ESG Blogs

As part of a recent ESG research project, 340 enterprise cybersecurity, GRC, and IT professionals were asked to compare cyber risk management today with how it was two years ago. The data indicates that 39% of survey respondents believe that cyber risk management is significantly more difficult today than it was two years ago, while another 34% say that cyber risk management is somewhat more difficult today than it was two years ago.

At ESG, we are just about to publish some new research on cyber risk management and I’ve been knee-deep in the data for the past month. Here are a few of my initial impressions:

• Business managers are far more involved than they used to be. A few years ago, business executives didn’t want good security, they wanted good enough security. Back then, security professionals bemoaned these half-hearted cybersecurity efforts, longing for CEOs with cybersecurity knowledge who were truly invested in strong cybersecurity controls and oversight. Note to cybersecurity pros, ‘be careful what you wish for.’ The ESG data indicates that corporate executives and boards are much more involved and demanding these days. This is forcing CISOs and infosec teams to collect and analyze more cyber risk data and present it to the mucky-mucks in business-friendly terms. The data indicates that this is already driving a new, more comprehensive model for cyber risk management.

As a follow-up to VMworld US in Las Vegas this past August, VMware reiterated its compelling albeit ambitious strategy at VMworld Europe in Barcelona. From my perspective, that strategy is well aligned with the flexibility today’s enterprises require – the ability to run any app on any cloud accessed from any device with intrinsic security. This is the true essence of hybrid clouds for which VMware has a comprehensive definition – private cloud, public clouds, as well as Telco clouds – and a plan to offer a hybrid cloud control plane with equally flexible delivery options.

As a cybersecurity industry analyst, I am admittedly guilty of being myopic in looking for security to be the leading act in the keynote at major industry events. Such was the case at AWS re:Invents of the past when security was front and center starting with a discussion about the shared responsibility security model, the foundation of any cloud security program. That started to change in the last few years with security playing more of a supporting role in Andy Jassy's and Werner Vogels' keynotes. To be clear - it’s not that AWS is now being dismissive of security by any stretch, it’s simply that security is no longer an impediment to the adoption of public cloud platforms, at least those operated and secured by major CPS such as AWS, who has always treated security as job #1. AWS no longer needs to convince the market the cloud is secure, the conversation is now about how to meet your part of the shared responsibility model.

The history of security purchasing centers around best-of-breed products. With each requirement, security professionals would research products, review third-party tests, bring in products for internal testing, and buy those that exhibited a superior ability to prevent, detect, or respond to cyber-attacks.

In a blog I wrote and published in August, I listed the 8 attributes that my colleague Doug Cahill and I believe are critical for a cybersecurity technology platform. The blog also ranks the 8 attributes according to a recent survey of 232 cybersecurity professionals working at enterprise organizations (i.e., those with more than 1,000 employees).

In a recent research survey, ESG asked a panel of 232 security and IT professionals a series of questions about cloud-native security (i.e., security controls, management, and monitoring options built into cloud infrastructure and offered by cloud service providers (CSPs)). Here are a few of the data points we uncovered:

I wrapped up my 3-week tour of the cybersecurity industry with a stop in Las Vegas for McAfee MPower. Here are a few of my takeaways from the event:

Last week, Trend Micro came to Boston for its annual Trend Insights industry analyst event. The company provided an overview of its business, products, and strategy. Here are a few of my takeaways:

I spent the early part of this week in Orlando, attending Splunk .Conf 2018. Here are a few of my takeaways:

1. Splunk articulated a vision of security analytics/operations for 2020 that included 10 areas:
   1. Data ingestion. Collecting and processing a growing body of security telemetry.
   2. Detection. Finding and blocking known threats.
   3. Prediction. Using advanced analytics to identify new attacks and then spreading the warning around to all connected customers.
   4. Automation. Automate all pedestrian tasks and accelerate more complex tasks.
   5. Orchestration. Use APIs to connect security controls together for investigations and remediation actions.
   6. Recommendation. Monitor and record security operations and then recommend proven actions to the SOC team.
   7. Investigation. Provide intuitive tools to figure out what cyber-attacks are happening and why they are happening.
   8. Collaboration. Offer a workbench for security operations while connecting to collaboration tools like Slack.
   9. Case management. Deliver a security-centric tracking system that spans security incident management lifecycles. 
   10. Reporting. Providing a central place to measure all aspects of reporting.