Last week I was at the Gartner Security & Risk Management Summit for the first time in three years and while there, a few things struck me. We’ve all seen the steady drumbeat of cyber attack headlines that expose millions and millions of people’s sensitive information. The attendees at the conference certainly have, too. Because it was absolutely packed; the show has grown tremendously in the last few years. Another interesting note for me was the prevalence of very senior security industry executives at the show – not just CISOs, but I saw many CIO name badges on people wandering the conference floor and stopping by the Agari booth.
It’s a good sign, in my mind, to see the issue of security moving farther up the corporate ladder. Not a moment too soon, either. I would say that a surprising majority of the people who stopped by our booth told us that they were seeing CEO and CFO spoof emails at their companies. The most common variants were spoofed emails purporting to come from the CEO sent to the CFO telling him to wire money related to a super-secret acquisition to some account. Controllers at the companies were also receiving similar spoofed emails purporting to come from their CFOs. Also extremely gratifying was, once we explained to visitors to our booth what we were doing with email security at Agari and how we are proactively solving the problem, many of them told me it was the most interesting thing they’d heard at the show.
Other top takeaways for me included the Gartner forecast that by 2020, 60 percent of security spending will be on post-infection or post-breach detection and remediation. Compare this to the 40 percent of security spending that is aiming to stop breaches before they happen. The shift in security spending tells me two things: First, that companies are – more and more – simply just giving up on trying to stop the breaches before they happen. Second, once breaches do occur, they are only becoming more difficult and incredibly more expensive to detect and remediate.
The shift in the security mindset, too, is proving difficult for companies to navigate. It used to be that security policies were architected such that once you authenticated yourself and were inside the walls of the organization, you were therefore trusted. If you were outside the walls, the default was you weren’t trusted. But now we’re seeing the growing trend of devices not being trusted as a default whether they’re inside or outside an organization’s firewall. There’s now this shift to no devices being trusted, but it is such a difficult concept to embrace and hard for organizations to change the way their security is architected across the board.
Suffice to say that with the packed attendance I saw, higher-level security executives and the difficulty organizations are having changing their security architectures to a no-trust-first model, security as strategic business competency is only gaining in visibility. And this is a good thing, because we as an industry have a long way to go in securing organizations from the unrelenting cyberattacks we see every day.