics, in terms of scanning your Face ID or things like that. So always, as an IT professional, you have to use a multitude of factors to assure identity. Do not rely on just knowledge-based information. Those are three things that we can do to harden our environments despite the need to share information like you

(19:41):
asked. So, great question. Thank you for that.
Let's jump to a question from Preeti Narayan on LinkedIn, who's asking about CISO roles. And she says this: CISO roles are among the most in demand globally. Does this reflect a shift in how

(20:01):
organizations prioritize identity and AI risk at the executive level? And will CISO demand rise further?
What I will say is the stature of the CISO, like you said, is elevated now in today's

(20:23):
world of AI-powered threats. And the reason is cyber risk is now one of the top risks in what is called the risk register for most organizations. Most public companies, but also a lot of private companies, have a practice around

(20:48):
risk management, which is to make sure that the organization can deal with the risks that it faces and has sufficient mitigation for those risks. Cyber risk is now a very, very prominent part of that risk register. And therefore the CISO's stature in terms of advising the board

(21:09):
and the management teams on cyber risk and its implications, as well as the mitigating controls that the CISO is recommending, is one of the most consequential business decisions that a private or a public company today needs to make. So what I would say is there is a huge demand for

(21:35):
the strategic CISOs that can translate the technology of cybersecurity to the business implications of cybersecurity for the board and management teams to act upon. So I think that we are going to find

(21:57):
CISOs finding even more stature in organizations, a larger voice, a more prominent voice. And what I would say is that even at the board level, you'll see a lot of demand for cybersecurity

(22:18):
expertise because not only do you need a strategic CISO, you need a board and a management team that can understand what the CISO is telling them. So you need a level of expertise in order to govern the cyber risk that most organizations face in today's climate.
So should the CISO be a

(22:40):
technologist or a business person?
We're entering the era of CISOs that maybe have a strong business background with enough technology capability to drive teams that might be operational and technology oriented. And therefore, I would frankly

(23:01):
ask for a CISO to be more sort of 51/49, more business than technology in today's climate, because cybersecurity is now squarely a business problem more so than it is a technology problem, right? It's social engineering. It's in the world of AI, right? So thinking about a robust risk management approach to

(23:25):
cyber is consequential to the efficacy of a CISO.
What kind of communication skills does a CISO have, and when do they communicate? And the reason I ask this is not too long ago I approached two CISOs, one each from two of the largest, most well-known brands in the US, independently.

(23:51):
And CISO number one said she wants to do it. And then I started saying, well, it's live and we take questions, and she's like, no, no, no, I can't do that. CISO number two said, in my role... And I've known CISO number two for a long time. In my role, no way. So what's the job of the CISO in terms of communication?

(24:12):
And is it too scary for a CISO to join something like this that's live, that we take questions?
CISOs have a dual role, as does every cybersecurity professional. If you think about cybersecurity as a business area, it's unique. In other business areas, when we talk about competition, you're

(24:34):
often thinking about other vendors that might offer a similar solution that is competing for the love of the customer with you. In cybersecurity, when we say competition, it's the threat actor on the other side. So the CISO has a dual role. One is to defeat the competition

(24:57):
on the other side and make sure your security posture is robust, that you have all the right technology and the processes to make sure your cybersecurity is assured. But in addition, the CISO has another role. The threat actors are collaborating. They're sharing information,

(25:19):
they're sharing malware, they're sharing ransomware tools that they're using. We on the good side need to do the same thing. We need to do a better job of collaborating on the good side. So if one CISO in the financial services industry is noting that a certain type of malware is prevalent or is trying to get access

(25:46):
to their environment, sharing that information with other companies and other peer CISOs and other cyber professionals is highly, highly valuable. So my point is that I think there is a certain level of transparency that the CISO needs to have with peers, and we need to lift all boats, not just protect our respective

(26:07):
organizations, but share our knowledge with peers and peer organizations so we can lift all boats and defeat the threat actor on the other side, because that's who we are really competing with in cyber, not other peer companies.
Arsalan Khan comes back on Twitter and he says our identity

(26:29):
is spread across so many different systems and companies. It's not just one single place. It's the entire ecosystem of, as we were talking earlier, pretty much everybody that we do business with. But most companies are not

(26:49):
transparent in how they deal with consumer data. In fact, consumers have no clue until after a data breach happens, and I'll just add, sometimes a long time after that data breach has happened.
It is getting better, and the reason it's getting better is that the regulator is stepping in, right? The regulator is mandating responsible disclosures: that if you get breached, as a

(27:12):
public company, for example, especially public companies, there is real teeth in some of these regulations in terms of responsible disclosure, that any material breach or cyber incident you must report, right? And thereby protect your consumers and customers before their information gets compromised, perhaps.

(27:34):
So with the regulator stepping in, things are getting better. In addition, it started with GDPR in the EU and then CCPA here in California, and there's more regulation around data privacy as well. So yes, it still remains a challenge more broadly, but it is dramatically better than what it used to be. And again, I go back to the same

(27:56):
recommendation. Let's not solely rely on the privacy, and the successful privacy, of the information we've shared, because despite best conduct on the part of organizations that have that information, the bad guys can still get in. We must reconcile with the reality that the bad guys will

(28:17):
always find a way to get in, because sometimes they're actually insiders, sometimes they're actually inside the company. It's not that somebody bad on the outside is trying to get in. It's just somebody on the inside. It's an insider threat issue. Therefore, do not rely on the privacy of your information as the only mechanism that

(28:38):
you're going to use for cybersecurity. So that's sort of my headline summary on that question.
Sounds kind of hopeless.
Let me swivel then to a more optimistic picture, Michael, and all the audience.

(28:59):
Look, the way to approach this problem is framing our goal properly. OK. And I've often used a medical analogy to talk about the goal: if you think about medicine, you can frame the goal in terms of, we're going to eradicate disease. That could be one goal, or you could say the goal is actually

(29:21):
wellness and health despite the existence of disease. So in cyber, we need to take a similar approach. It's not about making sure that cyber incidents don't happen, because they will. It's about resilience. I think we ought to actually redefine our industry, not as a cybersecurity industry, but as a cyber resilience

(29:41):
industry, because the goal is digital wellness. It's not to make sure the threat actors are kept at bay, but the fact that even if they get in, there is limited risk or damage to the business that they can perpetrate. That's the goal. It's wellness despite the existence of the threat actor. And if you frame the problem

(30:01):
like that, it's not a hopeless situation at all. In fact, it's very tenable. And you approach cybersecurity as a risk problem. And I would love to talk about how CEOs and boards ought to pay attention to cyber as a risk problem, right? It's about reducing risk. It's not about eradicating it,

(30:24):
because that's an untenable goal, right? And that's the hopeful narrative for cyber, that it is absolutely possible and absolutely attainable to have cyber health and digital health despite all these threat actors, especially in a world of AI. I think AI will be a massive, massive force that'll help the

(30:47):
good actors keep up with the threat actor. So I'm actually an optimist as it pertains to the cyber landscape, if you will.
Let's take very quickly, Kathleen Mitchell comes back with another really good question. And then we need to talk about AI and we need to talk about these board issues, both very, very important.

(31:10):
Kathleen says: for smaller and mid-sized businesses, how can leaders move beyond just meeting compliance requirements to make cybersecurity a real competitive advantage, one that they'll prioritize and invest in?
The reality is, traditionally

(31:30):
smaller organizations have struggled to actually make headway with cybersecurity. The reason being they simply don't have the technical expertise or the teams to actually deploy solutions. Having said that, I think there are a couple of trends in the industry that

(31:55):
are really helpful to smaller organizations, which is managed service providers. So you can actually now have solution providers that are providing full end-to-end service in terms of helping smaller organizations that don't have the human capital to manage cyber to do it

(32:16):
on their behalf, and do it treated as a business problem. The second thing is the advent of AI will, I think, hopefully foster the creation of more autonomous cyber solutions where you don't need as many humans with hands on the wheel to drive the cybersecurity truck, if you will, right. So the promise of AI, as I alluded to earlier: we've

(32:41):
always suffered on the good side of the fight with the lack of cyber talent. We don't have even enough good humans to fight the good fight. And the bad guys only need to be right once. We need to be right all the time. With AI, we can now wield these agentic digital workers on our behalf, on our side, to tip the

(33:08):
balance in our favour so that we can do the things that we never could do because we didn't have enough good humans on our side. You can automate that, right? That's a massive, massive tailwind for us in the cybersecurity world that will help especially smaller organizations. And

(33:29):
the other thing is I want to commend some of the organizations here in the US, like CISA, the critical infrastructure security agency. So the government has done a great job of elevating the knowledge, the know-how and the sensitivity to cybersecurity for smaller organizations.

(33:50):
They have recipe books, they have great resources on cisa.gov that smaller organizations can peruse and consume to get smarter on the issues around cybersecurity, as well as tools and techniques and prioritized recommendations on what they can do to protect themselves.

(34:12):
So I think it's an emerging, it's a world that is getting much better in terms of cyber for smaller organizations than it used to be, let's say, five years ago.
For smaller companies, it's tough. CXO Talk, we're a small company, and because of CXO Talk we're attacked all the time.

(34:33):
I mean, I get phishing attacks that are very targeted, and our infrastructure was attacked and I was at a loss, like, what to do? And actually I asked a couple of former CXO Talk guests who were top security experts, and we had a call and they gave me advice and we were able to ultimately sort it out, some AWS

(34:57):
configuration issues and a bunch of other stuff, but it's tough if you're a small company.
It is tough, and I would say this: these social engineering types of attacks are especially tough. Phishing, as you alluded to, Michael, they're relentless attacks and now more sophisticated because they can impersonate your loved ones or people in your

(35:21):
company, etcetera. So I have a couple of
recommendations in terms of, like, what can you do to protect
yourself against phishing attacks, right?
I've got three macro recommendations. Number 1:
phishing-resistant multi-factor authentication deployed for all

(35:47):
users. I think that can help.
So that is a baseline, table stakes.
Recommendation number 2 is we have to realize that these
threat actors try to manipulate you emotionally and create a
sense of urgency. Act now.
You must do this now, otherwise bad things are going to happen.
So anytime you sense any communication that tries to

(36:11):
ignite the sense of urgency, treat it with a lot of
suspicion. That's recommendation number 2.
Recommendation number 3 is to realize that this is the
era of deepfakes and what is called synthetic media.
You might get a video of your son or daughter in harm's way
that looks completely real, asking for help, and you might

(36:34):
kind of act on it. Do not act on media
alone: voice, video, things that might appear very
real with your loved ones or within your company.
Have an out-of-band mechanism to assure identity.

(36:55):
So if you have your children, as an example, or a family, you
might have a family password. If I ever call you asking
for help, if I have a flat tire, if your daughter says, hey,
I have a flat tire, I need 50 bucks to, you know, pay
the towing company, do not send the 50 bucks right
away. Ask your daughter for the family

(37:16):
password. So verify the other person
outside of what might be very realistic voice or
synthetic media that might sound or look exactly like
the individual that you trust.
So do not establish trust based on media, because
it can be compromised in the world of AI.
Have an out-of-band channel to assure.

(37:38):
So those are three quick recommendations on what you can
do to, I guess, avoid getting phished, if you will.
And Michael, I'm sure you're a big target.
I am. I'm famous in my company for
sending text messages asking for gift cards as a CEO.
So they get CEO text messages all the time,
my colleagues in the company, asking for gift cards.

(38:00):
We have an AI question from Elizabeth Shaw on Twitter, and
I'm glad she is jumping in because we need to talk about
AI. And she says AI brings its own
issues. There's AI versus AI, AI run amok.
How should companies consider AI for cybersecurity and place

(38:22):
their trust in it?
So, the role of AI in all of this? There are three dimensions to
AI. One is AI as a sword, right?
It's the attacker's tool.
So the threat actors are going to use AI to attack at
scale, or hyper-personalized, impersonate, bypass
traditional defenses, create malware, because you can do vibe

(38:45):
coding. So even technically inferior
threat actors can now code because AI can code on their
behalf. So it's a sword.
Second thing is it's a shield on the threat actor side, which is
we have not had enough humans to look at all the incidents, all
the threats that are playing out.

(39:06):
We can do that. You know, we'll have digital
workers, software robots that can do that job for us.
We can monitor synthetic media to look for signs of synthetic
media, right? Is this a deepfake, right?
There are technologies that can do that, AI technologies. We
can, you know, monitor patterns for what is normal versus what

(39:27):
is not normal, do predictive risk modelling, do incident
simulation and playbook automation because of AI.
So that's the shield dimension. So sword dimension, shield
dimension, but there is a third dimension, which is what you
were touching on, Elizabeth, which is AI as
a part of the attack surface, right?

(39:49):
The threat actor might actually compromise the AI that you're
using by poisoning AI, or doing, you know,
nefarious prompt engineering, or, you know, by actually ensuring
that, you know, denial-of-service attacks.

(40:09):
So if AI is in a decision loop, let's say it's, you know,
approving, I don't know, loan applications
for a bank, you know, they can actually, you
know, bombard and do a denial-of-service type attack to
confuse the AI, right? And because of that, so AI
can be attacked. And therefore we as cyber

(40:31):
professionals need to do two things.
One is we have to embrace AI as a shield because we know that
the bad guys are using it as a sword.
So we better pick it up. We've got to get more educated and
proficient on using AI. Otherwise we'll be left behind.
We cannot wait, but then also adopt AI responsibly, right?

(40:52):
And don't trust AI blindly.
You have to have AI inside of guardrails,
meaning, you know, any agentic AI you deploy in your environment,
make sure it has the guardrails of human-defined workflows,
a human in the loop. Second is you must have non-

(41:13):
human identity solutions to make sure, just like you're
protecting human identities and making sure the human has the
privilege to act on your digital estate.
Don't allow AI agents to work autonomously without verifying
their identity. So you have to have non-human

(41:36):
identity solutions that assure the identity of these AI agents
that are acting on your behalf. So that's what I would
say in terms of AI, those are kind of the three dimensions
that we must pay attention to. It is not just, you know,
probably a double-edged sword. It's also
the thing that is actually being attacked

(41:57):
by the sword.
Can you talk a little about the
economics of AI? Or how does AI affect the
economics of cyberattacks?
Cybersecurity is an economic
problem. At the end of the day, the cyber
threat actor is economically motivated and constrained, just
like we are on this side. They don't have infinite

(42:20):
budgets, they don't have infinite resources either.
So the economics of AI-based, you know, or cyber in
the era of AI, is that the cost of perpetrating a cyberattack is
going to go remarkably low, right?
So we have to recognize that reality.

(42:42):
In the past, we would say, oh, you know what, it takes a lot of
cost, a lot of expense to actually exploit, you know, zero-day
attacks because it requires a lot of technical expertise, and
hiring technical experts is costly and so forth.

(43:02):
So we could make those assumptions.
Now we cannot do that because, you know, there is AI on the
other side and the cost of launching an attack is a lot
lower. So we cannot use economics or
cost as a deterrent. What we have to do is we have to
be smart about our crown jewels. What the threat actor

(43:25):
doesn't know is, once they get in, they're trying to get to the
crown jewels. We know where our crown jewels
are. They don't.
So don't have a peanut butter
cybersecurity strategy of protecting everything.
Have a differentiated strategy where you have a robust
enterprise risk management framework where you have: what

(43:47):
is the likelihood of cyber threats happening?
What is the impact of those cyber threats?
I would have this kind of matrix, and the cyber threats that have
a high likelihood of happening and have a high impact are the
ones you look to mitigate and address, right?
And have this differentiated, economical strategy of not

(44:10):
spending your money, if you will, to cover all bases, but to
cover the right bases and spend smartly.
Because the economics as a deterrent strategy no longer
holds true in the AI era.
Let's talk about board issues.
What is the role of a board versus the executive management

(44:34):
when it comes to dealing with these cybersecurity issues?
Let me frame it at a high level first.
I think the board sets the what and the why, which is: what is
the acceptable level of risk, what are the strategic
priorities, and how much are we going to fund to mitigate those
risks? The management team is on the how:

(44:59):
the tools, the processes and the execution to actually achieve
those outcomes. So board, the what and the why;
management, the how. And the way this needs to play out
is, you know, I'm on the risk committee of a few
public boards and I've held those roles.

(45:20):
I've kind of advised them on cybersecurity as a part of
that enterprise risk register. Like I said, the ERM strategy
for an organization is you take your risks and you place them on
this matrix of likelihood and the magnitude of impact.
You start with what is called inherent risk, which is: if you

(45:41):
do nothing, what is the level of risk, and you create this matrix.
Then you say, I am going to apply some controls.
I'm going to adopt MFA for everybody.
I'm going to do patch management and I'm going to use, you know,
a zero trust micro-segmentation tool that will protect my

(46:04):
users from threat actors. Those are mitigating controls.
And then what you're left with is what is called residual risk,
right? So inherent risk, apply
mitigating controls, remaining risk is residual risk.
And then the board has to make a call on what is that acceptable
level of risk? What's your risk appetite?
What's your risk tolerance? If you're a

(46:26):
software vendor that provides a SaaS solution, how much downtime
can you accept? Right.
And maybe the downtime that you can accept is 4 hours, in which
case you're spending, you know, instead of making sure you're
available all the time, what you want to make sure is that if you
do get compromised, you can bring things back up in 4 hours.
The idea of resilience. So it's this fine balance

(46:49):
between managing risk, deciding what to avoid, what to reduce.
Sometimes you transfer risk by buying cyber insurance. And what
risk are you going to accept? That's a board-level topic,
right? That's what the risk committee
of a board needs to think about, needs to plan, fully execute on

(47:11):
and then kind of task the management team to say this
is what we want in terms of, you know, the mitigating controls
and this is the acceptable level of risk.
You now go forth and execute on deploying the tools and the
processes to make sure we remain within that kind of realm of

(47:32):
risk that is acceptable to us as a company.
That's kind of the division of labour, if you will, between the
board and the management that you were touching on, Michael.
You just described a very sensible and general risk
management framework that's applicable, of course, in many
kinds of circumstances. However, when it comes to

(47:53):
cybersecurity, there's also this technology element.
And so how can board members make the intelligent decisions
about that residual risk when they don't necessarily
understand the underlying technology that's driving the
whole thing?
I don't think the board needs to
be steeped in the technology of cyber.
They need to be steeped in the risk of cyber.

(48:16):
They need to understand that a ransomware attack, you know,
what's a typical ransomware attack, and, you know,
for my ilk of company, my size of company,
if something like that
were to happen in our environment, do we have the
playbooks to kind of restore our services, and what's the
type of ransom demand we might hear, etcetera.

(48:38):
So they have to think about the business aspect of cyber, not
the technical aspect of cyber. But they do need to be aware of
the types of technical threats that exist.
But they don't need to worry about the how.
In one minute, can you briefly describe the life cycle of a
ransomware attack? I point it out because the
consequences can be so dire, companies have gone out of

(49:00):
business because of this.
Ransomware is a very nefarious
type of attack because it's changed the game on us, right?
In the past, the bad guys would get in, they would steal
stuff and take it out. Data, you know, information,
things of that nature. In this case, what they do is
they get in, they disrupt your environment and pause it.
You know, they might encrypt your data.

(49:21):
They don't steal it. It's still there, but it's now
encrypted, so you can't access it. Or they might, you know, kind
of disrupt your operations, as in you can't run your trains
because they have kind of, you know,
locked the go button for the train, and then
demand ransom. So the life cycle,

(49:43):
what you need to think about from a ransomware thing is
what can you do before, during and after a ransomware attack?
A board needs to think about that framework.
And there are things you can do in terms of the before, which
is, you know, the policy, the, you know,

(50:03):
the business continuity plan that shows even if they get in
and if they, let's say, encrypt the data, how quickly can it be
restored from a backup copy? Is everything protected?
So before: investing in identity, backup, segmentation, response
planning. During: you have to focus on containing fast,
communicating clearly, restoring quickly.

(50:26):
And then after a ransomware attack, you learn, adapt,
harden. That's sort of the framework
that you should be thinking about if you do happen to, you
know, face a ransomware situation. But do not pay ransom
right off the bat, because it only encourages the bad guys to
do more. Think about, you know, unless
your hands are tied and, you know, the

(50:47):
damage is so consequential that you
have to, that should be a matter of last resort.
Where's RSA Security investing over the next 12 to 18 months?
We are focused on what we call the three Ps of cyber in FY
2025. We think that that's the most

(51:09):
important things to focus on for organizations.
The three Ps of identity security: passwordless, posture
management and platformization. Passwords:
we've talked about the cost, complexity and the vulnerability
aspect of passwords. Passwords need to die.
You need to adopt a passwordless world, and all

(51:31):
passwordless solutions aren't created equal.
So, you know, embrace enterprise-ready passwordless solutions
because passwords are not, you know, the right tool for an
AI-powered cyber threat landscape. Number 2: posture management.
Like I said, that's how the bad guys are getting in.
So the best way to improve your security posture is to improve

(51:54):
your identity security posture. Do the users have more
entitlements than they need? Do you have orphaned accounts?
People have left the company,
but their accounts are still there.
So cleaning up the digital debris and the sort of, you
know, tightening up your identity posture using AI is

(52:14):
investment area number 2. And platformization.
The bad guys are exploiting the gaps between our tools.
A best-of-breed strategy in identity isn't working anymore.
You need solutions that have shared context that can defeat,
you know, these modern attacks that the, you

(52:34):
know, the bad guys are throwing at us.
So those are the three areas of focus for RSA, and that's how
we believe we can make a difference in terms of keeping
the most secure companies around the world secure.
OK. Rohit Ghai, CEO of RSA Security,
thank you so much for taking your time to be with us.

(52:55):
This was great. Thank you, Michael.
Everybody, thank you for watching.
Before you go, subscribe to the CXO Talk newsletter. Go to
cxotalk.com, check it out.
We have tremendous shows that are coming up, really just
extraordinary shows. So subscribe to our newsletter,

(53:15):
join in, ask your questions, and we'll see you again next time.
Take care, everybody.