Top security concerns, the coronavirus, and other key takeaways from our week at the RSA conference

There is no shortage of issues facing the CISO and their staff today. This came into sharp relief at RSA week before last. We had the privilege of hosting several security executives -- some clients, others in our extended network or just interested in joining and contributing – over dinner or drinks to hear what is on their minds. Though our field work and experience provide us with a viewpoint, we learn a lot by sitting back and listening to leaders brainstorming their challenges and sharing solutions with each other. Below, some highlights we’d like to share with you:

Security Talent and Staffing:

Building a human capital strategy with the right security capabilities and cultural fit is increasingly difficult. It’s been challenging for a while now, but with the overall economy on a 12 year high, the availability of talented security managers is tight, let alone for security analysts.  Security is increasingly integrated with the core business, which puts a premium on leaders that can bridge both technical and business worlds – communicate effectively on both sides. Not to mention the additional demands on security as digital interaction grows and the information economy continues to take root.

At RSA, we heard that security leadership is developing multiple strategies to deal with human capital shortages. First, in the short term, they are looking at how to get more efficiency out of their operations. They’re re-evaluating processes and services for value-based outcomes. The IT Service Management (ITSM) playbook is applicable here in that focusing on value-added activities clearly leads to reduced resources and effort. Processes and tasks can be prioritized based on whether they plug into key services security is offering their business customers.

The second set of strategies is around the opportunities to automate and use tools where possible. Tools are getting smarter, and using them in the right context can help supplement short term labor challenges despite the potential for “landmines of ineffectiveness”.  Managers are mining their existing portfolio of tools, in concert with the right security architecture strategy, and getting more bang for the buck out of current tool spending.

Finally – and I promise this isn’t just us plugging ourselves – third-parties can and do provide solid talent in a pinch. The vendor chosen should be considered in the context of the overall roadmap of projects and your current labor talent pool. Where there is a need to (re)define the direction and build new initiatives, use of higher-priced consulting staff for strategic projects while utilizing FTEs to help operationalize and execute is an efficient option.

Longer-term, many managers are going to the root of the problem by working with recruiting departments to have a presence at top universities, to identify emerging talent and to bring them onboard. Companies are playing a role in supporting security boot camps and providing use cases, as well as expanding internship opportunities. Identifying and cultivating talent today will help breed the labor force needed tomorrow.

The Security Technology Overload:

Our events at the RSA conference are typically late in the day when vendor-fatigue has begun to set in. And did we ever hear about it? The technology and tool field has exploded over the last decade, and crafty salesmen have led many organizations to an excessive tool footprint with underwhelming results. For some of the executives we spoke with, this is a legacy issue, inherited from an earlier time.

But what to do? The conversation seemed again to go into a value-driven direction. What are the key capabilities that the security team wants to enable for their business partners? With that defined, a project that rationalizes each domain with current capabilities and codifies appropriate security architecture requirements, can both help business / IT partners better leverage security’s strengths while helping security get the most out of their resources.

A value-driven approach, backed by an appropriate security architecture, also helps identify gaps. At RSA we heard a lot about gaps in tool capacity (tools that aren’t serving the purposes intended or required -- and can be expunged), and gaps driven by real shortfalls in current capabilities. Sometimes an existing tool has new features that can help close that gap, other times it may require a shift in the tool portfolio. This architecture-driven tool rationalization was also very helpful in firming up cloud migration and cloud security strategies, as these security architectures can plugin when they are capability-focused and tool/technology agnostic.

Manage Security Like a Business:

The conversation in some board rooms has noticeably shifted. The banging on the walls about security’s importance is paying off (or was it their competitor’s hack in yesterday’s newspaper?). Though they may still not fully understand it, boards increasingly know that information security is both important and a critical capability for the company. The CISO has been given, over time, more presence and more airtime in front of senior business leaders.

Careful what you wish for? Nah, it’s good overall everyone felt, but the demands to communicate well and to deliver are higher than ever. Some feel they have to over-perform compared to their revenue-generating peers on effectiveness, efficiency, and transparency.

The takeaways we heard here may not be new, but they are truer than ever. Firstly, operate as a business unit. Identify the value provided, set a budget, stick to it, and support the business strategy. This kind of discipline helps anchor all subsequent conversations. Breaches are not the only reason CISOs lose their jobs...running major deficits with unclear direction and value will get you terminated just as easily.

Second, speak in a language the board and business units understand. They actually understand the risk when it’s put in the right context. Because security in many ways is like insurance – a premium to protect against an invisible, potential eventuality -- it’s still challenging to communicate the critical value. Nevertheless, business leaders (especially CFOs) tend to grasp conversations that are risked-based, metric-oriented, and sound. Defining a methodology and reporting on it consistently has led to good results: approved budgets, clarity on direction, and support from subordinate teams/partners.

Coronavirus:

Despite fears over Covid-19 and an initial pullback from travelers, the conference was still busy. What this outbreak means to many companies and their security departments is still unclear. Many are tasking their threat intelligence to think through scenarios that may need to be mitigated, making this a great time to stress test your business continuity plan. We heard from many who will be doing so immediately and adding pandemic planning to the list.  Also, bad guys love to take advantage of hysteria. Spam messaging and phishing are using concern over the disease as bait. People thirsty for knowledge around the latest news or preventive cures could increase vulnerabilities. Security awareness programs are taking note. Alertness and abundance of caution seem to be high as the CDC and other experts race to understand how bad this will be and what it means for everyone. Take the opportunity to adjust risk models as we learn more.

The conversations needed out in many directions beyond the above (blockchain access permissions anyone?), but we’ll wrap here with these shared nuggets. Where is the edge of your practice today, and how is Covid-19 figuring in your plans moving forward?

We’d love to hear from you about any of the issues we covered above, and of course, we’d be happy to share more in-depth insights if you are interested.  Reach out with your thoughts and/or to dig in more with us, and stay sane (and healthy) out there!