The security industry remains strong with computer science, but weak on IT

Vendors need better understanding and empathy about CISOs, security professionals, and business objectives

Last week, I was in Silicon Valley meeting with a parade of CISOs and security vendors. Business travel is no “day at the beach,” but these trips really help me keep up with the latest enterprise security challenges and potential technology solutions. It was also nice to spend time in the Valley and re-charge my batteries toward the security industry. There was a lot of excitement out there as a result of business growth, VC investment, and the wildly successful FireEye IPO. I had a number of meetings with security vendors, discussing the threat landscape, anti-malware technologies, emerging trends in network security, and my latest pet topic, big data security analytics. These meetings are wonderful geek sessions around topics like metamorphic malware, machine learning, and global threat actors. Nevertheless, there is one problem that I’m constantly reminded of during these trips: Many security technology vendors have fantastic computer science chops but they really don’t understand the IT and security organizations of enterprise customers and prospects. To be more specific: 1. Very few are prepared for a CISO-level discussion regarding enterprise-wide security and how it relates to the business. 2. Ongoing management and operations is a major enterprise security challenge. This is a critical security consideration in all cases. 3. Security is a process not a product. How does each product then fit into the process? 4. Security skills are in short supply so all vendors should anticipate that customers will be under-staffed and lacking critical training and experience. I realize that CISOs are not involved in every security technology purchase but security vendors must remember that they ARE responsible for the whole enchilada. This means that security vendor should be able to describe how their particular security widget contributes to greater protection and lower risk. Furthermore, CISOs (and many successful security professionals) care about security efficacy but that’s not the only thing they consider. Most of the CISOs I speak with are also concerned with streamlining/automating security operations, increasing the productivity of the security staff, and enabling secure business processes. These critical topics should be part of every security vendor’s value proposition. ESG data indicates that many CISOs are looking to implement enterprise-class, integrated security solutions with central command-and-control, big data analytics capabilities, and distributed policy enforcement. In this type of security strategy, vendors will have to work with CISOs and the security staff on 5-year implementation plans, project management, short- and long-term goals, defining metrics, and business-centric ROI justification. These requirements provide a distinct advantage to existing enterprise vendors like Cisco, Dell, EMC, HP, IBM, and Oracle, as well as service providers like Accenture, CSC, E&Y, Leidos, PWC, and Unisys. The rest of the security industry has to double-down on “C-level” enterprise security skills or create partnerships with other vendors and service providers with these skills.

New! Download the State of Cybercrime 2017 report