Thought Leaders in Cyber Security: Leo Taddeo, Chief Security Officer, Cryptzone (Part 3)

Posted on Wednesday, Jul 20th 2016

Leo Taddeo: The second challenge I think a lot of them are facing is the complexity requirement and the specialization of the IT security staff that they need. CISOs in every private enterprise and in every government agency out there are competing for the same talent. They’re competing for the same experts. The lack of these experts and the cost of these experts is driving up security cost. It’s bringing security down because the turnover in security personnel reduces the security posture for an enterprise.

It is making it hard for security officials in both government and private sector to stay on the roadmaps that they have. If buying a tool like an antivirus or a next-generation firewall is an upfront expense that requires additional staffing to manage, then it is an issue across the board to every CISO in the country. I think that will abate over time because the demand is high now, and we have universities and other institutions producing cyber security experts.

For now and for a couple of years to come, we’re going to be in shortage for technical talent to manage our IT security programs. The third trend that I’m seeing is a focus on the regulatory atmosphere that we are all operating in. On the one hand, the security officials are focused on real security – on getting the tools that work for the right price and that can be managed efficiently. On the other hand, they have to meet compliance requirements that don’t always align with their security requirements.

In many cases, the threat of an additional oversight, negative public exposure, or non-compliance is a bigger threat than the adversaries. Many CISOs and CSOs are looking at tools for how they interact with the compliance requirements for an enterprise. While security, cost, and efficiency are primary concerns, an additional concern that can sometimes outweigh all the others is how this tool fits in my compliance function.

Can I use it to produce the kind of reports and demonstrate that I am in compliance, or is it adding to my compliance and reporting burden? I think that’s a big issue for CSOs, especially in highly-regulated industries like Finance and Health. All of these regulatory requirements add additional burdens that are factored into the selection of tools and the cyber security roadmap that a company develops and executes.

Sramana Mitra: I’m going to double-click down on one of the points that you made, which is your first point of justifying value of the investments. Could you go one level deeper? We have probably done 50 Thought Leaders in Cyber Security stories with different vendors. Each has their own point of view. That’s probably only 20% of the vendors out there who are doing something in cyber security.

If I’m a CISO and these 200 vendors are coming and pitching, how do I sort this? Where do I know in my research and in my organizing principles of what are the problems that I am willing to spend budget on right now? If I were to pick the top three budget areas where I have committed budget, what would be my organizing principle?

Leo Taddeo: Great question. It all depends on the leadership in the enterprise and the financial support that you’re being provided. I talk to CISOs with fixed budgets who, in effect, can’t spend any new dollars. For them to buy a new tool, the question often becomes what do you displace. If you’re a cyber security vendor and talking to a CISO with no new dollars, you have to be able to demonstrate that you not only add security, but also what do you displace?

If you’re dealing with a CISO who has new dollars and has a supportive executive leadership team in terms of financing the maturity of the cyber security posture, the question becomes, “How do you fit into my long-term roadmap? How do you integrate with other tools? How do you provide my user and business processes with value? How can I demonstrate to my leadership, whether through numbers or articulable security benefits, that you are going to work as advertised?” It depends on who you’re talking to and where they are in their maturity process, and whether they have new funding or not.

A cyber security vendor has to be prepared to address all of those issues. Some enterprises are more focused on displacing existing technologies while some enterprises may be more interested in developing a long-term roadmap with security value that will pay off in dollars and in other efficiencies for a longer term.

This segment is part 3 in the series : Thought Leaders in Cyber Security: Leo Taddeo, Chief Security Officer, Cryptzone