Black Hat is a busy show, plain and simple.
But it offers a rare opportunity to place one's finger on the pulse of the security community and get a feel for what's on people's minds. CSO had a chance to sit down at this year's Black Hat USA with Accuvant Chief Security and Strategy Officer Jason Clark and Director of Information Security James Robinson and chat with them about the most popular buzz they've been hearing and what they think is important to the security community right now.
The role of the CSO
Accuvant holds a dinner at Black Hat each year that plays host to dozens of the industry's top CSOs, and it was at the dinner this year that Clark says there was a lot of chatter about the role of the CSO. In light of recent major events (Target comes to mind), it would appear that the role is changing, for better and for worse.
"The change, without a doubt, is that all of a sudden, CSOs are like, 'Holy crap, everyone can get fired for this,'" says Clark. "It's being recognized that it's a tough job, and I think that's good. We're getting more attention than we've ever gotten, most people are not ready for that attention because they're not ready to speak to the business. They're lacking those business skills."
Robinson adds, "Everyone at my table, they were interested in the board conversation. What are you presenting? Is it risk? How do we move the needle? They don't even know how to go to their boss [the CIO] and say, 'What do I present?' They don't have that help. So they're having to reach out to their peers at other companies and say, 'Help me out.'"
Though CSOs may not know what to do with the resources once they get them, we asked Clark whether the general consensus is that CSOs are, in fact, getting all of the resources they want and need. It's a common lament on the part of security leadership: they're asked to do a lot with only a little, because executives want ample protection but aren't willing to spend that much money on it.
He says that these days, CSOs can usually get what they ask for, but now the problem is that they're not using the resources effectively.
"It really depends on if they're able to sell and align it to what the business is able to accomplish," says Clark. "This is a factor: with resources like money, they are getting more resources, but I don't see them building a strategic enough program that aligns with the business. When asked to present a strategy, it's just a product roadmap…that's not a strategy. That's not going to grow and protect the business."
It isn't just a matter of building a more strategic approach, however, because these days, CSOs need more outside help as well. A one-man army approach is no longer an option.
"One thing that we're noticing is that they need to outsource," says Robinson. "They can't be the best at all of this stuff. They need to look outside the organization and take their little team and hone in on what's critical to the business."
We asked about any mobile concerns or risks that Clark and Robinson may have been hearing about at the show, but they maintained that mobile is no longer the topic du jour. One possible explanation for this is that it raises too many questions that simply cannot be answered yet, so people are just waiting for a solution.
"I've been seeing a couple of things on mobile," says Robinson. "I've seen some organizations that are trying to tackle it and feel that what they have today is getting them on the right path, but they still question the strategy a bit. They're waiting for adoption of new technology that has yet to come out. Then I see another group that's just throwing their hands up and saying, 'We don't know, we can't wrap this up.'"
Clark adds, "It's still too young. 18 months ago, mobile was the topic of every dinner [with CSOs] that we hosted. Now, I can't think of when the last time was that we heard about it. There's a lot of opportunity, but people are getting fed up."
Instead, they said, it would appear that cloud is more at the forefront of people's minds. That said, Robinson points out that cloud adoption presents the same issue as mobile -- everyone's data starts to get spread out and that makes it all the more difficult to secure.
"There are a couple of things coming together with mobile and cloud, so everything is everywhere at one time and it kind of all fell in our lap," he says. "And the technologies are still catching up. There are some good approaches out there, but we're still innovating."
Clark says that threat intelligence is "hands down" the most discussed topic at Black Hat this year, but the buzz has confirmed to both him and Robinson that there is hardly a unified approach to it. It is undoubtedly a complication, and Clark summed it up aptly. "Most of the people who we ask, we're going to get a different answer on what they think threat intelligence is, and I think it's confusing," he says.
As such, Clark and Robinson propose a simplified breakdown of the categories of threat intelligence and how only together can they become an asset for your company.
Though Clark mentions that threat modeling is an important honorable mention that many organizations overlook -- Robinson says that adoption rates are in the low single digits -- their first category is threat feeds. The feeds can be informational, says Clark, but they can also be used to implement reactive and proactive measures.
The second is targeted intelligence. "Let me know when someone is talking bad about my company," says Clark. "I'm a brand and Anonymous or Greenpeace or whoever doesn't like me, or maybe they already have my data. That's targeted. There's no technology in the world that can [detect] that. You need people."
And finally, there's adversarial intelligence, or researching the types of adversaries, their names, and the industries they target -- and ultimately tying it back and determining what that means for your organization.
"It paints a face to the bad guy for your bosses," says Clark. "You can say, 'Hey, this hacker group located in this area is going to launch an attack against, say, the oil and gas industry, we need to be ready for that.' It's valuable to be able to point to a group and say, 'They're here.'"
Unfortunately, Clark and Robinson have found that few teams tie all of these facets together to create a comprehensive approach to threat intelligence.
"A lot of the programs think all they need to do is receive that data and leverage and do something with it," says Robinson. "But capabilities need to come together between different aspects of threat intelligence."
Clark adds, "Category one to me is like Norse. The second is a company like iSIGHT, watching. The third is CrowdStrike, identifying groups. A lot of groups say, 'We've got one of those,' but that doesn't cover all your bases. It's only one of these three domains."
Though perhaps it's not something that's being discussed a great deal at this year's Black Hat, Clark added that, above all, it's important for the security community to work together.
"I think we are so outnumbered," says Clark. "There's such an importance and the community needs to unite in every way. We need to start helping each other."
Clark points to his and Robinson's founding of the Security Advisor Alliance -- a collective of CSOs that will ideally someday number in the multiple hundreds and assist each other in a self-help network -- as an example of such unity.
It's important, however, not just to establish a network to help current CSOs, but to also start planting the seeds to create the next generation of CSOs: Clark says that he would like to create a CSO university to "grow" the next CSOs, especially since there are so many positions open for them right now and supply is not meeting demand.
"It's going to be things like that that bring things together and help us turn the tide and win," says Clark. "Because right now, we're not winning."