6 takeaways (and 3 predictions) from CISO meetings at the RSA Conference

The most effective way for divining the current state of enterprise cybersecurity practices is to talk to a number of CISOs representing different industries and to distill those conversations into an overall model.

Here’s the problem: at my normal rate of approximately two conversations with Chief Information Security Officers (CISOs) per month, the “present discounted value” of the information gathered never quite brings this picture into clear focus – this is where the RSA Conference comes to the rescue.

Lessons learned from RSA Conference 2018

If you work in the cybersecurity industry, April was marked on your calendar as the month the now mammoth RSA Conference that took place in San Francisco. While this is always a time to catch up with former colleagues who also work in the security business, it also presents a unique opportunity to meet with many CISOs in a short span of time. I personally took part in approximately 12 meetings with CISOs over a span of three days.

Here are some of the things I learned from those meetings:

  1. The notion that a strategy built primarily around preventing bad things from entering an environment is effective seems to have finally been put to rest. The rebalancing of investments around true defense-in-depth – arraying your prevention technology to take care of the known bad and having tools and people ready to deal with threats still making it through – is well underway.
  2. CISOs are still experimenting with how much preventive effort is enough and when to begin doubling down on their detection and response capabilities. My description of this to them seems to resonate: prevention is noise-reduction while detection is signal amplification. There is no perfect answer for what mix produces the clearest signal.
  3. The hype surrounding artificial intelligence seems to have abated somewhat. Most CISOs view Artificial Intelligence (AI) as an automation technique and are now asking the right question: “what AI will actually do for me?”
  4. There’s muddled use of the terms “artificial intelligence”, “data science” and “machine learning”. AI can exist without Machine Learning (ML) – remember “expert systems” of a couple of decades ago, which were a very different form of AI. Data science need not use ML – it’s just the use of algorithms to extract meaning out of data. ML is having an algorithm learn from data rather than having a human encode the logic. There’s still plenty of work for humans to set up the data, possibly label it, select features for the algorithm and tune it to achieve the desired results – in other words, it’s not magic.
  5. Lots of companies are experimenting with data lakes and data ponds (and maybe even data puddles). The precise end goals of those experiments are not very clear. They usually start with collecting a lot of different kinds of data in a Hadoop or Elasticsearch cluster and then unleashing data scientists on those clusters. The data scientists hired for each problem domain tend to have no background in that domain – e.g. an ex-physicist is hired to do data science for cybersecurity. And each problem domain has at most 1-2 data scientists working on it.
  6. I did not hear a single customer claim success in real-time detection of cyberattacks with their cybersecurity data lakes, but there were examples of them being able to perform better investigations and forensics after-the-fact. And even before RSA, I have heard of several companies declaring their first foray into the crossroads of data science and cybersecurity a failure – either because they never were able to get value out of it or because it became impossible to maintain the value over time. Against this backdrop, retention of data scientists is also an issue.

3 predictions for RSA Conference 2019

It’s interesting to consider what 2019 will bring. Let me take a crack at three predictions:

  1. The prevention vs detection balance will have matured. More investment in products and people will have shifted from the prevention column to the detection column with emphasis on commercial products that leverage data science to improve the performance of the prevention side and to wrestle meaning out of data for the detection side.
  2. Cybersecurity data science experiments will continue – with some companies still going through their first iteration and others starting on their second one. This experiment is mirrored by other parts of their organizations also trying to extract value out of data science. And retention of data scientists will continue to be an issue as their skills are in high demand in almost every industry and working on endeavors that do not appear to be succeeding leads to unhappy employees.
  3. Like the rather unfocused-SIEM projects of a decade ago that eventually became focused on specific use cases, security teams will learn to focus their cybersecurity data science efforts on tractable problems for which they have the necessary data and skills. Crawl, walk and, eventually, hope to run.

All in all, it was a super productive week. I would need to log about tens of thousands of air miles to have as many quality meetings with this number of CISOs. That would involve a lot of time in airports, plenty of jet lag and lots of bad airplane food.

Come to think of it, maybe we can just fast forward to RSA Conference 2019.

Copyright © 2018 IDG Communications, Inc.

22 cybersecurity myths organizations need to stop believing in 2022