I’m sure lots of CISOs spent this week meeting with their teams, reviewing their 2013 performance, and solidifying plans for 2014. Good idea from my perspective. The CISOs I’ve spoken with recently know exactly what they have to do but aren’t nearly as certain about how to do it.
At a high level, here’s what I’m hearing around CISO goals and the associated challenges ahead this year:
- Improve risk management. This translates into threat/vulnerability measurement, threat prevention, and ongoing communication with the business mucky mucks. The problem here is that their networks are constantly changing, scans are done on a scheduled rather than real-time basis, and the threat landscape is dangerous, sophisticated, and mysterious.
To address these shortcomings, many organizations will embrace continuous monitoring (or Continuous Diagnostics and Mitigation (CDM) as it is known in the federal space) as a major security initiative. The goal? Real-time situational awareness on network activity accompanied by data-driven decision making. This trend will play well for vendors like Agiliance, McAfee (IPO), RSA (Archer), and Symantec (CCS).
- Improve security efficacy. Security efficacy improvement comes down to the simple fact that many existing security controls aren’t nearly effective enough against advanced threats.
This issue will generate the most industry buzz (along with mobile security) and will be ubiquitous at next month’s RSA security conference. While firms like FireEye and Palo Alto Networks will continue to play a starring role, CISOs are looking for more than products alone – they want an integrated cybersecurity architecture that covers networks, endpoints, and security analytics. Cisco/Sourcefire and Trend Micro are well positioned here as are security analytics leaders like Blue Coat, Click Security, Hexis, 21CT, ISC8, IBM, and LogRhythm. New endpoint security technologies from vendors like Bit9, Bromium, Invincea, and Malwarebytes will also remain in the spotlight.
- Streamline security operations. Okay, this issue gets almost no attention in the market but it should. Why? The combination of an army of point tools, manual processes, and cybersecurity skills shortages is making the CISOs' job increasingly difficult. Enterprise security needs significant improvement here or the battle may be lost.
So what happens? CISOs do deep assessments and look for ways to build an enterprise-class integrated security architecture over the next 3 years. In other words, they need central command-and-control, distributed enforcement, and advanced security analytics for real-time detection and long-term investigations. This will require lots of upfront services, providing a great opportunity for Accenture, CSC, HP, IBM, Leidos, and Unisys. Security executives will also be open to enterprise security architecture discussions. Cisco, IBM, McAfee, and Trend Micro are positioned best for these meetings.
- Enable business/IT flexibility. This objective is code for supporting cloud computing, mobile computing, IT consumerization, and “shadow IT” without increasing risk.
Another difficult task that involves a lot of new skills, processes, and controls. From a vendor perspective, Centrify, Ping Identity and RadiantLogic are poised to provide cloud-based identity services while CloudPassage, HyTrust, and Sky High Networks promise cloud security management and oversight. Personally, I’d like to see more discussions about open security standards to make this less cumbersome.
Addressing these four challenges won’t be easy and every CISO I know is looking for help. As such, every security vendor should be prepared to discuss how their products and services address – and help overcome – each one.