One of the more interesting aspects of having dual roles (CTO & CISO) within BeyondTrust is attending conferences as both a vendor (CTO) and as a potential security customer (CISO). As a CTO, I’m attending events to share insights around security challenges that our solutions can help address, and I often present on topics related to privileged threats, privileged access and identity management, and vulnerability management. However, with my CISO hat on, I’m in attendance to learn about the latest security and risk challenges, to help me formulate and evolve a strategy to keep my organization as safe as reasonably and affordably possible.
The challenge in cybersecurity is that, even a CISO with unlimited resources to protect their organization could still potentially incur a security incident of some nature. IT risk management is all about understanding and managing risks. Winning means minimizing the acceptable risk as much as possible within a practical budget. Some residual risk will remain, but that is the risk you have accepted to live with (at least for now) and contain as much as possible.
While attending Gartner Security & Risk Management Summit (SRM) 2019 this week in Washington, D.C., I experienced that the reputation of BeyondTrust’s industry-leading solutions is certainly one key to our success, especially compared to our competitors. I also took note that many other security tools come with incredibly complex implementations, unproven longevity, and may be based on academic technology that might have a finite life and potentially limited long-term effectiveness. This leads any CISO to question—should they be an early adopter, leader, or laggard? The headache of implementation, cost, and long-term effectiveness in mitigating risk raises this question to the frontal lobe of every CISO.
So, what did I truly learn at the conference? I think one slide from the keynote captures it all for my CTO hat, and provides the foundation for the event: The “2019 Top 10 Security Projects” presented by Gartner are:
- Privileged Access Management
- Carta-Inspired Vulnerability Management
- Detection and Response
- Cloud Security Posture Management (CSPM)
- Cloud Access Security Broker (CASB)
- Business Email Compromise
- Dark Data Discovery
- Security Incident Response
- Container Security
- Security Ratings Services
As an IT security vendor, having BeyondTrust’s field of expertise (PAM) labeled as the number one priority is an absolute ego-stroke for everyone who works at my amazing organization. And yes, it is okay, once in awhile, to pat yourself on the back, but without ever forgetting humility because this was not always stature for PAM. In fact, while privileged access management (PAM) has existed as a product since 1985, only in the last few years has it emerged as the prime attack vector for threat actors to leverage accounts, resources, and assets within an organization.
Now, as a CISO with a quick hat change, I have a few critical takeaways from this ranking:
- My best defense is to make sure I am “drinking my own champagne” and internally use every product we make to the fullest of its capabilities. And, in fact, we do. Privileged access management and the concept of least privilege should be staples for every security-minded organization, just as they are for ours. That is a fact and not a bias, and Gartner echoes this in their top 10 list.
- Cybersecurity basics like vulnerability management, patch management, detection and response, and incident response are just as important as ever. Many of the presentations and vendor messaging at SRM this year focused on these topics, which should continue to be a high priority from policies, to procedures and products. Also, processing the data from cybersecurity basics to every level of the organization that needs to consume it—from engineers to key executives and the Board—is key. That message is loud and clear, and there where dozens of dashboard vendors across the exhibit floor.
- “The Cloud” occupies two places within Gartner’s top 5 of the list above. If you embrace the Cloud, these are just two pieces to consider. Please note that they are specifically labelled “cloud”, however, it warrants considering other attack vectors that may be relevant to your environment.
- Gartner’s last entry (#10) of Security Ratings Services is of unique interest. I expect to see growing demand for vendor and supply chain security management in the next few years and I believe this entry will evolve into something much more robust, like a credit rating score.
Final thoughts on the Gartner SRM Summit
With the Gartner SRM Summit now halfway done, I think it’s safe to share a few more observations:
- The show is getting larger every year, highlighting the importance of security and risk management. There is interesting bleed over to identity and access management (IAM) since this is a primary attack vector.
- The number of vendors with new offerings to manage threats is impressive. While some vendors/solutions are very niche, the capabilities and potential outcomes are pretty cool. Review the new vendor list (less than 2 years old) and you will see what I mean.
- Vendors should tone down the amount of flashing lights and cheap tchotchkes. As a CISO, I want tools that will help my organization succeed. Marketing does own this event – and I get it.
- Finally, please, do not give me a USB containing “anything”! I was surprised at how many booths had free USB sticks with documentation and trial software. This is just a bad idea. If you need to ask why, you should not be at this show in the first place.
If you’d like to better understand how BeyondTrust (a leader in the Gartner Magic Quadrant for PAM) can help you address numbers 1 (PAM) and/or 2 (Carta-Inspired Vulnerability Management) from Gartner’s list of top security projects for 2019, contact us today.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.