Posted on Mar 9, 2020
RSA 2020 took place in San Francisco last week. While I was there, I spoke to dozens of CISOs and CIOs about the state of information security. I’d like to share some of the insights I took from those conversations below.
The CISO of a big oil and gas company told me that he doesn’t have time to deal with dozens of start-ups; instead, he expects consolidation in the security space. Where there isn’t one big vendor, a CISO wants seamless integrations and workflows between their vendors.
It felt to me that purchasing decisions placed more emphasis on application security and less on network security and endpoint security solutions. This need made a lot of sense: in today’s cloud era, everything is delivered through the web, so application security attacks will be prevalent.
Never forget that your customers’ trust is one of your company’s most important assets.
Case in point: I heard a GM of a major company’s security unit say over dinner on the sidelines of RSA: “People buy from us because we are trusted, not always because we have the latest, greatest AI algorithm out there.” Trust in your brand and the reliability of your customer service are very important.
“Cybersecurity teams should highlight their successes publicly in order to counter a widespread morale problem in the industry,” said Rohit Ghai, president of RSA Security.
The fact that they’re not doing so already highlights a communication gap between management teams and CISOs. CISOs are struggling to find uniform ways to communicate their security posture and performance to their boards and management committees. While almost every CISO I spoke to acknowledged that their budget for 2020 has increased from 2019 (which is good), they also acknowledged that they have no idea how to quantify cyber risk. For example, if they buy $1 million worth of the latest malware prevention technology, most CISOs had no idea if it made them 5% more secure, 10% more secure, or 0% more secure.
Communicating to the board and building effective interdepartmental relationships between security and the business side of an enterprise will continue to be crucial in ensuring security.
There may be no one at RSA 2020 who enjoys questionnaires. CISOs hated filling out the same long questionnaires in an attempt to prove to the companies they do business with that they are safe. At one panel that I attended, a CISO called them a headache.
Security vendors are also tired of filling out questionnaires. To most, questionnaires are time-consuming and not worth the money or effort to fill out properly. One CISO of a security company mentioned to me that she “would love to see these questionnaires go away because they’re just a migraine for [them].” The vendor completed over 350 security questionnaires in the last year alone, but she didn’t fill them out — her interns did. Her interns answered hundreds of questions by copying from company policies and prior questionnaires. Why? Because the companies requiring the questionnaires aren’t even reading them; they’re only requesting them to check a box for compliance.
There is a shortage of skilled cyber talent in our industry. Some measures are being taken to compensate for that. For example, I saw a few companies offering training to up-level their existing teams to become cyber professionals.
Our SecurityScorecard CISO Paul Gagliardi spoke on a panel with folks from Microsoft, Starbucks, and other companies, and I enjoyed Starbucks global CISO Andy Kirkland’s remark that the “best training is in-the-moment training”. Humans learn better with a little adrenaline rush; once they know they got phished, they might be more careful in the future.
To conclude, it was an amazing event for SecurityScorecard. By the numbers: we had over 130 customer conversations, our team presented on more than 5 different panels, and more than 2,000 interested parties asked about security ratings.