Last week, I wrote about the rapid cycle of innovation happening with security technologies today — I’ve never experienced a time when every element of the security stack is transforming.
New security technologies are arriving at an opportune time. According to ESG research, 69 percent have increased their cybersecurity budgets in 2017, and my guess is that they will continue to increase investment in 2018. And when asked which BUSINESS initiatives will drive the most IT spending, 39 percent of organizations responded, “increasing cybersecurity protection.” This means business executives are buying into the need for cybersecurity improvements all around.
So, it seems like transformative security technologies are arriving at the right place and time, right? Not so fast. Many of the technology changes I wrote about last week remain in their genesis stage and haven’t been deployed yet for several reasons including:
- A cybersecurity culture clash. In today’s market, there is a huge cultural gap between suppliers and customers. Cybersecurity professionals are paid to look at every angle of technologies, looking for vulnerabilities open for exploitation. This makes them skeptics by nature. Alternatively, new technologies are often pushed by startups marketing silver-bullet solutions. And let’s not forget about Sand Hill Road VCs. Once they invest in a company, they turn marketing staffers loose to pump up portfolio companies with buzzword bingo claims.
These mixed agendas set up a situation where risk-averse CISOs looking to bolster the security of their business are met with rhetoric and hyperbole. Little wonder why it takes so long for vendors to develop trust and bridge this cultural gap. - A desire to exhaust the old before trying something new. When new requirements arise, it’s only natural to see if existing security controls can be fine-tuned to address these needs. In some cases, this strategy is worth pursuing. For example, turning on advanced controls on endpoint security software can help increase the efficacy of threat prevention. On the other hand, existing security controls may be a mismatch for some new requirements.
ESG research indicates that 92 percent of enterprise organizations tried to secure cloud workloads using traditional network security controls, but ultimately, 74 percent of them had to abandon some or all of these controls because they proved to be incongruous with this new use case. Rather than make mistakes, some CISOs simply choose to let others act as security innovation guinea pigs. - The cybersecurity skills shortage. ESG research from early 2017 indicates that 45 percent of organizations admit to a “problematic shortage” of cybersecurity skills. This means they are understaffed and lacking skills in critical areas. New technology projects take time to research, test, purchase, provision and operate. In many cases, organizations simply don’t have adequate time or resources to proceed. One CISO recently summed up this predicament to me when he declared, “My number one job is to keep vendors away from my security staff.”
- A changing organizational model. This is particularly true with new and innovative cloud security technologies. In many cases, product selection, procurement, and operations includes groups such as software developers, cloud computing architects, and DevOps — antithetical to old-guard security pros. Security vendors may know how to secure cloud-based workload, but they have no idea how to communicate and work with these burgeoning IT functions. Once again, this cultural divide can slow down new security technology projects.
There is also a general state of confusion in play. When a vendor touts a new solution based upon machine learning, what does this mean? Does it matter? Answering these questions takes time and effort.
There is work to be done on the supply and demand side to improve the efficient delivery of innovative security technologies that have the potential to add real value.
On the demand side, CISOs must monitor changing threats, vulnerabilities and security requirements and then task security engineers to research and report on new innovations. Cybersecurity professionals should also participate in professional associations, such as the Information Systems Security Association (ISSA), so they can quickly gain wisdom from common experiences with new technology.
Security technology suppliers must abandon their packaged goods market approach, put time into understanding the concerns of CISOs, and develop real empathy for their customers. BTW: There are no shortcuts here.