Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
Recently, I read an article by Shomik Ghosh called “The Rise of the Field CISO.” He’s a friend, and we’ve shared many thoughts about the cybersecurity industry.
This article starts by acknowledging that cybersecurity is a bit crazy right now. The top public company CEOs have been dueling on the right approach to handling cybersecurity in an increasingly complex technological world with AI, cloud, etc. This is absolutely worthy of debate.
Palo Alto is saying that CISOs are having fatigue with point solutions and that platformization is the only approach. Crowdstrike is saying that is “fugazi” and selling a single-agent architecture and modules natively built on top of the same architecture is the better approach. Regardless, one thing is for sure, there’s a lot of noise in security.
It’s unclear who is right, but Shomik is right in acknowledging there’s a lot of noise in security. He proposes having a “field CISO” to help navigate these discussions for cybersecurity companies wanting to stand out from the noise. I agree and disagree with this idea. I would encourage you to read his article to better understand what he exactly proposes, but here’s a summary that will provide helpful context for the rest of my newsletter:
Now when you look at a security company's platform, you're not really sure from the messaging where it fits into the stack and what specific problem it's the best at solving. This is the perfect fit for Field CISOs.
They can come in and be the expert who is able to show the workflows, speak to the pain they experienced in this area running security internally, and get to help others in terms of getting them to adopt great products that actually solve that pain.
I agree that this might be a good solution in a crowded market, but it’s indicative of a bigger problem in the industry. I think Field CISOs might be a good stopgap, but as Shomik says, if you find the wrong one, it might be more damaging than helpful.
What is the real problem, and how did we get here?
Cybersecurity evolved too quickly
I’ll start with the latter half of the question above. Cybersecurity has been forced to deal with a changing environment, and I’ve stated this numerous times in the past. There was the cloud, DevOps, and now AI. It feels like change has been the only constant, and security has been playing catchup at best. As a result, it’s easier to solve problems with recency bias. “There’s a ransomware attack. Let’s solve that. There’s the cloud. Let’s solve that. There’s a vendor problem. Let’s solve that.” It goes on.
However, given the scrutiny and the number of ongoing threats, CISOs and security leaders aren't given time to think through and understand the broader problems. Executive teams are pushing them to provide solutions to immediate problems, and to do so quickly. It seems that the easiest way to do this is to buy solutions. That's how we got here.
The problem is that these point solutions sometimes have a short shelf life. That is, they are useful to prevent or mitigate one attack, but many times, their broader use is unclear. Security keeps buying tools, but it doesn’t have time to figure out whether they solve the underlying problem. There’s definitely an over-tooling problem where security is blindly using tooling to solve problems rather than figuring out the best solution.
We need to start problem-solving again
The one thing that I do believe a Field CISO can help customers do is problem-solving, but then what is the point of the security leader and their team? Isn't the point of security to solve … security problems? This brings us back to the purpose of a Field CISO. Maybe the Field CISO can be more opinionated about how problems are solved. However, historically, security hasn't been very opinionated about solving problems. In fact, if it had been, the Palo Alto Networks vs. Crowdstrike debate wouldn't be that novel or contentious.
Anyway, security teams have to problem-solve, but it's become hard. They have been bombarded with solutions, and I've heard of some teams spending so much of their time procuring solutions and managing vendors that they have no time to actually figure out whether that's the right thing to do. This is the heart of the problem that Palo Alto Networks is trying to solve. Security just needs more time to think and build.
Building needs to go back into security’s DNA
Before being bombarded with solutions, security used to do a lot more of their own building. I remember the days when security would stitch together tools or hack at a tool to customize it for their own uses. Those days seem to be gone.
I use "build" here more broadly. I don't mean only that security needs to build more tooling. It needs to build more solutions, which involve more than just technology. Tools are meant to help solve a problem, not to be the end-all solution. Problems are sometimes more complex and involve process and/or people issues as well. As a result, these are problems that tools can help solve, but security still needs to build the ultimate solution, which has multiple components, of which one might be a tool.
I agree that security needs to have an opinionated way to solve its problems. These large security companies are offering that. In Shomik’s Field CISO suggestion, the Field CISO should do that, but I also think the Field CISO should meet the company where they are. The security team should come up with its own opinion, and the Field CISO can meet them where they are because the Field CISO will likely lack the context that the security team has. Alternatively, they can provide a different suggestion. At the end of the day, I’m not sure the Field CISO is the right solution even though I see this person offering value. Infra and SaaS companies typically offer an opinionated solution to a problem. Palo Alto Networks and Crowdstrike are doing just that. However, in the world of point solutions, it’s hard to be opinionated when you’re mostly a feature and a single product.
There needs to be a shift in how security operates. Rather than looking at tools first, security teams need to start understanding root causes and setting goals for their problems. From there, they can craft comprehensive solutions that might involve tooling instead of relying on tooling alone. This requires them to have an opinion, but more importantly, it requires them to have time. In some way, Palo Alto Networks and Crowdstrike are providing just that. By consolidating tools, a security team can have more time to solve problems with these tools. Like all security tools, they aren't the solution in and of themselves. Security teams have to find their own way to start building again.