
Qualys staged day #2 of its Qualys Security Conference (QSC) in Orlando this week with a lineup of sessions designed to widen the conversation around the key issues in what Qualys CEO Sumedh Thakar likes to call the process of 'de-risking business' today. With a session entitled 'The Biz Case for Security Tool Consolidation', Frank Dickson, group vice president of security & trust at IDC, took the stage. Covering the main security challenges he sees lining up for 2024, Dickson admitted that some of these points aren't new, but said he wanted to offer a fresh view on these cornerstones.

Dickson's first challenge is what he calls the 'layer zero' problem: the human users themselves. Now that we have left digital transformation behind (Dickson suggests), we are in the era of digital-first, and this raises a key question of scale: with the scope of the cloud at our disposal, just how big do we want to go with any given application or data service?

But the challenge with scale, he says, is that it creates complexity, and, logically enough, complexity is the enemy of security. Because most users feel they have a competent grasp on their own security posture, there is an inflated sense of how secure we really are, and the reality is that we are (perhaps unsurprisingly) not as secure as we think we are.

Users are ‘buying’ IT

Because an estimated 50% of IT spend now comes from Line Of Business managers outside of the IT department, that complexity challenge is perhaps even tougher to juggle. Inside this layer zero problem (of humans interacting with mission critical cloud applications), many of these non-technical users are bringing in software but do not understand compliance, digital asset taxonomy, threat weaponization, or the code dependencies that need to be validated and locked down, and so on.

Thinking about how DevSecOps is used today, Dickson says that developers themselves rank the proliferation of external APIs high on their list of risks. Paradoxically, if we ask the security professionals where the biggest risks are, they typically point to the developers themselves. And if we ask CISOs how they see their role developing today, most of them envisage themselves as business leaders, says Dickson. This is not great news for DevSecOps teams that should really be focused on where the security perimeter is now being established, with so many people working remotely, the new presence of edge computing across the Internet of Things (IoT) and the wider proliferation of mobile computing.

We need more staff

Problem 2 is the staff shortage, i.e. the skills gap in the pure play security sector. Given the need to develop skills in data privacy, cloud security and new, complex container-based systems development, the industry needs more people with broader competencies. Dickson says that of all the factors we can influence in the security threat landscape, staff shortages are one of the most direct factors we can potentially manage, if we plan correctly.

The threat landscape itself is factor 3, and factor 4 is compliance, which Dickson suggests is perhaps the most overlooked element of the security industry as a whole. With economic pressures often affecting the way organizations approach their compliance responsibilities, and the volume of 'data subject access requests' (when people ask for the information held about them) increasing all the time, tying down what organizations do with Personally Identifiable Information (PII), such as driver's licence details, medical records and so on, becomes far more important today.

Recommendations for the future

To give us some recommendations for the future, Dickson says that the best advice he can give is simply planning. "I know this is the most boring thing I could say in this context, but it's so true. When I first heard about DevSecOps, it's not a question of which tools we use, it's a question of whether we can use one tool that is truly effective," he said.

Offering the audience some points to leave with, Dickson upped his tempo (and volume level) and said that organizations should think about some key factors.

“When a security vendor comes to any customer, make them tell you what the product really does in terms of Mean Time To Remediation. Don’t just be impressed when they tell you that their product does Machine Learning (ML), demand to know what it can really do for the business. Further, question them on scalability, usability and support (from installation to API connectivity to maintenance and onwards) as key factors,” enthused Dickson.

His closing points covered the need for security buyers to check for future-proofing, to know where their data will be stored at any given moment in time, to understand the level of complexity in the platform and tools they are buying, to question what key features they are getting from the technology and, finally, to analyse what kind of time to value the business will really get from the product.

Closing thoughts & takeaways

Qualys started day one of its show with a really compelling presentation from ex-NSA security specialist Rachel Wilson, now a managing director at Morgan Stanley, which got the audience thinking about real world security threats. Following Wilson with IDC's Dickson, Qualys continued that theme and took the attendees outside of the Qualys brand to think about real world vulnerabilities before detailing more of the developments and augmentations in its own platform, which (arguably) worked equally well. This is not a cyber security show: Qualys is more than a security company now and should really be thought of as a risk management platform specialist. Stay safe everyone.