The State of InfoSec - A Change is Gonna Come

April 23, 2019

Last month, I traveled to San Francisco for one of the largest Information Security exhibitions of the year – the RSA Conference (RSAC). As a technologist, I always look forward to attending events like RSAC because they provide me with the opportunity to learn about hundreds of emerging technology solutions and gain an updated perspective on the trends driving an industry. Returning to the newly renovated Moscone Center and featuring more than 700 exhibitors, the 2019 edition of RSAC US was the largest to date. Needless to say, I was optimistic about my chances of uncovering at least a few solutions to consider for Expedient’s Compliance and Security suite.

If you follow me on LinkedIn or Twitter, then you probably already know that I came home to Pittsburgh disappointed. The vast majority of the solutions I encountered at the Moscone Center were derivative, weren’t innovative, and were being sold on fear, not business value. The similarity of the solutions exhibited at RSAC was such that they can be categorized into six main buckets:

  • Identity, privacy and compliance enforcement
  • Freeware software turned into paid fear services
  • Traditional (on-prem shrink wrap) security information and event management (SIEM) and next-generation (built in the cloud) SIEM
  • Consumer/User Education solutions
  • Network Security (Layer 3-4 and Layer 4-7)
  • MSSPs and VARs offering consulting and managed services

With so many solutions in so few business verticals, how would anyone be able to select a vendor that’s right for their business? Needless to say, after attending the conference I have concluded that the current state of the security industry is complex and confused with a murky value proposition, which explains the widespread use of fear-based selling tactics I witnessed at the conference. These are all signs that this industry is primed for disruption. A week or so after RSAC ended, 451 Research published a roundup of key insights from the show – several of which validated my takeaways.

To provide you with some context at a high level, a few of 451’s main takeaways are listed below. However, I encourage you to download and read the short, 4-page report in its entirety as it will provide you with a deeper understanding of the trends driving the InfoSec industry and how it impacts your business.

451’s Take on the RSA Conference:

  • “While there are products that seek to address the security problems that crop up as new technologies become widespread, trends such as container security are a continuation of a multi-year theme at RSAC. One macro theme evident is the rise of the developer as an enabler for security.” – Daniel Kennedy, Research Director, Voice of the Enterprise: Information Security
  • “In cloud security, we’re still dealing with the disconnect between security operations in traditional environments and cloud-native. It was nice to see more traction for container security topics, but there’s a lot more to be done.” – Fernando Montenegro, Senior Analyst, Information Security
  • “Interest in the zero-trust phenomenon continues to grow… Reactions to zero trust remain fairly balanced between optimism, curiosity and skepticism, with a growing awareness among attendees that zero-trust is more of a philosophical approach or process than an actual product or product category.” – Garrett Bekker, Principal Analyst, Information Security
  • “… the traditional enterprise routine of buying more devices, applications and tools to protect the organization is steadily fading away. While some of that spending has shifted to people, including employees and contractors, most of the spending is being reallocated to third-party supplied security services.” – Aaron Sherrill, Senior Analyst, Managed Security Services

From my perspective, the most important InfoSec takeaway from this list is the concept of approaching cybersecurity from a “philosophical” or process-oriented approach instead of a traditional, product-oriented approach. To protect the ever-growing security perimeter of multi-cloud environments, organizations must adopt sound security practices and methodologies on a company-wide scale. In today’s multi-cloud world, it’s not about the number of expensive security tools you deploy… it’s about creating and adopting processes across every line of business that put security at the forefront.

You’re probably wondering how you will find the time, internal cooperation, and resources to execute such a complex initiative. This is where Expedient comes in. We take care of all of the day-to-day IT functions that are causing you and your team headaches right now – like managing data centers, software licenses, security patches, network appliances, and backups. See how our managed services can help your business focus on its strategic initiatives, or contact me directly for more information. Just think about all of the extra time and resources you will have to focus on creating and implementing your new InfoSec strategy.

As Expedient’s Principal Technologist, AJ Kuftic is responsible for driving technology change and helping customers understand the capabilities of Expedient’s solutions. Follow him on Twitter.
