What it’s like to be a CTO/CISO at this Year’s Gartner Security & Risk Management (SRM) Summit

June 18, 2019


One of the more interesting aspects of having dual roles (CTO & CISO) within BeyondTrust is attending conferences as both a vendor (CTO) and as a potential security customer (CISO). As a CTO, I’m attending events to share insights around security challenges that our solutions can help address, and I often present on topics related to privileged threats, privileged access and identity management, and vulnerability management. However, with my CISO hat on, I’m in attendance to learn about the latest security and risk challenges, to help me formulate and evolve a strategy to keep my organization as safe as reasonably and affordably possible.

The challenge in cybersecurity is that even a CISO with unlimited resources to protect their organization could still potentially incur a security incident of some nature. IT risk management is all about understanding and managing risks. Winning means minimizing the acceptable risk as much as possible within a practical budget. Some residual risk will remain, but that is the risk you have accepted to live with (at least for now) and contain as much as possible.

While attending Gartner Security & Risk Management Summit (SRM) 2019 this week in Washington, D.C., I experienced that the reputation of BeyondTrust’s industry-leading solutions is certainly one key to our success, especially compared to our competitors. I also took note that many other security tools come with incredibly complex implementations, unproven longevity, and may be based on academic technology that might have a finite life and potentially limited long-term effectiveness. This leads any CISO to question—should they be an early adopter, leader, or laggard? The headache of implementation, cost, and long-term effectiveness in mitigating risk raises this question to the frontal lobe of every CISO.

So, what did I truly learn at the conference? I think one slide from the keynote captures it all for my CTO hat, and provides the foundation for the event: The “2019 Top 10 Security Projects” presented by Gartner are:

  1. Privileged Access Management
  2. CARTA-Inspired Vulnerability Management
  3. Detection and Response
  4. Cloud Security Posture Management (CSPM)
  5. Cloud Access Security Broker (CASB)
  6. Business Email Compromise
  7. Dark Data Discovery
  8. Security Incident Response
  9. Container Security
  10. Security Ratings Services

As an IT security vendor, having BeyondTrust’s field of expertise (PAM) labeled as the number one priority is an absolute ego-stroke for everyone who works at my amazing organization. And yes, it is okay, once in a while, to pat yourself on the back, but without ever forgetting humility, because this was not always the stature for PAM. In fact, while privileged access management (PAM) has existed as a product since 1985, only in the last few years has it emerged as the prime attack vector for threat actors to leverage accounts, resources, and assets within an organization.

Now, as a CISO with a quick hat change, I have a few critical takeaways from this ranking:

  • My best defense is to make sure I am “drinking my own champagne” and internally use every product we make to the fullest of its capabilities. And, in fact, we do. Privileged access management and the concept of least privilege should be staples for every security-minded organization, just as they are for ours. That is a fact and not a bias, and Gartner echoes this in their top 10 list.
  • Cybersecurity basics like vulnerability management, patch management, detection and response, and incident response are just as important as ever. Many of the presentations and vendor messaging at SRM this year focused on these topics, which should continue to be a high priority from policies, to procedures and products. Also, processing the data from cybersecurity basics to every level of the organization that needs to consume it—from engineers to key executives and the Board—is key. That message is loud and clear, and there were dozens of dashboard vendors across the exhibit floor.
  • “The Cloud” occupies two places within Gartner’s top 5 of the list above. If you embrace the Cloud, these are just two pieces to consider. Please note that they are specifically labelled “cloud”; however, it warrants considering other attack vectors that may be relevant to your environment.
  • Gartner’s last entry (#10) of Security Ratings Services is of unique interest. I expect to see growing demand for vendor and supply chain security management in the next few years and I believe this entry will evolve into something much more robust, like a credit rating score.

Final thoughts on the Gartner SRM Summit

With the Gartner SRM Summit now halfway done, I think it’s safe to share a few more observations:

  1. The show is getting larger every year, highlighting the importance of security and risk management. There is interesting bleed over to identity and access management (IAM) since this is a primary attack vector.
  2. The number of vendors with new offerings to manage threats is impressive. While some vendors/solutions are very niche, the capabilities and potential outcomes are pretty cool. Review the new vendor list (less than 2 years old) and you will see what I mean.
  3. Vendors should tone down the amount of flashing lights and cheap tchotchkes. As a CISO, I want tools that will help my organization succeed. Marketing does own this event – and I get it.
  4. Finally, please, do not give me a USB containing “anything”! I was surprised at how many booths had free USB sticks with documentation and trial software. This is just a bad idea. If you need to ask why, you should not be at this show in the first place.

If you’d like to better understand how BeyondTrust (a leader in the Gartner Magic Quadrant for PAM) can help you address numbers 1 (PAM) and/or 2 (CARTA-Inspired Vulnerability Management) from Gartner’s list of top security projects for 2019, contact us today.


Morey J. Haber, Chief Security Officer, BeyondTrust

Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.
