RSA 2020 took place in San Francisco last week. While I was there, I spoke to dozens of CISOs and CIOs about the state of information security. I’d like to share some of the insights I took from those conversations below.
1. Consolidation of vendors: CISOs are increasingly interested in doing business with fewer companies.
The CISO of a big oil and gas company told me that he doesn’t have time to deal with dozens of start-ups; instead they expect consolidation in the security space. Where there isn’t one big vendor, a CISO wants to have seamless integrations and workflows between their vendors.
It felt to me that there was more emphasis on application security for purchasing decisions and less emphasis on network security and endpoint security solutions. This need made a lot of sense; ultimately in today’s day and age of the cloud, everything is delivered through the web, so application security attacks will be prevalent
2. Trust matters. Sometimes more than everything else.
Never forget that your customers’ trust is one of your company’s most important assets.
Case in point: I heard a GM of a major company’s security unit say over dinner on the sidelines of RSA: “ People buy from us because we are trusted, not always because we have the latest, greatest AI algorithm out there.” Trust in your brand, and the reliability of your Customer Service is very important.
3. There’s a communication gap between the CISO and the board.
“Cybersecurity teams should highlight their successes publicly in order to counter a widespread morale problem in the industry, “ said Rohit Ghai, president of RSA Security.
The fact that they’re not doing so already highlights a communication gap between management teams and CISOs. CISOs are struggling to find uniform ways to communicate their security posture and performance to their boards and management committees. While almost every CISO I spoke to acknowledged that their budget for 2020 has increased from 2019 (which is good), they also acknowledged that they have no idea how to quantify cyber risk. For example, if they buy $1 million worth of the latest malware prevention technology, most CISOs had no idea if it made them 5% more secure, 10% more secure, or 0% more secure.
Communicating to the board and building effective interdepartmental relationships between security and the business side of an enterprise will continue to be crucial in ensuring security.
4. Questionnaires: A headache for every CISO.
There may be no one at RSA 2020 who enjoys questionnaires. CISOs hated filling out the same long questionnaires in an attempt to prove to the companies they do business with that they are safe. At one panel that I attended, a CISO called them a headache.
Security vendors also are tired of filling out questionnaires. To most, questionnaires are time-consuming and not worth the money or effort to properly fill them out. One CISO of a security company mentioned to me that she “would love to see these questionnaires go away because they’re just a migraine for [them].” The vendor completed over 350 security questionnaires in the last year alone, but she didn’t fill them out — her interns did. Her interns answered hundreds of questions by copying from company policies and prior questionnaires. Why? Because the companies requiring the questionnaires aren’t even reading them; they’re only requesting them to check a box for compliance.
5. Our industry must address the trained cyber professional gap.
There is a shortage of skilled cyber talent in our industry. Some measures are being taken to compensate for that. For example, I saw a few companies offering training to up-level their existing teams to become cyber professionals.
Our SecurityScorecard CISO Paul Gagliardi spoke on a panel with folks from Microsoft, Starbucks, and other companies, and I enjoyed the quote from Starbucks global CISO Andy Kirkland, that the “best training is in-the-moment training”. Humans learn better with a little adrenaline rush; after they know they got phished, they might be more careful in the future.
Final thoughts
To conclude it was an amazing event for SecurityScorecard, by the numbers we had over 130+ customer conversations, our team presented in 5+ different panels and had over 2000+ interested parties in security ratings.