CRN spoke with the CEOs and CTOs of a number of cybersecurity companies, including Proofpoint, Palo Alto Networks, Rubrik and CrowdStrike, during RSA Conference 2024. Here’s what they had to say. While the many implications of GenAI for security continued to be discussed and debated at last week’s RSA Conference, an array of other issues were front and center—including for many CEOs and CTOs at leading cybersecurity vendors. During interviews the week before RSAC 2024 and mainly during the conference itself, top cybersecurity industry executives told CRN that dealing with data challenges in security, defending against intensifying attacks and the many other pressures on security teams have been among the major topics of discussion. [Related: RSAC 2024: A ‘Mindset Shift’ In Cybersecurity Industry As Vendors Prioritize Integrations] Ultimately, looking ahead to a world of increasingly AI-powered cyberattacks, Evan Reiser, co-founder and CEO of Abnormal Security, said, “I don’t think as a civilization we’re on track to defend against those attacks.” More customers, Reiser said, should be demanding this from the industry: “’Tell me how you get me on a path that ends up in a positive state.’” Meanwhile, the CEOs of companies including Proofpoint, Rubrik, Mimecast, Trellix and Netskope, as well as the top technology and product leaders at companies including Palo Alto Networks, Check Point Software Technologies and Zscaler—plus a number of other executives—also spoke with CRN. What follows are comments from CRN’s interviews with 20 top cybersecurity executives. (Comments have been edited and condensed.) I think what’s interesting at this point is a dynamic that I see between security and IT. I do believe the solution to that dynamic, to make it healthy, would be formulating an architectural approach to cyber … identity and access, EDR, SASE, human-centric [security]—and then automation on top—those five boxes are your architecture. The rest are basically components that should either be consolidated into those five boxes, or should just become mere extensions of them … The underlying dynamic becomes unhealthy and non-trustworthy if you’ve got too many point products doing too many things versus managing the risk at the infrastructure and human side. An architectural approach—with holding the providers of the solutions in the architecture accountable for what they do and how they integrate—is the approach, in my opinion, where the handshake between CIOs and CISOs can be much stronger than what it is today. It’s a little shaky at this point in time. Cyber resiliency is about cyber posture, which is [getting an] understanding of the data and user activity on it, and then delivering remediation. Now it is dawning on [customers that] the cyber industry framed the whole discussion wrong. They said, ‘prevent, prevent, prevent.’ So everybody is focused on risk and threat. Now it is dawning on them that Change Healthcare is not an isolated event. Cyberattacks are inevitable. So how do you ensure that you can be a continuing operation even in the presence of successful attacks? Data was always a problem that we never solved very well. … The usage of AI [is revealing] the problem of data in a much bigger way. We always had the problem of data, but we kind of ignored it. And we use the fact that it was segregated in different places and we give you access to someplace, and have access to another place, and kind of [tacked on] these controls. With AI, it becomes more difficult because we want all the data to speak to each other. We want people that implement AI systems to have access to all these elements and [enable] more data collection. It’s really becoming very hard to [control]. So the ability to keep some authorization and some control level on data becomes harder. I’ve been in the cybersecurity space for 25 years. There has been the rise and fall of platforms in the cyber space. When I got into cybersecurity, McAfee and Symantec were the big platforms, and they sort of disintegrated. I was at IBM Security when we built that into a huge business. I think now you’re seeing some very interesting platforms on the infrastructure side. … I think with the pressures that customers are facing on budget right now, they’re looking for every one of their vendors in these different segments [to] ‘do more for me.’ … I think there’s a big move toward spending as much [as possible] with fewer vendors. That’s that platform play. If I were to look across cybersecurity, the biggest topic from my perspective is the need for cybersecurity to be real time. There are too many places where technology has not kept up with the pace of attackers. And we’ve shared data on this, from initial attack to breach being, even just a few years ago, 40-plus days. Last year, based on our data, it averaged about five days. But we’ve seen attacks that have been in hours. And so that time window is the amount of time that companies have to be able to detect and remediate in order to disrupt the attack before it completes. We believe that that will continue to narrow, requiring security to be as close to real time as possible. One of the things we’re seeing, obviously, is the accountability has gone up significantly. CISOs are held accountable for potential breaches that might cost the organization somewhere in the hundreds of millions of dollars. So there’s a huge responsibility there. Also, CISOs are often presenting, and are on the agenda, for the board of directors to talk about the potential risks that face an organization. Yet at the same time, we still see them not with a full seat at the executive table often. And we also see they have limited resources, and they don’t have the budgets of some of their C-suite peers. So there’s a little bit of a dichotomy there—with a really high amount of accountability and not necessarily a really high amount of resources to be able to take action in the correct manner. Some of the larger organizations here are bringing not just CISOs. I’ve had more meetings with CIOs, more so than in the past. I think CIOs have realized that they have to understand [cybersecurity]. And that’s a great thing. The CIOs run network, they run infrastructure, they run the apps … But they’re all colliding [with security]. They’re all converging. … The CIO is realizing, ‘Wait, the world is changing.’ The network is in the cloud. Security, which maybe they weren’t as versed in before, is a top board topic. And end users? They’re working remote. It’s all changed. And so I think a CIO has to have a better sense of how they handle that properly. If we thought the world of attacks was bad the last few years, it’s really going to get worse. We see [the growth of] attacks powered by AI now. AI has democratized cyberattacks. Maybe before it used to be a highly experienced or very technical person who was able to launch those. But now, you don’t need any technical depth. You don’t need any technical skills. You can literally launch an attack with very little skills. So that’s a scary thought. On the defender side, I know we feel very good about the pace at which we are moving. … If you can imagine fast-forwarding a year or two, the pace of innovation, the amount of innovation that will come into the market—the entire ecosystem of security practitioners and security vendors are coming together to fight this war, this cyber war. I think there’s a lot of misunderstanding of the technology and how it’s going to evolve. I speak to individuals who are asking me if all the human analysts are going to be retired, and it’s all going to be fully automated AI technology. I don’t think that’s going to be the case. I don’t see humans going away. I see humans getting much faster, much more powerful, because they’re being assisted by AI. It makes a lot of sense if you think about what the threat landscape looks like on the flip side. You’re not having adversaries replacing themselves with AI. They’re using AI to get faster, to get smarter. For everybody, the percentage of IT security out of IT spend is growing. The price of cyber insurance is growing. [But] security is not improving. The businesspeople are constantly on [the security team] for delaying their project. And they are in the middle with their limited budgets and their limited head count, and they’re looking to somehow make it work. And things are going to become much more complicated by the introduction of AI for the attacker, which means more sophisticated attacks at a larger scale, more capable deepfakes and financial fraud. The attacker continues to innovate. So that crunch that people feel today is going to only get worse. There’s always been this disparity between [security and] the pace of the developer and software development. The sheer number of developers to security people is just exponentially higher. And now it’s like developers are on steroids—now they’re producing code 40 percent more productively than they were before [with GenAI]. It’s like the haves and have-nots—the companies who have leaned in more aggressively in application security had more of that automated. They’d already been building it into that software development life cycle. They’re at least close to being ready for GenAI. Whereas for other companies who hadn’t shifted left, there is getting to be even more of a disparity between the developers—and the pace of software—and security teams just trying to keep up. A third of breaches are still coming from the scan and exploit of vulnerabilities. The importance of connecting assets and threat intelligence for optimal detection, investigation and response— it’s really fundamental. And it’s been an uncracked challenge for the industry, really for its existence. And so the ability to prioritize and contextualize and focus the work of patching to where there is actually risk, and the risk is highest, and there are no compensating controls—it just gets that flywheel of focusing resources on where things need to be protected. I see a lot of customers struggling. And they’re very frustrated, [feeling] like, ‘I’ve never spent so much money on security stuff, and we’ve never had more cyberattacks.’ People feel like they’re treading water. And so I think when you get really overwhelmed, people have less of an ability to really plan long term. I’ve been trying to just ask people, ‘Let’s just imagine it’s five years from now. And you have every petty criminal on the internet using ChatGPT 7. And they’re all writing the most sophisticated social engineering attacks we’ve ever seen. And they’re not just going through email, but through every communication channel. … I don’t think as a civilization we’re on track to defend against those attacks. And I do think AI must play a role in helping us survive in that future world. I want to try to recruit more customers to demand from the industry, ‘Hey, tell me how you get me on a path that ends up in a positive state. Because we’re not in a good state right now.’ Usage of AI is continuing to grow. How do you safely use AI? For everybody, that is top of mind. ‘I need zero trust not just for users and workloads—I need zero trust for AI.’ … In most cases, they are not able to figure out how to do it. And the answers are either, ‘Let’s block everything.’ Or, ‘Let’s open it up and see what happens.’ Everybody talks about AI, everybody wants AI [because it’s] going to enable productivity. But the risk factor of it is not well-understood. I’m not going to mention names. But over the course of the last two days, it’s interesting [to hear partners talk about vendors and say], ‘You know what, they’re not focused on our concerns anymore.’ Or, ‘They’re choosing to go around us. They’re not giving us that same loyalty.’ And it makes a difference. AI has a lot of layers. There’s AI for security, AI as a security risk, AI as a platform, AI as an application. And there’s a lot of innovation. … The way to think about AI is it’s not just a security problem. It’s a legal problem, it’s a lot of other problems. But AI could also be used amazingly for security. Security remediation is a data problem [and] you can apply AI for prioritization, for remediation, for automation. It’s like the Y2K moment with the difference being that with Y2K, everybody knew the date and time when the problem would come. Here, nobody knows that yet. But the threat of quantum computers being able to break traditional cryptography is real. To address that, people have to now upgrade their encryption keys and their algorithms and their applications, all three of them, to start using quantum-safe mechanisms. And post-quantum cryptography is this class of algorithms, which are developed to be resistant to quantum computers. At this time, what we are seeing is a lot of organizations, large enterprises, governments—they are starting to get ready, educating themselves, trying to get an inventory of everything that they have as it relates to cryptographic assets in their environment. And when they’re ready, they need a plan on how they will be able to upgrade from traditional cryptography to post-quantum cryptography. So I think right now the world is still in that assessment period, trying to take stock of what’s out there, and getting ready for that imminent threat. There is a bigger question about how to tie cybersecurity efforts and spend to the business. A few years ago, CISOs really wanted to have a seat at the table at the board, to present to the board about cybersecurity. And a lot of them got it. [Now] a lot of them wish they had not because the CISOs were speaking a language that the board absolutely did not understand. … More and more, what we are seeing now is a lot of CISOs are really focusing on, ‘How do I take an overall risk-based approach to my cyber efforts? How do I quantify my risk in terms of business impact? And how do I communicate that risk to the board, to the CFO, to the IT team?’ There is a misnomer or a misperception that passkeys cannot be stolen, like passwords could be. But what is a passkey? A passkey is basically a digital certificate or a cryptographic key that you store on your device. And Google, Amazon, Apple all basically supported the FIDO standard and said, ‘Hey, you can store passkeys on your device and, by the way, we’ll sync it to the cloud.’ And that’s fine for the consumer use case. [But since] your passkey is now getting synced to somewhere in the cloud, it is possible to be stolen. Just because it’s not a password doesn’t mean it cannot be stolen. So to make sure that passkeys are appropriate and secure enough for the enterprise, you have to make sure you don’t do cloud-sync passkeys, and you [need to] have policies that govern the flow [of passkeys] and where the passkeys are actually stored, and how, and who can access it. Literally every prospect or customer I’m talking to has exactly the same problem, which is, ‘Whatever place I’m sending data to, it’s full. I’m spending as much as I can possibly spend on it.’ What got you to 2024 is not going to get you to 2034. The same strategy that you built over the last decade [where] all the data goes into the SIEM, it’s just not viable. And so they’re all looking for, ‘What do I do now? Because I can’t keep spending 30 percent more every year.’
This article was autogenerated from a news feed from CDO TIMES selected high quality news and research sources. There was no editorial review conducted beyond that by CDO TIMES staff.
Need help with any of the topics in our articles? Schedule your free CDO TIMES Tech Navigator call today to stay ahead of the curve and gain insider advantages to propel your business!
