RSA Security CEO: AI, Identity & Board-Level Cybersecurity
RSA Security CEO Rohit Ghai reveals why identity is cybersecurity's weakest link and how AI transforms both attacks and defense on CXOTalk episode 892. Learn practical strategies for cyber resilience, MFA implementation, and board-level security governance.
In this exclusive conversation, RSA Security CEO Rohit Ghai explains why identity has become the most frequent target of cyberattacks and why traditional defenses, such as multi-factor authentication, are insufficient. He describes how attackers exploit social engineering, why both humans and machines need trusted digital identities, and what he calls the “looming identity crisis.”
Ghai also examines the role of artificial intelligence in reshaping the economics of cybersecurity, giving both attackers and defenders new capabilities. He shares practical steps for boards and executives to strengthen resilience, manage identity as a strategic business issue, and prepare for the risks AI introduces into security.
Topics include:
- Identity as the primary attack surface
- Weaknesses in multi-factor authentication
- Social engineering threats targeting employees and help desks
- The growing challenge of securing machine identities
- How AI changes the balance between attackers and defenders
- Board and executive responsibilities for cyber risk
Key Takeaways
Cyber Resilience Replaces Traditional Security Thinking
Organizations must abandon the outdated notion of keeping attackers out and instead adopt an "assume breach" mindset that focuses on resilience.
This approach designs systems knowing attackers will get in, then minimizes blast radius through zero-trust architecture, least-privilege access, and separated duties. Like an immune system responding to infection, organizations need automated playbooks and continuous monitoring to detect and respond quickly when incidents occur.
The shift from preventing all attacks to surviving and thriving despite them represents a fundamental change in security philosophy. This realistic approach enables better sleep at night, knowing your organization has multiple layers of defense and recovery mechanisms.
Identity Represents Your Greatest Vulnerability and Opportunity
Credential compromise has remained the number one initial access vector in cyber incidents for over a decade, making identity security your most critical investment area.
Attackers bypass even sophisticated MFA systems through help desk exploits and social engineering, manipulating employees during critical identity lifecycle events like onboarding or password resets. Organizations must implement phishing-resistant MFA for 100% of users while managing identities throughout their complete lifecycle, not just at authentication.
The solution requires both technical controls and human awareness training, as attackers increasingly use AI to impersonate voices and create fake urgency scenarios. Success depends on treating identity security as a continuous process rather than a one-time authentication event.
AI Transforms Cybersecurity Into a Three-Dimensional Challenge
Artificial intelligence operates simultaneously as an attacker's weapon, a defender's shield, and a new attack surface requiring protection.
Threat actors leverage AI to code malware, automate attacks at scale, and create sophisticated impersonation attempts, while defenders use AI for anomaly detection, incident automation, and predictive risk modeling.
Organizations must also protect their AI systems from poisoning, prompt manipulation, and denial-of-service attacks. The economic equation shifts as both sides use AI to either raise attack costs or lower defense costs, creating an arms race where early AI adoption determines competitive advantage. Companies need to embrace AI as a defensive tool while implementing guardrails and human oversight to ensure responsible deployment.
Episode Participants
Rohit Ghai is Chief Executive Officer of RSA Security, a global leader in identity and access management solutions serving over 9,000 organizations and managing 60 million identities across cloud, hybrid, and on-premises environments. He guides the company’s vision and strategy, driving innovation and global growth while helping security-first organizations navigate digital risk and safeguard their most critical assets.
Michael Krigsman is a globally recognized analyst, strategic advisor, and industry commentator known for his deep expertise in business transformation, innovation, and leadership. He has presented at industry events worldwide and written extensively on the reasons for IT failures. His work has been referenced in the media over 1,000 times and in more than 50 books and journal articles; his commentary on technology trends and business strategy reaches a global audience.
In This Episode
Understanding Identity in Cybersecurity
Michael Krigsman: Identity is foundational for private and secure computing, but it's filled with challenges. Today, on CXOTalk number 892, we explore AI, identity, and board-level cybersecurity with the CEO of RSA Security, Rohit Ghai. I'm your host, Michael Krigsman, so let's get into it.
Rohit Ghai: We are an identity security platform company. We serve the world's most security-sensitive organizations. We provide solutions in the area of identity and access management, and identity governance and administration, balancing trust and business agility. That's what we do, Michael.
Michael Krigsman: When we talk about identity, tell us what that actually means.
Rohit Ghai: Identity, think of it as a digital representation of a person, a device, or a system. The actors on the network could be any of those, and a digital representation of that is needed to control the who, the what, the when, and the why questions around identity. So the who or what it is: can I prove deterministically that it is indeed Michael that is trying to access this IT resource? So establishing that trust in terms of who you are is what is referred to as authentication.
Are you who you're claiming to be? And we have several solutions over the years. Passwords were the most basic one, and we have a bunch of other technology now that is at play to provide this layer of authentication.
The next piece is around authorization, which is the "what." And what can you access? What systems, applications, data are you allowed to access? What rights do you have? What credentials do you have?
What privileges do you have? And then finally, the idea of managing the why. Like, why should Michael have access to these resources? Because he has a certain role in the organization.
He has a certain job responsibility, so that's the who, the what, and the why.
And, touching on the "when" a little bit, what has happened over the years, Michael, is that the typical pattern of the cyber threat actor is that they find a way to get in. We have to resign ourselves to the fact that we cannot keep them outside. They're going to find a way to get in. So our job really is twofold: to make sure, even when they get in, that they can't move laterally inside the network.
We have to have this idea of continuous trust. Even when they're inside the door, inside the gate, we still have to monitor the behavior of the actor to make sure the right things are happening and everything is legit over time and no nefarious activity takes place.
So that's really the overlay on top of the who, the what, and the why that traditionally has been the problem of identity. So that's what we do in the area of identity. It's all about the digital representation, ensuring these questions and making sure the right things are happening.
And by the way, I might remind everybody that most cyber incidents happen on the back of credential compromise. So identity — the line I like to use is, "Identity is the most attacked part of the attack surface." That's how the bad guys are getting in. So it's super critical in today's world to improve your cyber posture.
How Identity is Breached
Michael Krigsman: What does that mean, that identity is foundational, that's how people are getting in?
Rohit Ghai: There's this report, Michael, that all cyber professionals pay attention to: the Verizon Data Breach Investigations Report. Year after year, it does a great job of reporting on what is called the initial access vector — what techniques the threat actor used to get in. I'll cite the latest one (and this has been true for the last decade): credential compromise — meaning stolen credentials — is the number one initial access vector in the Data Breach Investigations Report.
The other thing I want to say is that this doesn't just mean technical exploits. It doesn't mean the threat actor is using very sophisticated engineering or technology to break in. They're often using social engineering to manipulate the human they're trying to impersonate or exploit in order to get in. For the last decade, it's been consistent that this is the number one initial access vector.
It's an obvious thing staring at us, in terms of what we ought to do to improve our security posture, which is to improve our identity security posture.
Michael Krigsman: Kathleen Mitchell on LinkedIn asks this question, which is fundamental, simple, and basic — and I think is a little more complicated — which is: How is identity breached in the first place?
Rohit Ghai: If you think about how we are manifesting identity, how are we trying to manifest identity, it's through a credential which is, you know, in the past and even now (painfully so), a password. It's based on what you know. The way you log in to a computer or the way you log in to a bank account or any other IT resource or controlled resource — let's call it — you have to share something that only you are supposed to know.
A password or a passphrase. That's one type of credential. A lot of compromise actually happens just by the password getting compromised.
And the way that happens is either through a brute-force attack (the threat actor basically just running a dictionary attack). Brute force means just applying a lot of different passwords to guess what the password might be. But increasingly, they're doing it by using sophisticated AI technology to scour your digital universe to figure out your dog's name, your children's names, your address, your date of birth, etc., from your digital shadow on the internet, and then make a very educated guess as to what that credential might have been.
So password compromise is one of the ways that identity compromise might occur.
That's not all.
Michael Krigsman: What are the other ways? I mean, password compromise is clearly one very important one. But there are others too.
Rohit Ghai: Sure. A very common technique is what we call phishing. And RSA has been in this business offering what is called MFA — multifactor authentication — where we provide either a physical hardware token or a mobile phone–based application. So if Kathleen is trying to log in, and if Kathleen is in possession of her phone, we can send a message to her phone with a one-time password, an ephemeral password that nobody knows about, and then Kathleen can provide that information to log in.
But in this pattern, what has happened is a lot of times the attackers will steal your phone or your phone credentials to pretend that it is your phone.
So there are technologies to compromise the cryptography and encryption, or attack the communication in the middle (the "man-in-the-middle" attack), so to speak.
They will, in your voice, talk to your bank and basically fool them into thinking that it's Kathleen on the other side, and thereby defeat their biometric-based identity strategy.
A phishing-resistant MFA — an MFA solution that has strong cryptographic roots, like an RSA physical token or an RSA soft token (a mobile-based application) — they are not sending these one-time passwords, these ephemeral credentials, if you will, over vulnerable networks. MFA is a highly recommended and highly effective solution, frankly, to defeat many credential compromise attacks.
One recommendation: absolutely adopt phishing-resistant MFA that is not relying on mobile-based OTP (one-time passwords).
When you can't beat it, you bypass it. That's what the threat actor is doing. And how are they doing that? Well, they are doing that by using attacks like the help desk exploit. About three years ago, we had an incident at MGM and another casino in Vegas where the threat actor got in by calling the help desk for that organization, pretending to be an employee. They said, "I have lost my MFA device, and I urgently need to log in to my IT device because I have a deadline, and this is a project that is very important to our CEO. I need your help to provision new credentials for me and help me access my device and my IT resources." They used social engineering via a help desk scenario to bypass MFA. That organization did have MFA provided to all their employees and all their users, but it was bypassed through social engineering — fooling the help desk agent into issuing alternate credentials by creating this fake sense of urgency.
This is a very common attack now, and it is becoming more sophisticated. It might not even be a human calling the help desk — it could be an AI impersonating the employee's voice. The help desk can be easily fooled because it sounds exactly like somebody very important in the organization. It might be the CFO's voice calling; the help desk will recognize the authority and be fearful and therefore sometimes make the wrong decisions. So that's how things get exploited.
So my recommendation — back to "what can we do" — is use MFA (strong, phishing-resistant MFA) 100% for 100% of your users. Recommendation number two: do not just obsess about authentication and strong credentials. Think about managing identity throughout its life cycle, and prevent these help desk–type attacks by finding identity security solutions that protect identities during these critical events in the identity life cycle — the joiner, mover, leaver process:
- A new employee joined.
- An employee called the help desk.
- They got promoted.
- They're leaving the organization.
We need to pay attention to managing those events in the life cycle of an identity to assure security in today's digital world.
Protecting Personal Information and Identity
Michael Krigsman: I want to tell everybody that you can ask your questions. When else will you have the chance to ask the CEO of RSA Security pretty much whatever you want? So take advantage of it, folks. Let's jump over to Twitter (to X). Arsalan Khan is a regular listener, and he says this (I think this is related to what you were just talking about, Rohit): He says, "As a consumer, we share our identity information, credentials, multiple times to various IT systems — libraries, grocery stores, banks, and so on. We are only as safe as the least safe system, and these are not in our control. What can we, what should we do?"
Rohit Ghai: Any information that is potentially identifying you as an individual should be shared on a need-to-know basis. We have been, as individuals — especially as professionals in a workforce setting — perhaps too lax in terms of sharing our information because, as you said, there is often a legitimate reason for banks or libraries or others to get access to that information. I think we need to pay attention to what that organization or individual is doing with the information you're providing. Are they storing it in a safe way?
When we share (let's say our information with the bank: our mother's maiden name, our date of birth, etc.), we need to pay attention to the cybersecurity posture of that bank and their data privacy statements that we often glance over and agree to.
We should pay attention to whether they are doing the right things to keep your information as private as it needs to be to assure security in today's environment:
- Share on a need-to-know basis.
- Pay attention to what the organization that you provided the information to is doing to protect your information, and how good a job they are doing handling that information.
- If you're an IT professional, do not rely simply on an information-based identity system.
This is the whole concept behind multifactor authentication. Don't rely on one factor — that's literally what "multifactor" means, right? Do not rely on the knowledge-based proofs of who you are (your date of birth, your address, etc.). Ask for other things like: Are you in possession of the phone that is supposed to be yours?
Can we send an ephemeral password or code that you can provide us? Biometrics — for example, scanning your face ID or things like that. Always, as an IT professional, you have to use a multitude of factors to assure identity. Do not rely on just knowledge-based information.
Those are three things that we can do to harden our environments despite the need to share information, as you asked. Great question. Thank you for that.
The Evolving Role of CISOs in Cybersecurity
Michael Krigsman: Let's jump to a question from Preethi Narayan on LinkedIn, who's asking about CISO roles. She says this: "CISO roles are among the most in-demand globally. Does this reflect a shift in how organizations prioritize identity and AI risk at the executive level, and will CISO demand rise further?"
Rohit Ghai: The stature of the CISO, like you said, is elevated now in today's world of AI-powered threats. The reason is that cyber risk is now one of the top risks in the risk register for most organizations. Most public companies (and many private ones) have a practice around risk management to ensure the organization can deal with the risks it faces and has sufficient mitigation for those risks.
Cyber risk is now a very prominent part of that risk register. Therefore, the CISO's stature in advising the board and management teams on cyber risk and its implications — as well as the mitigating controls the CISO recommends — is one of the most consequential business considerations a company today needs to address. There is huge demand for strategic CISOs who can translate the technology of cybersecurity into the business implications of cybersecurity for the board and management to act upon.
I think we're going to see CISOs gaining more and more stature in organizations — a larger, more prominent voice. And even at the board level, you'll see a lot of demand for cybersecurity expertise. Not only do you need a strategic CISO, you need a board and a management team that can understand what the CISO is telling them. You need a level of expertise at the top to properly govern the cyber risk that organizations face in today's climate.
Michael Krigsman: Should the CISO be a technologist or a businessperson?
Rohit Ghai: We're entering the era of CISOs that maybe have a strong business background with enough technology capability to drive teams that might be operational and technology-oriented. Therefore, I would ask for a CISO to be more 51/49 — more business than technology — in today's climate, because cybersecurity is now squarely a business problem more so than it is a technology problem, right?
It's social engineering. It's in the world of AI, right?
Thinking about a robust risk management approach to cyber is consequential to the efficacy of a CISO.
Michael Krigsman: What kind of communication skills should a CISO have, and when should they communicate? The reason I ask is, not too long ago I approached two CISOs — each from one of the largest, most well-known brands in the US — independently.
CISO number one said she wants to do it. Then I started saying, "Well, it's live, and we take questions," and she's like, "No, no, no, I can't do that." CISO number two said, "In my role..." (and I've known CISO number two for a long time), "In my role, no way."
What's the job of the CISO in terms of communication, and is it too scary for a CISO to join something like this (that's live, where we take questions)?
Rohit Ghai: CISOs have a dual role — as does every cybersecurity professional. If you think about cybersecurity as a business area, it's unique. When you're a sales professional, you sell. When you're a marketing professional, you market. When you're an HR professional, you manage talent and culture. But when you're a cybersecurity professional, you have to do your day job of securing the enterprise, and you also have to be an evangelist for security across the entire organization. Because the weakest link in security might be something that you are not directly managing. It might be in finance; it might be in marketing. It might be a contractor that has a weak posture that you're not directly governing. So unless you evangelize and communicate effectively to those constituencies, the entire security program suffers.
Michael Krigsman: How should a CISO communicate?
Rohit Ghai: I think a CISO has to be multidimensional in communication style. They must be just as effective in the boardroom talking about risk as they are in the SOC (Security Operations Center) talking about the latest threat vector and how to address it technically. You have to be effective with all audiences — whether it's your development team, your security team, your IT team, or the board and executives. That is a very unique skill.
Michael Krigsman: Is that what makes the CISO job different from most other kinds of executive roles? The fact that they have to have both an understanding of deep technology and be able to bridge to people on the board and in the finance department and elsewhere? That combination?
Rohit Ghai: Exactly. Because if you're a CFO, maybe you don't need to understand every technical detail about accounting or risk. But as a CISO, you do need to understand enough of technology and enough of business and be that bridge.
The Role of Regulation in Improving Data Privacy and Cybersecurity
Michael Krigsman: Another question from Arsalan Khan on Twitter: "As a consumer, we can try to manage our personal identity and data privacy. But without regulations, our data is out there across all these different organizations. How can the entire ecosystem (everybody we do business with) improve data privacy and security? Is it even possible without more government regulation?"
Rohit Ghai: I think governments around the world are paying attention to this, which is why you have GDPR in Europe, the CCPA in California, and so on. Regulators in many countries are focusing on this phenomenon. We do need regulations, but I'd say we need smart regulations — regulations that can be applied and, perhaps even more importantly, enforced. Because it's one thing to enact a law; it's quite another to enforce it in a scalable way across an entire economy.
The second thing is that it's not all on the government or regulators. We as practitioners (and some of us are vendors, like RSA; some of us are practitioners in enterprises) have to pay attention to designing technology that is not vulnerable, and to strong MFA (phishing-resistant MFA).
Let me swivel to a more optimistic picture, Michael (and everyone in the audience). In the media, often the conversation is about cyber threats, and I feel the narrative is very negative. It's as if the bad actors are doing all these things to us and we are just taking it on the chin. But I have a more optimistic message. I feel that the defenders — the good folks — are also innovating. We're doing things like multifactor authentication, zero trust architecture, AI for cyber defense, orchestration and automation of incident response, etc.
So I would say we should reframe "cybersecurity" as "cyber resilience." Because it is a fact that you can't stop every threat actor from getting in, but you can certainly have a resilient organization such that, even when they get in, you detect and respond very quickly and ensure that your organization can survive that incident.
Michael Krigsman: What does "cyber resilience" mean? I like the concept, but what does that practically mean for a CISO?
Rohit Ghai: Cyber resilience means assuming breach — designing your architecture with the knowledge that somebody is going to get in, somehow. Therefore, you minimize the blast radius of an incident. You assume they've gotten in, so you're not going to put your crown jewels in one place or in one account. You assume that if they got into one account, they could move laterally to another account. Therefore, you're going to separate duties, you're going to have least-privilege access, you're going to have zero trust architecture — basically, assume they're going to get in, so be resilient.
Michael Krigsman: What do you do? To use the cliché, they say there are two kinds of companies: those that have been breached and those that don't yet know they've been breached. How do you deal with that?
Rohit Ghai: That's exactly the "assume breach" mindset. We can take a lot of cues from, say, the public health industry. You assume that certain things will happen in a population, and then you minimize the effect. But to make it very concrete: You minimize the blast radius. You assume that certain accounts will get compromised, so you disallow any account to have too much privilege. You disallow any single person or single account to have, say, a dual-control scenario on something that is mission-critical. You ensure that you have continuous monitoring. You ensure that you have all kinds of playbooks automated to quickly respond, such that if something happens, it's like an immune system in the human body — something can attack you, but your immune system kicks in and addresses it.
Michael Krigsman: Great. So cyber resilience is really a shift in mindset in many respects, isn't it? More than anything else.
Rohit Ghai: Absolutely — it's a shift in mindset, and it's a realistic one. It's not a pessimistic one; it's just a realistic one. And it helps because you sleep better at night knowing that you have that immune system, that you have that resilience in place. It's not just, "Oh my God, if that happens, then I have no plan B." You always have a plan B.
Michael Krigsman: I love that analogy of the immune system. That's really perfect.
Social Engineering and MFA Vulnerabilities
Michael Krigsman: We have another question from Arsalan Khan, who asks: "Where does social engineering fit into identity risk? And how do we make sure that MFA is secure in the face of social engineering?"
This is a very important question, because earlier you were talking about RSA being a leader in MFA. So what's the interplay there?
Rohit Ghai: Social engineering is absolutely the way that a lot of threat actors get in. And we've talked about it a bit, but to recap: When you can't beat the technology, you bypass it. So that's what the threat actor is doing. And they're doing that by using attacks like the help desk exploit attack we discussed. They use social engineering to bypass MFA by fooling a help desk agent into providing alternate credentials.
The recommendations here are, again: use MFA — strong, phishing-resistant MFA — 100% for 100% of your users. And don't just obsess about authentication and strong credentials; manage identity throughout its life cycle. Guard against those help desk–type attacks by implementing identity security solutions that protect identities during joiner, mover, and leaver events.
Phishing, as you alluded to, Michael, is often the entry point. Attackers lure users to click on malicious links or provide confidential information. Even the best technical controls can be undermined if a user is tricked. That's why continuous user education and simulated phishing exercises are vital. We also need technical measures like email filtering, link scanning, and browser protections to reduce the chances that a user ever even sees a phishing email in the first place.
Another angle is device security. Attackers might trick users into installing malware through a phishing email or link. Having strong endpoint protection and monitoring can limit the damage if a user does fall for a phishing attempt.
Michael Krigsman: To summarize your advice on this: It's multifaceted. There's the human element — training, awareness — and there are technical controls, and then there's incident response, which we discussed in terms of resilience.
Rohit Ghai: Exactly right.
The Role of AI in Cybersecurity
Michael Krigsman: We have an AI question from Lisbeth Shaw on Twitter, and I'm glad she is jumping in because we need to talk about AI. Lisbeth asks: "How will AI impact cybersecurity — both in terms of threats and defense? What should companies do to manage AI-related cyber risks?"
Rohit Ghai: There are three dimensions to AI:
AI as a Sword – It's the attacker's tool. Threat actors are going to use AI to attack at scale or hyper-personalize impersonation attempts, bypass traditional defenses, and even create malware (because AI can code on their behalf). Even technically inferior threat actors can now code because AI can code for them. So it's a sword.
AI as a Shield – We haven't had enough humans to look at all the incidents and threats playing out. We can address that with digital workers — software robots — that monitor for signs of synthetic media (for example, to detect deepfakes), watch for abnormal patterns versus normal behavior, and perform predictive risk modeling, incident simulation, and playbook automation thanks to AI. So that's the shield dimension.
AI as part of the Attack Surface – The threat actor might compromise the AI you're using by poisoning it or through nefarious prompt engineering, or by launching denial-of-service attacks against AI-driven systems. If AI is in a decision loop (say, approving loan applications for a bank), attackers can bombard it with junk data or requests to confuse the AI and cause bad decisions. So AI can be attacked.
AI can be attacked, and therefore we need to do two things. First, we have to embrace AI as a shield, because we know that the bad guys are using it as a sword. We need to get more educated and proficient in using AI — we cannot wait or we'll be left behind. Second, adopt AI responsibly. Don't trust AI blindly. Always put AI within guardrails, meaning any agentic AI you deploy should operate with human-defined workflows and a human in the loop. Also, implement non-human identity solutions to ensure that AI agents (just like human users) are verified and only perform actions they're authorized to do.
So those are the three dimensions we must pay attention to. It's not just a double-edged sword in the proverbial sense — AI is also the thing being targeted by that sword.
Economics of AI in Cybersecurity
Michael Krigsman: Can you talk a little about the economics of AI? How does AI affect the economics of cyber attacks?
Rohit Ghai: The economics of cyber attacks are unfortunately favorable to attackers in many cases. AI, as we discussed, can further tilt those economics by enabling attackers to automate and scale their efforts at low cost. However, AI can also help defenders reduce costs by automating routine tasks and improving detection accuracy, which reduces the workload on human analysts. It's an arms race, economically speaking. The key for defenders is to leverage AI to increase the cost for attackers (by making attacks harder or less likely to succeed) and to reduce our own cost of defense (through efficiency and automation).
For example, if attackers can use AI to find vulnerabilities or craft phishing emails en masse, then we should use AI to automatically scan for those vulnerabilities and to filter out phishing emails. That way, attackers have to invest more effort to get through, while we invest less effort to stop them. Over time, if we do it right, we make cyber attacks less profitable and cyber defense more cost-effective.
Michael Krigsman: That's a very interesting way to look at it. It's all about raising the attacker's costs and lowering the defender's costs, using the same tools.
Rohit Ghai: Exactly.
Board-Level Cybersecurity Strategy
Michael Krigsman: Let's talk about board issues. What is the role of a board versus the executive management team in developing and overseeing cybersecurity strategy? How should that interplay work?
Rohit Ghai: The board's role is governance and oversight — ensuring that cybersecurity is being managed as a business risk. They should ask tough questions about risk appetite, major threats, regulatory compliance, and whether the company is adequately prepared. But they rely on the executive management team (including the CISO and CIO) to execute the strategy and report back in business terms.
In practice, the board should be concerned with the "what" — what our risk is, what our strategy is to manage it, what resources are needed. The management team handles the "how." That said, boards today also need some level of cyber literacy so they can challenge assumptions and not just rubber-stamp what they hear. It's a partnership: management runs the program, and the board verifies that it's effective and aligned with the company's risk tolerance and business goals.
Michael Krigsman: How does a board build that cyber literacy so they can even ask the right questions?
Rohit Ghai: Boards have to prioritize education and sometimes even bring in outside expertise. Many boards are now adding members with cybersecurity experience or creating advisory committees that include outside experts. Board members can also attend training sessions, read cybersecurity reports (like that Verizon DBIR we mentioned), and basically approach it like any other area of oversight where they might not have come up through the ranks (similar to how audit committees ensure financial expertise). In the last few years, I've seen many boards become much more savvy about cyber, but it requires continuous learning.
Michael Krigsman: As boards become more cyber savvy, does that change the role of the CISO when interacting with the board?
Rohit Ghai: It does. A more cyber-savvy board will expect a higher-level discussion. The CISO can't just come in with technical metrics or fear-based messages; they need to discuss cyber risk in the context of business risk — maybe using frameworks like FAIR (Factor Analysis of Information Risk) to quantify cyber risk in dollar terms, or at least in high/medium/low terms that relate to business impact.
A savvy board will also ask for comparisons: "How do we stack up against peers? Are we spending appropriately? Where are our gaps?" So the CISO has to elevate the conversation, use less jargon, and more business language. It's actually a welcome change, because it means cybersecurity is being treated as a core business issue, which it is.
Michael Krigsman: Basically, the CISO must become — or already must be — a business executive as well as a security executive.
Rohit Ghai: Yes, absolutely. The CISO must wear both hats. They should understand revenue, growth, product strategy, and so on, in addition to understanding threats and technology. When those things intersect, they can prioritize security activities that enable the business, rather than being seen as the "Department of No."
Michael Krigsman: Ha! The "Department of No." We've heard that phrase. And that perception is part of what needs to change, isn't it?
Rohit Ghai: Right. Security can't just say no to everything; otherwise people will find ways around it. Instead, security needs to partner with the business. That means sometimes coming up with secure solutions that enable the business to do what it wants, but in a safer way. For example, if the marketing team wants to use a new SaaS tool, instead of just banning it, maybe the security team does a quick vetting or finds a way to segment that data. It's about balancing risk and reward, not eliminating risk entirely (which is impossible and would also eliminate reward).
Michael Krigsman: This has been a fantastic discussion, but we're almost out of time. Before we wrap, let's squeeze in one more topic.
Understanding Ransomware and Response Framework
Rohit Ghai: (Responding to a question) Attackers have evolved with ransomware. They often exfiltrate data before encrypting systems — so even if you have backups, they threaten to leak your sensitive data if you don't pay. They would steal data and take it out — information, things of that nature.
A comprehensive response framework is needed:
- First, harden your systems to reduce the chance of ransomware getting in (things like patching, endpoint protection, disabling unused services).
- Second, have good backups and test them — traditional advice, but still crucial.
- Third, have an incident response plan specifically for ransomware. That plan might include how to communicate (if your email is down, have an out-of-band method), how to involve law enforcement, and whether you would ever consider paying or not (a policy on that).
Additionally, consider tools that can catch ransomware behavior quickly — for example, if a system starts rapidly encrypting files, it can isolate itself. And encrypt your data at rest too, so if they steal it, it's not as useful (though that’s hard if they get the keys).
Michael Krigsman: So essentially you're saying assume they might steal data and have a plan for that. It's not just "Do I have backups?"
Rohit Ghai: Exactly. The plan must assume data could be public. So part of the plan is PR and legal: if our data is leaked, how do we handle that? Do we have communications ready? Do we know our regulatory requirements for disclosure? It's crisis management beyond IT.
RSA Security's Focus Areas for Cybersecurity
Michael Krigsman: Finally, Rohit, where is RSA Security investing over the next 12 to 18 months? What are the key focus areas for you?
Rohit Ghai: Great question. Our focus is on the convergence of identity security, cloud security, and AI. Specifically, we're investing in:
- Identity and access management – making it cloud-delivered and AI-enhanced (for example, risk-based authentication that uses AI to analyze user behavior).
- Integrated risk management – helping organizations quantify and manage risk across domains (cyber, third-party, compliance) because, as we discussed, cyber is a business risk.
- Secure digital transformation – that means as companies adopt cloud, IoT, and so on, we provide tools to secure those new environments seamlessly.
AI underpins many of these initiatives — for example, using AI to detect anomalies in identity usage patterns or to prioritize risk findings. And of course, we're keeping a close eye on emerging threats like post-quantum cryptography (what happens to encryption when quantum computers arrive). It's an exciting time, because the challenges are big, but the tools at our disposal are also evolving rapidly.
Michael Krigsman: Rohit Ghai, CEO of RSA Security, thank you so much for taking the time to speak with us.