Sunday, June 12, 2022

From The RSA Conference: What The CISOs Are Saying For 2022

Just last week, the RSA Conference was held.  It is the biggest Cyber gathering on a global basis, where pretty much every vendor under the sun comes out, sets up a booth, and showcases its latest products and solutions. 

Keep in mind that this is not an event for just the larger Cyber companies; startups are welcome to have a booth there as well.  It is also a time when the leaders in Cyber, and not just those from the business community, come out to share their thoughts and ideas.

This year’s RSA Conference was a very special one, because it was the first face-to-face one in two years, ever since COVID-19 struck.  With so many people attending, a lot of attention was paid to the CISOs there, who were asked for their thoughts as we now head into the second half of the year.

So what is concerning them for this time period?  Here is what was discovered:

1)     The lack of workers:

While the worker shortage has been a known fact for quite some time, this is the first time I have seen CISOs actually disclose that they are worried about filling their empty spots.  Although this feeling was echoed by many of the SMBs, those with 50 or fewer employees are really feeling the pinch.  The companies polled were also concerned about employees maintaining a strong level of Cyber Hygiene, and about supply chain attacks such as the one illustrated by SolarWinds.  Even the vetting process used to find the right third party to work with is a strong concern, especially for healthcare organizations.

2)     The movement to the Cloud:

With the Remote Workforce now a permanent fixture in Corporate America, many businesses are moving to the Cloud 100%, meaning they are getting rid of their On Prem infrastructure and adopting a Private Cloud or even a Hybrid Cloud.  Interestingly enough, it is the SMBs that are taking the lead here, not the bigger companies.  For example:

*75% of the SMBs (those with fewer than 50 employees) have either made a full migration to the Cloud or are planning to. 

*Only 13% of the larger businesses (those with more than 10,000 employees) have fully adopted the Cloud.

Not surprisingly, software security, especially where open-source APIs are involved, is a top concern for CISOs (at 62%), as is the implementation of DevSecOps (at 54%). 

Also, the reason the larger companies have not totally migrated to the Cloud yet is that they still have a lot of legacy infrastructure that has to be moved over.  Since they have larger balance sheets than the SMBs, they can afford to wait before taking the big plunge.

3)     Cybersecurity Insurance:

Not surprisingly, this is a need that many CISOs echoed at the RSA Conference.  But they also admitted that they are having a much harder time getting a good policy, because of all the compliance checks now being demanded by the insurance carriers.  Another huge impediment is that coverage for Ransomware payments is no longer included in many policies, along with escalating premiums because of the rise in inflation.  In this regard, the insurance carriers are also being blamed for imposing blanket requirements without assessing the true security environment of an applicant.

My Thoughts On This:

Some good news here is that 74% of the CISOs polled think they will see an increase in their budgets in the second half of this year.  But on the downside, only 24% are making use of Threat Intelligence.  This is quite surprising, since there are many automated tools out there that can help not only analyze the current threat landscape but even predict what the future holds.  This is an area that needs to be watched very closely.

In the end, the one question that did not get asked is how long the traditional role of the CISO will last.  IMHO, the days of hiring a traditional CISO with a great salary, perks, benefits, and stock options are now coming to an end, most likely this year.  Many businesses are now starting to understand the value of a vCISO.
