We Need a Better Mousetrap: Insights on Security from Key CISOs at RSA

While at RSA last week I had the pleasure of attending the T.E.N breakfast which brought together CISOs from Aetna, Cox Automotive, SunTrust Bank, Target, and The Coca-Cola Company.

During this highly informative and entertaining session, these leading influencers provided some great insight into their security challenges, trends and observations.

Severe shortage of skilled security staff. Every single one of the CISOs on the panel stressed this problem again and again – its directly impacting their security strategy and detection and response measures. Target mentioned that they currently have 40-50 open positions in their security department.

Data overload. Security tools are generating enormous amounts of data, but are lacking the ability to analyze and correlate this data into meaningful metrics, via a single pain of glass.  The problem is further exacerbated by the lack of personnel with the right skill sets to manage these tools and digest and process the data.

The threat landscape is changing every 30 days. There an urgent need for a way to prioritize alerts by criticality. Right now, resources are being allocated based on the highest perceived risk, with fingers crossed that they’re getting it right and will get to keep their jobs.

Its everyone’s problem. Security has been elevated to a key strategic initiative which now involves business and legal decision makers in addition to IT.

Look at the behavior. Aetna’s CISO stressed that it’s critical to expand the use of behavioral analysis and authentication to detect anomalies and fraud, especially with phishing attempts on the rise.

Its cloud time. The Coca Cola Company’s CISO spoke about how his organization is in the process of moving their business applications to the cloud. Like on-premise, cloud-based apps often share data and integrate with 3^rd party apps which may also store data on their own cloud platforms. Thus there is a critical need to be able manage security across these complex environments, and be able to track where all the data is located.

We need a better mousetrap. Last but not least, with cyber attacks happening every single day all the CISO stated that there’s a critical need for better solutions to detect and prevent them. SunTrust Bank, for example, mentioned that they are in the process of re-building their SOC from the ground up “to create a better mousetrap”.

These observations are very much in line with what we heard from our own customers and booth visitors at RSA:

There’s a growing appetite for automating security. There is more data, more alarms and security events than ever before, yet every one’s suffering from a lack of staff to deal with them. Companies are now realizing that automation is the only way to go if they want to “get back time” and spend it on strategic initiatives and fighting fraud the instead of struggling to keep the lights on.

Security is strategic. In line with the CISOs observations, we’re seeing more and more interest in our application centric approach to security policy management, which gives the business managers the power to take responsibility for the security of their applications. This interest manifested itself in the surprisingly high number of non-technical, business and legal folk, who visited our booth at RSA wanting to learn more about our solution and how it fits into their organizations.

The professional era of the cloud is now here. Like The Coca Cola Company, we heard from many companies, including financial institutions, that migration to the cloud is now a given– and will happen sooner rather than later. Yet while there is no empirical evidence that the cloud is less secure than physical on-premise data centers, the security team is usually less than thrilled with the prospect, and are often being dragged into the cloud – sometimes kicking and screaming. They fear a loss of control, somewhat understandably. Security controls in the cloud are very different to on-premise and, as we found out in our recent survey, most companies have little idea what they need, and how to incorporate and manage these controls across their hybrid environments.