Black Hat has gotten a lot bigger over the past few years, so many security insiders now compare Black Hat to the RSA Security Conference circa 2012 or so.
This is an accurate comparison from an attendance perspective but there is still a fundamental difference between the shows. In my humble opinion, RSA is an industry event, while Black Hat is more of a cybersecurity professional gathering. The focus is on cyber-adversary tactics, techniques, and procedures (TTPs), threat intelligence, and defensive playbooks. Rather than host lavish cocktail parties, vendors who participate in Black Hat must roll up their sleeves and demonstrate their technology acumen to gain street cred with this crowd.
In the past, a vendor’s technology prowess was usually used as an introduction to some type of security hardware or software. Technically savvy vendors would bond with security analysts as a means for pitching the latest products. In 2019, however, security technical gurus are looking for more than cool security technology alone – they are looking for help.
What’s going on? A global cybersecurity skills shortage, that’s what. ESG research indicates that 53% of organizations say they have a problematic shortage of cybersecurity skills. Furthermore, the recently published research report from ESG and the information systems security association (ISSA) indicates that 73% of organizations have been impacted by the cybersecurity skills shortage. Sixty-six percent of those impacted say the cybersecurity skills shortage has increased the workload on the infosec team, 47% say the cybersecurity skills shortage has led to the inability to learn or use cybersecurity technologies to their full potential, and 41% have had to hire and train junior employees rather than hire more experienced staff.
There’s one more implication around the cybersecurity skills shortage – nearly one-third (32%) of organizations have had to increase their use of professional/managed services because they remain understaffed and lack advanced cybersecurity skills. Like I said, organizations can no longer toe the cybersecurity line alone – they need help.
This brings me back to Black Hat. Yes, there will still be plenty of geeky technologies on display in areas like security analytics and threat detection/response. That said, I predict that managed services will be one of the main themes at Black Hat 2019.
It’s worth noting that managed security services are already making a big inroad at enterprise organizations. According to ESG research, 51% of large firms are already using some type of managed threat detection and response service (MDR) today, while another 42% will do so in the next 12 to 18 months or are interested in doing so. The research also points to the top reasons for adopting MDR:
- 32% of organizations needed a rapid improvement in threat detection and response and thought an MDR service would be more expeditious than deploying threat detection and response technologies.
- 29% of organizations were already working with a managed security service provider so it was easy to add MDR services as part of their contract.
- 28% of organizations admit that MDR services can do a better job at threat detection and response than they can.
- 27% of organizations say that they tried to deploy some type of threat detection and response technology but found that operating this technology was beyond their ability.
Black hat has always been a bully pulpit for security vendors known for their strong technology and threat intelligence knowledge – CrowdStrike, FireEye, Kaspersky Lab, Palo Alto Networks, Trend Micro, etc. These and other firms will maintain a staring role, but given the rapid adoption of managed services, look for others like Accenture, Booz Allen Hamilton, IBM, KPMG, SecureWorks, and Unisys to elbow their way into the spotlight. The new vendor mantra at Black Hat may be, “how can we help?”
Security professionals must resist the temptation to limit their Black Hat focus to security technology bits and bytes. Rather, they should prepare for this transition by bolstering their ability to qualify and manage third-party security service providers and coming to terms with the fact that they need help. As former President Barack Obama said, “Don't be afraid to ask for help when you need it. Asking for help isn't a sign of weakness, it's a sign of strength. It shows you have the courage to admit when you don't know something, and to learn something new.”