Doug Cahill and Christina Richmond discuss their expectations for the upcoming RSA conference
Read the related ESG Blog: Previewing RSA Conference 2019: Cybersecurity Services, Cloud Security, and DevSecOps
Doug: I'm here with Christina Richmond, ESG's new Principal Analyst. Christina, welcome to ESG.
Christina: Thank you so much, Doug. It's great to be here.
Doug: Great to have you here.
Christina: Thank you.
Doug: Okay. So we're going to be covering cybersecurity services for ESG, and one of the things we've talked about since you joined is the ongoing acute shortage of cybersecurity skills.
Christina: Indeed.
Doug: And, in fact, in our most recent Technology Spending Intentions study, cybersecurity, again, was the number one area in which our respondents had the most problematic shortage of skills; 53% of the participants said they have a shortage. So, enter services, right. I mean, you know, for me, services also bring sort of some advanced cybersecurity capabilities to a broader part of the market. So, with RSA Conference literally around the corner, what are you expecting to see at RSA when it comes to services?
Christina: That's a great question. So, yeah, cybersecurity has a definite shortage of people, as we know, and I expect to hear that a lot on the show floor and to hear from service providers that they're there to help. So I definitely expect to hear things like, "Well, why don't we offload some of your issues, because you can't get the people or the budget to help you. So let's do SOC as a service or SIEM as a service, or let's take care of your threat intelligence and make sure you have visibility across the landscape.
Maybe we can help you assess your program, right? We can do the strategy and design portion to make sure that you're looking at that business and risk area," which is a hot topic. Business and risk is something that I see growing this year. I don't know that we'll see it on the show floor, because it's not a shiny object, but I think we'll hear about it a lot.
Doug: Absolutely. So sort of a combination of, hey, managed services, but also, really, consultative engagements to help organizations, you know, sort of retool their cybersecurity program, modernize that, and help the CISO be able to talk risk to the audit committee.
Christina: So, speaking of managed, I didn't mention MDR, but I think we'll hear a lot about MDR, and I know that Jon Oltsik has a wonderful study on threat detection and response, right?
Doug: That's right, that's right.
Christina: And so I think we're going to hear a lot from vendors on the show floor and in our meetings about threat detection and response, analytics, how do we use an MDR engagement and EDR tools to help us with that.
Doug: Yeah. I love that topic because it allows more companies to be more leaned forward and proactive in their cybersecurity posture.
Christina: Absolutely.
Doug: I mean, EDR has been sort of relegated to the top-of-the-market customers. MDR makes that capability available to so many more businesses.
Christina: And I think MDR really has a special place in the response category, because it automates and uses the AI and algorithmic qualities, the machine learning that you use to help you find what's going on in your environment and who's trying to get into your environment and then helps you respond without having to engage a lot more people.
Doug: Yeah. And response readiness is an area that you're going to explore.
Christina: Exactly, yeah, yeah. So response readiness is something that I'm probably going to do a study on, that and women in cybersecurity. Because if we have a dearth of personnel, and we have only 11% of women in cybersecurity roles, that's an easy fix. If we have women who are skilled in security, which we do, how do we help those women and those organizations bring more women into those roles?
Doug: Yeah, you bet. That's really where we can move the needle.
Christina: Absolutely.
Doug: Yeah.
Christina: Absolutely.
Doug: So one of the things I think about in terms of just, you know, moving the needle is this notion of DevSecOps, you know.
Christina: Right. And you've been looking at that quite a bit. And so DevSecOps is something I find fascinating. So, what do you expect to see at RSA around that?
Doug: Yeah, you bet, you bet. So, first of all, I think it's great that there's a full day on DevSecOps this year. Monday, full-day seminar on DevSecOps.
Christina: That's great.
Doug: You know, there are organizations that are sort of catching up, and there's some of this readiness gap between the degree to which the organization has already adopted cloud services and their ability to secure that use of cloud services.
Christina: Right.
Doug: And so they have, you know, AppDev teams and a line of business that are off and running, you know, employing CI/CD to continuously deliver new apps to production, which is great, business agility and their, you know, great competitive advantage, with the security teams sort of behind. The second kind of customer organization is really sort of cloud-native or DevOps-native. So they've been doing DevOps since... they've never seen a data center, right?
Christina: Right.
Doug: And so a lot of the DevOps, DevSecOps story has been around the shift left and really using application security controls, you know, static analysis and composition analysis, really, in your, you know, development phase. And that's great, right? That helps you have more hardened configurations and apps that go to production. I also think we need a shift right. Like, let's not forget runtime. So we can always use DevSecOps to automate the introduction of runtime controls.
Christina: That's awesome. So, in that first organization that you talked about, right, it seems to me that there's a service opportunity there. What I have heard, and perhaps you can educate me on this, what I've heard is that DevSecOps is also a cultural change. It's a people and a process change, right?
Doug: Yes, yes.
Christina: And so I expect to see a lot of services where service providers are talking about, "How can we help you shift left?" And I love the idea of shift right as well. So tell me more about what you think is going to happen as far as shifting right, because that's not an area I've really looked at.
Doug: Shift right is really about automatically applying controls based on policies, based on the role of like a server workload. "Hey, this is a, you know, a web server that's running on Ubuntu, and I'm automatically going to have a cloud workload protection platform control that's applied and the policies, you know, set right out of the gates." So, as soon as that server comes up, boom, it's got the agent on it.
Christina: Yeah, got it.
Doug: So there's no sort of like, "Okay, it's in production now, we're going to roll out the agent."
Christina: I don't know if it's really a services thing, then. It's really more about the automation there. It's designed in, sounds like.
Doug: The shift right is. I think maybe the shift left and the cultural approach is a good services opportunity.
Christina: Absolutely. Cool.
Doug: So, hey, this was good fun.
Christina: Thank you.
Doug: We just scratched the surface on a bunch of the topics we're going to see at RSA.
Christina: We'll have a lot more time to chat, I'm sure.
Doug: We'll have a lot more time to chat. And speaking of that, we'll cover these topics and more at a breakfast event that we're holding on Thursday morning of RSA week. So, Christina, again, welcome to ESG.
Christina: Thank you so much, Doug. I'm so happy to be here.
Doug: And thanks, everybody, for watching.