Reflecting on my recent pilgrimage to RSA Conference, and on conversations with CISO and vendor peers and friends, I draw two overarching conclusions: (1) hot themes emerge that cluster all solutions – as well as the VC investments in them – together into what appears to be ‘the CISO’s new priority area’; and (2) these themes add further complexity, and thus cost and friction for the business, in maintaining, operating, integrating and attempting to fully benefit from the newly introduced technologies.
When I was a CISO, vendors would often approach me with their solutions to what they thought – and in some cases even ‘prescribed’ – was my most significant challenge du jour. In most of these cases the assessment was far off the mark and, if followed, would have required kicking off a multitude of conflicting, longer-running programs competing for scarce resources, programs that once operational would go on to require those scarce resources permanently. My most pressing problems were mostly political in nature, or related to budget, gaining business buy-in, reducing technical debt and so on – relating more to the why than to the how. Where they did pertain to how to achieve something is where my realization of the many blind spots we suffer from in InfoSec stems from.
The Right X
When one starts looking at the types of problems we solve as an industry, and especially the way in which these are solved, one quickly realizes that we do not solve for the right x.