Overwhelmed by overchoice at RSA Conference 2018

ID MSSECURE:5A92E182D51998C5FC1403F4BC5189E7
Type mssecure
Reporter Jenny Erie
Modified 2018-04-25T16:00:26


As over 500 companies vied for mindshare at this years RSA conference - a cacophony of vendors pitching thousands of products from brightly colored booths - it reminded me of how challenging it was for me to separate signal from noise when I was managing global networks. And the rapid growth of vendors and solutions in the past few years makes me wonder how overwhelming the choice must seem for CISOs today.

This challenge extends well beyond the show floor of RSA. Security Operations Center (SOC) analysts parse through thousands to even millions of alerts per day working as quickly as possible to investigate them and determine which ones represent real threats. Enterprises need tools that can help them identify and contain threats quickly, but the SOC analyst dilemma of too many alerts is echoed on the show floor. There are just too many vendor and solution choices to pick from. This phenomenon known as overchoice leads to paralysis, obstructing our ability make confident choices and seek timely guidance. Psychologists have long studied this construct and found that along with paralysis, the presence of too many options can even push people into decisions that work against their best interests.

As more than 50,000 RSA attendees worked their way across the conference center floor, I watched as they encountered an endless array of ever-changing acronyms, software, and hardware to address problems they probably didnt even know they had. In the quest to create and name the next generation of most innovative solutions, new categories and acronyms abound from SIM to SEM to SOAR, and AV to EPP to EDR. Unfortunately, these new solutions can come so fast that the features may fuzz into buzzword bingo for attendees. With IoT and the intelligent edge, there are new security scenarios for enterprises to solve for. With that come new categories of security, and new offerings flood the market. Enterprise professionals are left fighting an uphill battle across a foggy landscape.

There is a way to address all this complexity. It starts with you and your enterprise. As the person who knows your enterprise best, you are positioned to drive the decision-making process based on real-world scenarios and everyday learnings.

Vendors often try to identify problems, solve them, and hope someone needs the solutions. But every enterprise is unique, and not all threats are prioritized evenly across the board. If CISOs can assess enterprise-wide learnings and lean on the vendors to interpret and understand real-world issues, a more coherent strategy and product should emerge.

Of course, its not always easy for enterprise CISOs to understand and prioritize their needs. If this is the case in your enterprise, third-party consultants can help assess your current security posture and forge an action plan for optimization. Once a plan is created, the buyer should drive the process and avoid unnecessary distractions that lead to evaluating dozens of options and trying to understand where the puzzle pieces fit together. CISOs can also lean on the vendor to help interpret and understand the enterprises defined needs once they understand their needs and have prioritized them.

To better facilitate this approach, first ask, "What is the business problem Im trying to solve? For example: Retail organizations may want to enhance their online store to include customer intelligence to provide a better customer experience. What type of privacy security will be required to do this? Will there be compliance requirements to do this? If general themes emerge rather than more nuanced security gaps, CISOs can use a known framework, like the NIST Cybersecurity Framework. Its a useful tool for managing cybersecurity outcomes, and it covers all the verticals of cybersecurity, making it easier to adopt and join with other frameworks you might also need to incorporate in your security program.

Once you have a solid grasp of the enterprise security requirements, start to look for solutions that specifically meet those needs. Once the business problems are identified and the researching of solutions takes place, youll bump into those pervasive acronyms again. Dont get sucked in - resist the urge to solve for every potential problem vendors are trying to solve for. Focus on the vendors whose solutions specifically address your enterprises problems and meet your requirements. Ask your peers for their own firsthand experience. Ask them which solutions have or haven't worked for them. You can even ask vendors for references to speak with.

Once promising vendor solutions emerge, confirm that the solution will solve your enterprises problem. Get proof that it will - which doesnt necessarily equate to knowing every single mathematical detail about the algorithms used in a solutions ML engine or reviewing each line of code. But it does mean seeing the solution in action. Demo and test-drive it, preferably in your own environment. This approach is about the buyer driving the process, and staying engaged. Like most things related to our safety and security, the more engagement, the better the outcome.

These are active times in cybersecurity. The great news is a lot of innovative, smart, and motivated companies are working hard to build intelligent solutions to thwart cyberattacks. But were all at risk of paralysis from overchoice. Stay on target by focusing on your business problems and needs, and demand that vendors cut through the buzz to focus on proving they can deliver results. See what Microsoft presented and our latest security innovations at the RSA Conference.