I’ve spent a good amount of time talking to CISOs over the past few months to learn about their current priorities and how their jobs are changing. Of course, many of these security executives will be attending the RSA Conference in a few weeks.
What security executives are looking for
Based upon my meetings with security executives, here’s a sample of what CISOs will be looking for in San Francisco:
1. Executive-level threat intelligence
As business executives gain a better understanding of cyber risk, CISOs have been tasked with learning more about cyber adversaries and reporting what they learn to the board. To be clear, CISOs are not looking for deep technical intelligence on IoCs, exploits, or malware variants. Rather, they want to know who is attacking their organizations and for what purposes, and to gather a high-level view of their tactics, techniques, and procedures (TTPs).
This exercise also extends beyond basic cyber attacks. CISOs want a better understanding of dark web chatter, fraudulent websites, credential theft, and third-party risk management as it impacts their organizations.
In pursuit of this knowledge, CISOs will likely seek out vendors such as BitSight, Digital Shadows, and Flashpoint at RSA. Others (CrowdStrike, FireEye, Webroot, etc.) with deep threat intelligence chops should also be prepared for these discussions.
2. Integrated security platforms
Every CISO I spoke with said their current security technology infrastructure is overwhelming, so they have ongoing projects to consolidate and integrate security technologies. That means CISOs won’t be looking for individual products, but rather integrated security platforms they can implement over time. For example, CISOs want to talk about integrated threat defense – not endpoint security, malware sandboxes, machine learning, etc. individually.
On the backend, CISOs are kicking the tires on security operations and analytics platform architectures (SOAPA) that bring together disparate operations tools such as SIEM, UEBA, EDR, and security automation and orchestration tools. IBM, Splunk, and others have a story to tell here, but vendors should beware of proprietary agendas. The CISOs I spoke with want to hear a different story featuring heterogeneous architectures, APIs, and open-source software.
3. Business risk
CISOs are getting more involved with business planning and strategy so they can assess risks, implement controls, and manage risk over time. In my humble opinion, the RSA Conference tends to under-emphasize risk management, but there will be some chatter about peripheral subjects such as digital transformation, IoT security, and the NIST cybersecurity framework. RSA (the company, not the conference) will be especially focused on the intersection between business and IT risk.
4. Changing security perimeters
Just about every CISO talked about the fact that mobility and cloud have obliterated the old network perimeter. As a result, many organizations are looking at identity and data security as evolving perimeters. While CISOs are prioritizing identity and data security, these topics get little more than lip service at RSA (although they may be jammed into GDPR-specific sessions). Identity discussions will center around multi-factor authentication and the software-defined perimeter (SDP, Cyxtera, Google, Zscaler, etc.), while data security chatter will focus on DLP (Digital Guardian, Forcepoint, Symantec, etc.) and encryption. Not exactly what CISOs will be looking for, but somewhat of a start.
My discussions with CISOs also tended to concentrate on people and process rather than technology. This makes sense, since many organizations continue to rely on manual processes for cybersecurity, and 70 percent of organizations claim they’ve been impacted by the cybersecurity skills shortage. Unfortunately, these focus areas are diametrically opposed to the RSA Security Conference, which tends to be a “hurray for security technology” festival.
The cybersecurity industry is booming, and I expect the RSA Conference to be a whirlwind of meetings, sales pitches, cocktail parties, etc. At some point, however, I hope we can all cut through the industry hyperbole and address these and other CISO priorities.