RSA is around the corner, which means tens of thousands of people will descend on Moscone Center in San Francisco, CA. Hundreds of innovative young companies will look for customers, props, and capital (especially at the Early Stage Expo!). Venture capitalists will look for opportunities to invest and find the next $1B IPO. Larger companies may well search for IP to complement larger platforms. CISOs will show up looking for solutions to today’s problems, with an eye toward tomorrow’s, and ask two key questions: What in this expo hall will help me better protect my company? And, what can I take OUT of my portfolio in exchange?
Considering this, I contacted several VC and tech sector colleagues to test an assertion in my most recent blog, which stated that perhaps the kind of innovation we’re likely to see at RSA can offer too much of a good thing when it comes to CISOs’ priorities. Is the market ready for all this innovation? Are there enough dollars available? Is the innovation meeting CISOs’ real needs?
Looking at the exhibitor list, and searching by core topic, it’s going to be exciting, yet challenging, to determine which companies are truly innovating and competitive in these crowded marketplaces. A quick look also tells us where most of the attention is, and where it isn’t. The Analytics, Intelligence and Response, and Machine Learning categories turn up hundreds of companies, as expected due to all the financial support for, and buzz around, these fields. We should expect to see many claims of best-in-class cyber defense products. However, I suspect there is growing skepticism about vendors’ claims to have the best ML/AI-driven 0-day finder. I encourage vendors to be prepared to articulate the true capabilities of the ML and AI engines that drive their solutions: By what standards can we evaluate the strength of algorithms and engines? Can they scale, integrate into, and play nice with a customer’s existing toolset? No doubt, ML and AI will continue to improve and become more central to security, but early innovations here have probably created what one contact called a “swarm effect” that has promoted the rise of duplicative technologies. Vendors should also be aware there are probably too many companies chasing too few CISO dollars, and there is bound to be consolidation. On the investor side, I suspect ML/AI fatigue is setting in. A few VCs have said they’re pretty much done putting money into this area until it shakes out.
Perhaps CISOs can nudge the security and investor communities into using ML and AI to develop more foundational preventative solutions. These might include more secure-by-design hardware and software architectures, self-aware and self-healing systems, and smart-configuration and smart-patching solutions. One CTO colleague relayed that he’s seen excellent presentations and proposals on self-healing computational models and systems, but unfortunately few VC-funded companies are moving beyond research into development and commercialization, partly because so much attention is on APT-hunting shiny objects. Until the community is incentivized to move into these areas, the current ‘assume breach’ detect-and-respond model will dominate how cybersecurity is practiced and commercialized.
As another example, look at blockchain and cryptocurrency, two leading-edge investment areas. Is commensurate work being done to update the underlying cryptographic algorithms and protocols that date back to 1982? Quantum-resilient crypto and homomorphic encryption technologies are areas that probably haven’t received the level of financial support they deserve, outside of DARPA or other government programs.
Getting back to CISOs’ priorities, the consistent theme was how to make the best use of people and existing tools:
- Training: This “CBT/CET” Gartner market will reach $7.2B by 2019. We know that we’re facing a shortage of up to 2M qualified cyber professionals. Unfortunately, this year’s conference doesn’t seem to reflect the market opportunity or interest in addressing such core challenges. I queried the “Human Element” and “Professional Development” topics in the RSA exhibitor list and turned up only 57 and 19 companies, respectively, with booth presence this year. I hope at least their booths are crowded and that they succeed. We need more innovation in people. Machines will have to do more and more of the work but in the end, people deploy, monitor, and interact with the technology that is protecting their systems. We must be more innovative in how we train people and encourage others to join the field. The better we can train personnel to more effectively monitor and improve the performance of their cyber systems, the more we can create a virtuous loop that combines trained people continuously optimizing the abilities of the machines that will be required to handle more of the configuration, deployment, monitoring, detection, and remediation workloads.
- ROI: We need to invest more in tools that help CISOs use their existing tools better. One VC colleague pointed to a recent investment his firm made in a company whose solution measures the effectiveness of third-party security tool implementation. Who’s watching the watchers? IMHO, a very clever example of the type of virtuous cyber loop we could create. Another VC contact uses the analogy of the industry delivering too many cyber ‘drugs’ to treat the same symptoms; what his firm wants to see is investment in more doctors and nurses to more effectively administer the treatment, get to root cause, and save the patient.
I support many public sector CISO teams in the US and Europe. What do I think they’ll be looking for at RSA? With an eye on ML/AI innovation, I think they’ll be just as interested in tools that offer improvements to the messy hygiene work of security: automated and self-learning configuration, inventory analysis and update management tools, and anything that helps their people improve how they manage their responsibilities. Given uncertain budgeting and the continual need to maintain and adhere to compliance mandates, they’ll also look for solutions that help improve and speed up the path to staying as green as possible on a scorecard. Perhaps the excitement around advanced sciences and big data will dominate the RSA agenda, but I expect and encourage CISOs to push innovators for solutions that get to the core of their day-to-day challenges.
If you’re an investor, or if you’re an innovator looking for what could be next year’s breakout opportunity, think about investing in the people who will deliver on your goals.