RSA 2020 Cybersecurity Trends: “Cool People In Security”
Last week we hosted our 3rd annual RSA “Cool People In Security” event. This unconference style event first started during RSA 2018. We all had a few friends who we thought were cool people and figured it’d be fun to bring them together and see what happens. (If you didn’t get an invite it doesn’t mean you aren’t cool, we just don’t know you yet so feel free to reach out and introduce yourself!) What came of it was a beautiful group discussion on cybersecurity trends from the folks on the frontlines.
So what happens when you get 50+ cool people in cybersecurity together? You get some really interesting and candid conversations full of insights from CISOs, security engineers, analysts and consultants on the state of cybersecurity. We had folks engaging in cross-industry conversations who were from federal agencies, Fortune 500’s, born-in-the-cloud companies, and even help-me-get-to-the-cloud companies.
The discussions were candid and held in confidence with those in the room, so we can’t tell you exactly what was said but we can share a few trends and takeaways.
We had two roundtable discussion topics: “Stop Buying Security Products. Fix Your Security Posture, Using What You Have. Better.” and “Modern SOC Data Requirements.” These both led to plenty of healthy debates and lively discussions. What was interesting though was that both topics quickly centralized around three main themes that kept arising despite where the conversations began. These were the looming issues that everyone was trying to figure out:
Overwhelming infrastructure complexity
For years many companies have been buying too many layers of security products. They invest in dozens of point products that each solve one thing or another, without fully understanding the relevance of that function to the rest of their infrastructure. Because many of these products do not integrate with each other, and they don’t have a level of visibility that lets them see their network holistically, often they end up with products doing a redundant job that is already handled by another solution.
Most organizations are being hit hard by the cybersecurity talent gap and unable to fill their staff with the internal talent needed to derive the most value from their security investments. Another issue many raised was that they would like to have some metric or industry-specific standard to measure complexity. This would help them understand if they were operating a fairly normal environment or one that is abnormally complex. People thought it would be helpful to have at least a trusted community of peers and experts to seek and share information on shared problems. A place where they could compare notes and share learnings.
Data FOMO is real
The old habit of hoarding data and figuring out what to do with it someday is still alive, and a little too well. Many have a fear of losing important data, especially with the shift to the cloud, so they are holding on to logs they may never need. It’s more of a paranoia thing than anything else one person joked. This also applies to all the alerting products people have bought. Even if that product has never produced any useful data, they don’t want to chance missing something important one time. So organizations tend to hoard data. Or they have an unfounded notion that this product just may be the key to unlocking the insights they have been after someday. But again, there’s a cybersecurity skills shortage and they don’t have the internal talent (yet, crossing fingers) to make much use of the data anyway. Some are starting to get more use case centric, but that’s a very modern team that is oftentimes cloud-native. So they aren’t hoarding tools from a past era. They use a lot of the cloud provider’s products, augmented by a few others, to give them the picture they need.
Given the way things have been done, it’s extremely hard to know what data you have and don’t have. So all of it gets kept. Sitting there. Buring budget. Unused.
The “I don’t know what I don’t know” Problem
What questions do I need to ask? What data should I collect? When it comes to data, do I start with a question first and then find the data, or start with the data first and then find the question? How do I know I’m on a good path?
These questions are big drivers of data hoarding. But hoarding data doesn’t equate to knowing data. So how do CISOs know where to begin? They rely on the tools and professional services they purchased to figure that out for them. But tools are only as good as the people and processes that manage them, and professional service folks are usually highly specialized around a given need.
CISOs know they need better ways to question data, but they don’t have a good answer today.
As you see, these three themes are all interconnected. There is no check-the-box solution. That’s because security is first and foremost a people problem; not having the number of people with the right skills that you need, or people not knowing what they don’t know makes it extremely difficult to keep up with a new world of cloud that moves at the speed of code.
The rate of change is one of the biggest challenges companies face as they move from on-prem to the cloud, and a major contributor to each of these issues. Systems keep becoming more complex, we aren’t prepared to handle the ever-increasing volume of data produced daily, our comfortable tools and frameworks that worked on-prem are irrelevant in the cloud, and our heads are spinning so fast we don’t even know what questions to begin with. Security, IT, DevOps, Engineering, Finance, and even Legal teams are in dire need of greater collaboration and visibility into their environment across the organization to make sense of this new world and make it work.
As we were wrapping up, we wanted to hear three starting points people could take to begin solving these problems. The majority of the room expressed the desire to see people coming together to make a difference more specifically:
- Domain Experts need to increase collaboration (Internally and Externally).
- Security Vendors need to do a better job working together and fostering knowledge sharing.
- Industry Experts need a way to communicate their knowledge to the masses.
Let us know if these challenges resonate with you and what you are doing to increase the security posture of this industry!