It’s been a week since my last meetings at RSA and I’m already thinking about travel plans and agendas for Infosec Europe and Black Hat. Before closing the book on RSA 2016, however, I have a few final thoughts about the industry and cybersecurity professional community.
- It’s time to go beyond product categorization.
The technology industry has product categorization down to a science — we organize around products, budget for products, and make purchasing decisions on each individual product category. Heck, my friends at Gartner and NSS Labs have built lucrative businesses around testing and rating products via magic quadrants.
Now I get that human beings need guidelines to help them define things, but our obsession with product categorization has become counterproductive. Why? Because products interoperate to form solutions, and solutions can help us achieve actual goals and objectives. For example, vendors like Cisco, Fidelis, FireEye, Hexis Cyber Solutions, Symantec, and Trend Micro offer solutions designed for interoperability between endpoint and network security. If we only evaluate, test, purchase, or deploy one of the components of these solutions, we lose a lot of the intrinsic solution value. Yeah, we’ve always looked at technologies this way, but we are only creating obstacles for ourselves if we continue to do so.
- Technology underpinnings aren’t nearly as important as outcomes. On a similar note, the cybersecurity industry continues to be disturbingly compulsive about technology features and functionality. You couldn’t walk 10 feet at the Moscone Center without someone telling you about artificial intelligence, machine learning, or threat intelligence. The technology buzz reminded me of my early career experiences at DECworld, and that was in the 1980s! Note to cybersecurity technology vendors: CISOs care about mitigating risks, protecting assets, and responding to cyber-attacks. In other words, they care about outcomes and are not nearly as concerned with the technical wizardry of how these results are achieved.
- Cybersecurity professionals should get comfortable with the cloud control plane. Many new cybersecurity products are designed around a cloud control plane. The good news is that this model can greatly ease deployment since organizations don’t have to install and configure management servers and software. Cloud control planes can also accelerate software enhancements and distribution since the bits run centrally. Finally, cloud control planes are great for aggregating, correlating, and distributing new threat intelligence in a timely manner.
So what’s the bad news? Many organizations don’t want their cybersecurity “crown jewels” running in the cloud. Furthermore, some regulations actually forbid this model entirely. As Bob Dylan sang, “the times they are a-changin’.” Large organizations have become comfortable running business-critical applications using SaaS applications from Box, Salesforce, and ServiceNow — it’s time that cybersecurity professionals and regulators develop a similar comfort level. This is where the industry is headed, so the sooner we embrace it, the sooner we will benefit from it.
- CISOs need to play their managed security services cards. At the risk of repeating one of my more common refrains, CISOs must consider the implications of the global cybersecurity skills shortage in every decision they make. This means that every CISO should consider where they can offload work to managed service providers in order to cut costs, ease the burden on staff, or improve results. In the past, CIOs usually outsourced two types of activities: pedestrian tasks and those that require abundant skills and experience. CISOs should follow this model by outsourcing pedestrian tasks (i.e. basic email security, web security, and log management) to MSSPs like Proofpoint and Zscaler, while looking to partners like Dell and Symantec for brainy processes like incident response and security analytics.