My Big Takeaways After Countless Customer Conversations
Last week, the Agarians and I wrapped up a phenomenal week at the security industry’s largest annual conference, and the activity level and number of vendors — including startups — were astounding. With tens of thousands of security professionals descending upon San Francisco for the RSA Conference and conference session titles such as “Metasploit Kung Fu” and “Threat Intelligence Is Like Three-Day Potty Training,” there was never a dull moment. At the same time, our industry faces significant challenges and opportunities as cybercrime continues to proliferate. Here are three of my top takeaways from this year’s conference:
- Attendance at the conference this year was likely up from the record level last year and the actual number of conversations and engagements is up exponentially, which is terrifically exciting. But as I asked customers what interesting things they were seeing at the conference, the answer I kept getting back was similar across the board: “Not too much.” There are scads of startups — all of them seemingly focused on either malware, breach detection or threat intelligence — but we’re not getting new vendors or solutions that really solve the problems that bedevil our digital economy today. There is a huge opportunity for the security industry as a whole to grow up and work to solve the inherent security issues that harm brands and people.
- Companies at the board level are now concerned about security en masse. Just five years ago, there were precious few boards of large companies that gave even a second thought to security. But now, with high-profile and costly breaches at Anthem, Home Depot, Sony, Target and others, they must address it. What used to be conversations principally about speeds and feeds are becoming far more nuanced and about the real business value of cybersecurity. There are huge opportunities for a much more business-oriented approach to security, rather than one in which the smartest engineer in the room gets the job — an approach we at Agari have championed since our founding.
- This more business-oriented approach to security is a great boon for CISOs, particularly for the strategic CISO. Against an unrelenting drumbeat of data breaches, the CISO is increasingly being called upon to secure not just companies’ IT infrastructures, but also their customers. If large companies get breached, valuable personal information gets stolen, and customers get burned. They lose trust in that company and its brand, and they go elsewhere. I would be very surprised if, this year, there are any Fortune 500 companies that don’t have a CISO in the room for an important board discussion.
The reality is, in our industry, there’s a very asymmetrical battle raging in which our opponents — be they nation-states, terrorists or individual actors — have a tremendous advantage. They can be right once but we have to be right all the time. They don’t have to get to the CIO or the CISO to get the goods; they can get to the goods by exploiting a company’s vendors, its Active Directory, or spear-phishing individual employees.
When I started Agari, I asked myself how we could fundamentally fix the technology stack upon which criminal innovation lives. That led us to spend three years building open standards to generate a network effect of threat-data sharing and a virtuous cycle of trust and security. For us, that’s DMARC as a transformative technology. For our industry as a whole, it’s not about building more widgets. Widgets are ephemeral. It’s about recognizing the importance of building a truly business-oriented approach to cybersecurity and safeguarding customers.