• United States




6 takeaways (and 3 predictions) from CISO meetings at the RSA Conference

May 08, 20185 mins
Data and Information SecurityIT GovernanceNetwork Security

The most effective way for divining the current state of enterprise cybersecurity practices is to talk to a number of CISOs representing different industries and to distill those conversations into an overall model.

Credit: Thinkstock/RSA

Here’s the problem: at my normal rate of approximately two conversations with Chief Information Security Officers (CISOs) per month, the “present discounted value” of the information gathered never quite brings this picture into clear focus – this is where the RSA Conference comes to the rescue.

Lessons learned from RSA Conference 2018

If you work in the cybersecurity industry, April was marked on your calendar as the month the now mammoth RSA Conference that took place in San Francisco. While this is always a time to catch up with former colleagues who also work in the security business, it also presents a unique opportunity to meet with many CISOs in a short span of time. I personally took part in approximately 12 meetings with CISOs over a span of three days.

Here are some of the things I learned from those meetings:

  1. The notion that a strategy built primarily around preventing bad things from entering an environment is effective seems to have finally been put to rest. The rebalancing of investments around true defense-in-depth – arraying your prevention technology to take care of the known bad and having tools and people ready to deal with threats still making it through – is well underway.
  2. CISOs are still experimenting with how much preventive effort is enough and when to begin doubling down on their detection and response capabilities. My description of this to them seems to resonate: prevention is noise-reduction while detection is signal amplification. There is no perfect answer for what mix produces the clearest signal.
  3. The hype surrounding artificial intelligence seems to have abated somewhat. Most CISOs view Artificial Intelligence (AI) as an automation technique and are now asking the right question: “what AI will actually do for me?”
  4. There’s muddled use of the terms “artificial intelligence”, “data science” and “machine learning”. AI can exist without Machine Learning (ML) – remember “expert systems” of a couple of decades ago, which were a very different form of AI. Data science need not use ML – it’s just the use of algorithms to extract meaning out of data. ML is having an algorithm learn from data rather than having a human encode the logic. There’s still plenty of work for humans to set up the data, possibly label it, select features for the algorithm and tune it to achieve the desired results – in other words, it’s not magic.
  5. Lots of companies are experimenting with data lakes and data ponds (and maybe even data puddles). The precise end goals of those experiments are not very clear. They usually start with collecting a lot of different kinds of data in a Hadoop or Elasticsearch cluster and then unleashing data scientists on those clusters. The data scientists hired for each problem domain tend to have no background in that domain – e.g. an ex-physicist is hired to do data science for cybersecurity. And each problem domain has at most 1-2 data scientists working on it.
  6. I did not hear a single customer claim success in real-time detection of cyberattacks with their cybersecurity data lakes, but there were examples of them being able to perform better investigations and forensics after-the-fact. And even before RSA, I have heard of several companies declaring their first foray into the crossroads of data science and cybersecurity a failure – either because they never were able to get value out of it or because it became impossible to maintain the value over time. Against this backdrop, retention of data scientists is also an issue.

3 predictions for RSA Conference 2019

It’s interesting to consider what 2019 will bring. Let me take a crack at three predictions:

  1. The prevention vs detection balance will have matured. More investment in products and people will have shifted from the prevention column to the detection column with emphasis on commercial products that leverage data science to improve the performance of the prevention side and to wrestle meaning out of data for the detection side.
  2. Cybersecurity data science experiments will continue – with some companies still going through their first iteration and others starting on their second one. This experiment is mirrored by other parts of their organizations also trying to extract value out of data science. And retention of data scientists will continue to be an issue as their skills are in high demand in almost every industry and working on endeavors that do not appear to be succeeding leads to unhappy employees.
  3. Like the rather unfocused-SIEM projects of a decade ago that eventually became focused on specific use cases, security teams will learn to focus their cybersecurity data science efforts on tractable problems for which they have the necessary data and skills. Crawl, walk and, eventually, hope to run.

All in all, it was a super productive week. I would need to log about tens of thousands of air miles to have as many quality meetings with this number of CISOs. That would involve a lot of time in airports, plenty of jet lag and lots of bad airplane food.

Come to think of it, maybe we can just fast forward to RSA Conference 2019.


Oliver Tavakoli is chief technology officer at Vectra, where his responsibilities include setting the company strategy which spans the security research and data science disciplines. He is a technologist who has alternated between working for large and small companies throughout his 30-year career.

Prior to joining Vectra, Oliver spent more than seven years at Juniper as chief technology officer for its security business. Oliver joined Juniper as a result of its acquisition of Funk Software, where he was CTO and better known as developer No. 1 for Steel-Belted Radius – you can ask him what product name came in second in the naming contest.

Prior to joining Funk Software, Oliver co-founded Trilogy Inc. and prior to that, he did stints at Novell, Fluent Machines and IBM. Throughout his career, Oliver has annoyed colleagues by his insistence that words be spelled correctly.

Oliver lives bi-coastally – he lives in California, but continues to harbor illusions of spending July and August "working" from his summer house on the New England coast. Oliver received an MS in mathematics and a BA in mathematics and computer science from the University of Tennessee.

The opinions expressed in this blog are those of Oliver Tavakoli and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.