Succeeding in the Age of Security Confusion: A Look Back at RSA Conference USA 2015

Continuous automated threat removal, active breach detection, applied intelligence, machine learning, behavioral analytics, shadow IT, agentless integration, advanced next-generation threat (you pick it) detection / prevention / protection / defense, data science this and data science that … it’s enough to make your head spin. I suspect it’s not actually a new condition, but in walking away from the 2015 RSA security conference it dawned on me that, as an industry, information security is in an Age of Confusion.

Think about it. On one hand we are experiencing an unprecedented explosion of new security technologies, products, and solution providers. According to RSA’s own stats, there were 503 exhibitors at this year’s show. 503! … each with its own, too-often confusing 3 to 5 word phrase for describing and differentiating what it is they do. Ugh. Even for a seasoned security professional it’s simply too much to parse. I can’t tell you how many times I overheard someone (often myself) saying: “so what exactly is it you do?”

But wait, we haven’t even gotten to the other hand yet. What about all those poor newbies? What about the rapid influx of new personnel into information security from other areas of IT, or worse (for them) other areas of the business? Can you imagine what it must be like for them, awash in a sea of well-meant but utterly confusing terminology, catch-phrases, and technical mumbo jumbo? If it were me, after the third booth I would have plunked myself in the relaxation lounge and probably never left … that is, at least not until the pub crawl started.

Seriously though, what you need to do about this situation differs based on who you are.

Vendors. For the fine purveyors of all these shiny new security solutions, my advice is:

#1 Keep it simple. It’s okay to have a pithy label for what you do. After all, the better ones can actually become quite “sticky.” From there, though, you’d better be able to quickly boil things down. Answer these questions first and do so, ideally, in five sentences or less: What’s the problem you solve? How are you different? What’s the value you deliver?

#2 Show ‘em a picture. We all know a picture is worth a thousand words. But what I HATE is when a pitchman dives into the nitty-gritty of how their solution does what it does and is different before I have a grasp on its physical architecture, i.e., what are its main components and where do they reside. Are we talking client-side agents or network appliances? In-band or out-of-band? On-premises or in the cloud? A single picture is great for answering all of those questions, too.

#3 Come with a plan. There are no security silver bullets. It is inevitable, therefore, that every security team will need to create a defensive architecture composed of multiple technologies and products. With all of the innovation and fine-slicing of differences/approaches that is occurring in the market, coming up with an architecture where everything fits together in a way that minimizes the outstanding gaps has become a major undertaking. As a result, any vendor that can clearly show how their solution fits into that bigger picture – not to mention, what that bigger picture actually looks like – will almost certainly have an advantage over its competition.

(#4 Call us. CyberEdge Group routinely helps its clients with all of these items, and much more.)

Users. For all of the enterprise security practitioners that need to make heads or tails of all the solutions in the market and ultimately stitch a bunch of them into an effective set of defenses, I encourage you to take an approach similar to this:

#1 Build/adopt a plan. See #3 from the vendor’s section above. Without a plan/architecture you are destined for a patchwork of solutions featuring tons of redundancy and/or gaps through which the bad guys will be able to drive a bus.

#2 Figure out where vendor X fits into your plan. Ask questions like these to quickly triangulate on what they do: What problem does your product solve? Who are your closest competitors? What are the most significant differences between your product and each of those competitors?

#3 Figure out if they’re worth talking to more. Without exposing any details of your plan/architecture, ask them to paint a picture of where/how their solution “fits in,” what it doesn’t do, and what else you’ll need to purchase to accomplish your objectives. Based on their response, you should have a pretty good idea if they’re worth talking to further, or if it’s time to move on to the next booth/vendor on your list.

As always, let me know your thoughts on my thoughts. And happy hunting!
