TechRepublic’s Karen Roby spoke with Bob Blakley, operating partner at Team8, a venture capital think tank, about investments CISOs should be considering in 2021. The following is an edited transcript of their conversation.
Karen Roby: Bob, talk about two big areas that really stood out in your recent survey.
Bob Blakley: We ran a survey of our community of CIOs, CISOs, and information security professionals. We have about 350 people in what we call the Team8 village; these are executives from our customer and partner organizations, and we asked them what areas they were prioritizing for investment in 2021. And two of the areas that we had mentioned by a lot of our CISOs were security automation and application security. I think it’s pretty evident why those two areas in particular are our focus areas for 2021.
In the case of security automation, it’s well known that there is a big talent shortage in the security market. Automation allows you to increase the leverage of the talent that you already have by enabling them to codify their wisdom into automated actions and have those actions applied without having to hire more people to do them manually. In the case of application security, what we’re finding is that more and more of not only the security job, but of all jobs, is shifting left into the application development phase of the product cycle. What this means is that developers, who by and large are not security experts, need to have better tools to help them build security into their applications. And that’s the basis for investment in that area.
Karen Roby: Bob, from that survey, 64% of those who responded said that cloud security is their top priority this year. No surprise, with all of the people working at home, it’s more important than ever.
Bob Blakley: As you mentioned, 64% of the CISOs in our village survey mentioned cloud security as their top area for investment in 2021. I think there are two obvious reasons why cloud security is an area of increasing focus. The first is that cloud adoption, partly driven by the pandemic, is accelerating and is happening maybe faster than people had planned for. And along with adoption of cloud comes the requirements to secure operations in the cloud. And the cloud operates quite differently from on-premises infrastructure and applications.
There’s a lot of investment that is going to be required to get enterprises up and running on high consequence applications in the cloud, just because it’s a different environment. The other reason I think that people are investing in cloud security is because they are increasingly moving operations that normally they would have performed on-premises into the cloud, just because the employees increasingly with pandemic restrictions are working from home and because upgrading infrastructure and deploying things on-premises requires getting a lot of people into the building to do the work. In some cases, it is quicker to adopt a cloud technology than it is to implement an on-premises technology when you’re operating in a distributed mode and a lot of your employees are not on-premises.
Karen Roby: I know you have a lot of conversations with CISOs, and the ones that I have with the CISOs, CTOs, CIOs, so many of them are feeling really overwhelmed, stretched very thin now as this pandemic has raged on. In the beginning in March, it was a race to get employees home, to get them set up to work remote. And since then, it just seems so many of these IT professionals are really stretched very thin.
Bob Blakley: I think it’s definitely the case that security organizations have been stretched actually for years. I mean, it’s well-known that there’s a big talent shortage in the sector and that the problems continue to get more serious every year. Certainly the pandemic has stretched people even thinner, partly because it raised a new set of problems. You put a bunch of people outside of the corporate network, outside of the corporate premises, and that creates a set of security requirements which weren’t designed into the controls in the on-premise infrastructure. And that’s one of the reasons why we are emphasizing, in our new cyber brief that we published recently, both smarter security, which is the application of not just automation but artificial intelligence and other technologies to the operation of the security program, but also shift-left and increasing adoption of cloud security technologies to allow the security organizations to make more efficient use of the limited staff resources that they have.
Karen Roby: Yeah, there’s definitely a disparity in the supply and demand when it comes to experienced, educated security professionals. Bob, in closing here, going back to this survey, talk just a little bit about some of the things that really stood out to you, what you really think people need to know.
Bob Blakley: We recently undertook the preparation of what we call a cyber brief. The idea behind the cyber brief was we wanted to lay out our thesis for what trends and developments were likely to influence the development of information security and cybersecurity for the next three to five years. So, we laid out a series of seven themes in the cyber brief, and we’re getting quite good engagement and discussions on the themes. Cloud security was obviously one of the themes in the brief. Resilience and recovery was another of the themes in the brief. And we think that’s important because while security in general is pretty effective, it’s never going to be 100% effective. So, you have to be good at responding to the incidents that do occur.
And we also focused on smarter security, which we’ve already touched on in the earlier part of the interview, and on shift left, providing better tools to application developers to create applications that don’t have as many vulnerabilities in the first place. I guess I would summarize the brief by saying this is our view, informed by our conversation with the Team8 CISO village, of what is going to drive the security market for the next couple of years. We hope people will read it and we hope also that they’ll engage us in conversation on it.