ESG On Location: Impressions from RSA 2016

As our final act of RSA Conference 2016 coverage, I wanted to share the video that my colleague Jon Oltsik and I recorded to wrap up our thoughts from San Francisco:

Video transcript:

Woman: The following is an ESG On Location Video.

Doug: Well, the ESG team is recently back from the RSA Conference, and once again this year it was a really active, bustling conference. A lot of highly relevant discussions about the cybersecurity threat landscape and solutions to be able to check, prevent today's modern attacks. While there's a lot to talk about, we thought that we would share with everybody just a few of our takeaways from this year's conference, starting with endpoint security. So Jon, you shared with a pretty full house the results of some of our recent research on endpoint security. And what were some of the key things that you shared with everybody?

Jon: It was interesting, Doug, first of all I asked an audience of about 400 people if they had a clear understanding of the definition of next-generation endpoint security, and not one hand went up. So it was interesting to me that there was a lot of confusion in the market, there's a lot of hype in the market.

What we were sharing was the results of our research and really looking at next-generation endpoint in terms of prevention solutions and detection and response solutions. And it really resonated with the audience members who were either about to make those types of decisions and they wanted to learn from other people's experience, or they were vendors trying to understand the market. The market is changing quickly, there's a lot of play in the market, there'll be a lot of displacement of existing solutions. And the audience was really responsive to that message.

Doug: Absolutely. It's an active market. Right? There's a lot of buying motions, there's a lot of endpoint security projects, so the audience was really attentive to learn from others that have gone down that path.

Jon: That's right, and we'll be producing our market landscape report very soon with even more on that. Now, you went to RSA on the backs of a lot of research on cloud security, and cloud security was everywhere at RSA. So what was your takeaway?

Doug: Yeah, interesting. We're living in a day and age now where cloud-first is the new normal. Right? Almost every organization I speak to has sort of cloud imperatives, some sort of cloud project. Be it their journey being characterized by initially leveraging SaaS applications on the journey of the cloud or actually using native cloud services like infrastructure/platform as a service. So there are a number of vendors that are providing security solutions that are purpose-built for that journey that can really help secure their cloud initiatives, which is really encouraging because more and more of organizations' data is going to be stored in the cloud and those are the assets to protect.

Jon: And what I heard at RSA was visibility first. Visibility and then controls and the controls we want to be able to employ whether it's physical infrastructure on-prem or off-prem.

Doug: No question. You can't secure what you don't know you have, so that's the starting point. Part of that I think is with the backdrop of the cybersecurity skill shortage is really be very focused on the approach to security. What did you see at the show around that very topic?

Jon: Well, I was discouraged because there was mention of the cybersecurity skill shortage. Our research says that 46% of organizations have a problematic shortage of cybersecurity skills. So it wasn't as front and center as I'd like. I think this is a national security issue. However, I was encouraged that there was discussion about automation and orchestration. So instead of response platforms, IBM buying Resilient, I was encouraged that there was a lot of discussion around security analytics. Let artificial intelligence do some of the work for us and make our people more productive.

And I was also encouraged by the talk about managed security services. So a maturing of those services from just simple monitoring to much more proactive hands-on supporting the IT person, rather than just replacing what they do. That was sort of my takeaway, what were your final thoughts on RSA this year?

Doug: Well, one of my sort of final thoughts here as a key takeaway was that the product category construct doesn't necessarily apply anymore. We talked to a number of vendors that are rightfully integrating what had previously been thought of as disparate technologies. For example, endpoint network security with data loss prevention so you can keep the good in and the bad out. So I think as an industry, especially those of us that are industry analysts need to think beyond the buckets and really think about the outcomes and the use cases that provide those outcomes and how we talk about today's cybersecurity solutions.

Jon: This is still an industry wrapped around technology. There's too much talk around the how, and not enough around the why, not enough around the outcomes. And we, as an industry, have to do more to solve our customer problems, understand the business ramifications and stop talking about how we do that with this or that technology.

Doug: Yeah, Jon. I totally agree. We tend to get very technical; we've got to up-level the conversation. Well, that's it for now. Thanks very much for listening and stay tuned for more coverage from ESG.
