Letter from Kevin West, CEO, K logix March '17

THE 3 BILLION DOLLAR NOISE MACHINE
After yet another article listing the Top 500 security products popped up in the news, I realized I had hit my tipping point. As security practitioners, we want to focus on strategic, business-enabling objectives, yet can sometimes be clouded by the overly saturated amount of data being thrown in our direction. As CEO of a security organization, my problem is the same problem many CISOs face, with an enormous influx of similar messaging and clutter in the market.

According to CB Insights, venture capitalists and investors poured $3 billion into more than 300 deals in the cyber security industry in 2016 alone. That’s a lot of powerful organizations betting on the growth of the cyber security market.
What does this mean for CISOs?

Well, it means there are plenty of innovative products to check out, but also a lot of noise and distractions. These well-funded security startups have CISOs in their sights. With these investment dollars, startups are attempting to dictate security conversations and frame challenges in terms of their own solutions.

It takes a lot of discipline from a CISO not to be distracted by all the bells and whistles on display. The vendor onslaught combines with daily, sometimes hourly, news headlines about data breaches. It is no wonder that CISOs sometimes feel like they are trying to get their work done in a packed football stadium. It can be hard for even the most mature CISOs to concentrate on their strategic priorities.

In this issue of Feats of Strength, we profile many CISOs who are veterans of the industry. While they report an increased number of startups on the scene, they have suggestions for how other CISOs can manage it all. In his profile (pages 16-17), Ed Ferrara, CISO at CSL Behring, says, “The VCs see this [the threat landscape] as a growth industry.” He continues, “At the end of the day the customer needs to do a lot of due diligence. Speaking as a former analyst, I can say that due diligence means doing more than just reading the analyst report and buying the recommended technology. Consider how the technology fits within your business model.”

In his profile (pages 6-7), Michael Coates, the CISO of Twitter, suggests making sure any new security technology investments make sense for your organization. Does it solve a real and pertinent challenge, and can it run without a big time and management investment from your team? Coates says, “Security needs to be scalable, fast and effective at addressing real problems. Security technologies that create a lot more work for already overburdened security teams are not helpful. If I can trust a security solution to do its job then I can focus my team’s efforts on one of the many other issues we face.”

We cannot ignore that some of the noise distracting CISOs and their teams comes from within the existing security infrastructure. Many companies already run 20 to 30 information security products, which produce countless notifications and alerts. In an article on effectively leveraging and managing technology investments, Don Cook, Director of Program Management for K logix, suggests that every information security solution, whether already installed or yet to be purchased, should be evaluated based on operational impact, risk mitigation and financial impact to the business. “If you cannot tie a product back to your vision and security strategy, then it is not a sound investment,” says Cook.

Dr. David Reis is the CIO at Lahey Hospital and Medical Center. Formerly a CISO, Dr. Reis asks himself two questions every day. These questions help him stay focused on business priorities.

He asks:
“Have I made it easier for my organization to successfully implement digital strategy?”
“Did I communicate security’s impact on business effectively, and in our specific business language, to other executives?”

Dr. Reis’ two questions should guide CISOs’ actions this year. It is impossible not to acknowledge the noise, but CISOs have a job to do, and that is to enable a secure environment for their business. CISOs who create a comprehensive security plan and routinely cross-check financial and time investments against their plan will have the most success blocking out the noise and delivering on their promise to the business.

THE CYBER SECURITY INVESTMENT CRAZE
Most funded security products in 2016:
  • Mobile security
  • Vulnerability & risk management
  • Network security
  • SCADA security
  • Incident response

Back to business? The market for startups is slowing down (slightly)
  • 2015 saw $3.75B invested across 336 deals, compared to 300 deals and $3 billion in 2016.
