
What it’s like to be a CTO/CISO at this Year’s Gartner Security & Risk Management (SRM) Summit

June 18, 2019


One of the more interesting aspects of having dual roles (CTO & CISO) within BeyondTrust is attending conferences as both a vendor (CTO) and as a potential security customer (CISO). As a CTO, I’m attending events to share insights around security challenges that our solutions can help address, and I often present on topics related to privileged threats, privileged access and identity management, and vulnerability management. However, with my CISO hat on, I’m in attendance to learn about the latest security and risk challenges, to help me formulate and evolve a strategy to keep my organization as safe as reasonably and affordably possible.

The challenge in cybersecurity is that even a CISO with unlimited resources could still suffer a security incident of some kind. IT risk management is about understanding and managing risk: winning means reducing risk to an acceptable level within a practical budget. Some residual risk will always remain, but that is the risk you have chosen to accept (at least for now) and to contain as best you can.

While attending the Gartner Security & Risk Management Summit (SRM) 2019 this week in Washington, D.C., I saw first-hand that the reputation of BeyondTrust’s industry-leading solutions is certainly one key to our success, especially compared to our competitors. I also took note that many other security tools come with incredibly complex implementations and unproven longevity, and may be based on academic technology that might have a finite life and limited long-term effectiveness. This leads any CISO to ask whether they should be an early adopter, a leader, or a laggard. The headache of implementation, cost, and long-term effectiveness in mitigating risk pushes this question to the front of every CISO’s mind.

So, what did I truly learn at the conference? I think one slide from the keynote captures it all for my CTO hat, and provides the foundation for the event: The “2019 Top 10 Security Projects” presented by Gartner are:

  1. Privileged Access Management
  2. CARTA-Inspired Vulnerability Management
  3. Detection and Response
  4. Cloud Security Posture Management (CSPM)
  5. Cloud Access Security Broker (CASB)
  6. Business Email Compromise
  7. Dark Data Discovery
  8. Security Incident Response
  9. Container Security
  10. Security Ratings Services

As an IT security vendor, having BeyondTrust’s field of expertise (PAM) labeled as the number one priority is an absolute ego-stroke for everyone who works at my amazing organization. And yes, it is okay, once in a while, to pat yourself on the back, but never without humility, because this was not always the stature of PAM. In fact, while privileged access management (PAM) has existed as a product category since 1985, only in the last few years have privileged accounts emerged as the prime attack vector for threat actors to reach resources and assets within an organization.

Now, as a CISO with a quick hat change, I have a few critical takeaways from this ranking:

  • My best defense is to make sure I am “drinking my own champagne” and internally using every product we make to the fullest of its capabilities. And, in fact, we do. Privileged access management and the concept of least privilege should be staples for every security-minded organization, just as they are for ours. That is a fact and not a bias, and Gartner echoes this in their top 10 list.
  • Cybersecurity basics like vulnerability management, patch management, detection and response, and incident response are just as important as ever. Many of the presentations and vendor messaging at SRM this year focused on these topics, which should remain a high priority across policies, procedures, and products. Getting the data these basics produce to every level of the organization that needs to consume it, from engineers to key executives and the Board, is also key. That message was loud and clear, and there were dozens of dashboard vendors across the exhibit floor.
  • “The Cloud” occupies two of the top five places in Gartner’s list above (CSPM and CASB). If you embrace the cloud, these are just two pieces to consider. Note that although they are specifically labelled “cloud”, the same thinking applies to other attack vectors that may be relevant to your environment.
  • Gartner’s last entry (#10), Security Ratings Services, is of unique interest. I expect to see growing demand for vendor and supply chain security management in the next few years, and I believe this entry will evolve into something much more robust, like a credit score.

Final thoughts on the Gartner SRM Summit

With the Gartner SRM Summit now halfway done, I think it’s safe to share a few more observations:

  1. The show is getting larger every year, highlighting the importance of security and risk management. There is interesting bleed-over into identity and access management (IAM), since identity is a primary attack vector.
  2. The number of vendors with new offerings to manage threats is impressive. While some vendors/solutions are very niche, the capabilities and potential outcomes are pretty cool. Review the new vendor list (less than 2 years old) and you will see what I mean.
  3. Vendors should tone down the flashing lights and cheap tchotchkes. As a CISO, I want tools that will help my organization succeed. Marketing does own this event, and I get it.
  4. Finally, please, do not give me a USB containing “anything”! I was surprised at how many booths had free USB sticks with documentation and trial software. This is just a bad idea. If you need to ask why, you should not be at this show in the first place.

If you’d like to better understand how BeyondTrust (a leader in the Gartner Magic Quadrant for PAM) can help you address numbers 1 (PAM) and/or 2 (CARTA-Inspired Vulnerability Management) from Gartner’s list of top security projects for 2019, contact us today.


Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust

Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.
