I’ve spent a good amount of time talking to CISOs over the last few months to learn about their current priorities and how their jobs are changing. Of course, many of these security executives will be attending the RSA Security Conference in a few weeks. Based upon my meetings, here’s a sample of what CISOs will be looking for in San Francisco:
- Executive-level threat intelligence. As business executives gain a better understanding of cyber-risk, CISOs have been tasked with learning more about cyber-adversaries and reporting what they learn to the board. To be clear, CISOs are not looking for deep technical intelligence on IoCs, exploits, or malware variants. Rather, they want to know who is attacking their organizations and for what purposes, and to get a high-level view of those adversaries' tactics, techniques, and procedures (TTPs). This exercise also extends beyond basic cyber-attacks: CISOs want a better understanding of dark web chatter, fraudulent websites, credential theft, and third-party risk as it impacts their organizations. In pursuit of this knowledge, CISOs will likely seek out vendors like BitSight, Digital Shadows, and Flashpoint at RSA. Others with deep threat intelligence chops (CrowdStrike, FireEye, Webroot, etc.) should also be prepared for these discussions.
- Security technology consolidation. Every CISO I spoke with said that their current security technology infrastructure is overwhelming, so they have ongoing projects to consolidate and integrate security technologies. This means that CISOs won't be looking for individual products but rather integrated security platforms they can implement over time. For example, CISOs want to talk about integrated threat defense, not endpoint security, malware sandboxes, machine learning, etc., individually. On the back end, CISOs are kicking the tires on security operations and analytics platform architectures (SOAPA) that bring together disparate operations tools like SIEM, UEBA, EDR, and security automation and orchestration tools. IBM, Splunk, and others have a story to tell here, but vendors should beware of proprietary agendas: the CISOs I spoke with want to hear a different story, one featuring heterogeneous architectures, APIs, and open source software.
- Business risk. CISOs are getting more involved with business planning and strategy so they can assess risks, implement controls, and manage risk over time. In my humble opinion, the RSA Conference tends to underemphasize risk management, but there will be some chatter about peripheral subjects like digital transformation, IoT security, and the NIST cybersecurity framework. RSA (the company, not the conference) will be especially focused on the intersection between business and IT risk.
- Changing security perimeters. Just about every CISO talked about the fact that mobility and cloud have obliterated the old network perimeter. As a result, many organizations are looking at identity and data security as evolving perimeters. While CISOs are prioritizing identity and data security, these topics get little more than lip service at RSA (although they may be jammed into GDPR-specific sessions). Identity discussions will center around multi-factor authentication and the software-defined perimeter (SDP, Cyxtera, Google, Zscaler, etc.) while data security chatter will focus on DLP (Digital Guardian, Forcepoint, Symantec, etc.) and encryption. Not exactly what CISOs will be looking for but somewhat of a start.
My CISO discussions also tended to concentrate on people and process rather than technology. This makes sense, since many organizations continue to rely on manual processes for cybersecurity, and 70% of organizations claim that they've been impacted by the cybersecurity skills shortage. Unfortunately, these focus areas are diametrically opposed to the emphasis of the RSA Security Conference, which tends to be a "hurray for security technology" festival.
The cybersecurity industry is booming, and I expect the RSA Conference to be a whirlwind of meetings, sales pitches, cocktail parties, etc. At some point, however, I hope we can all cut through the industry hyperbole and address these and other CISO priorities.