Why CISOs are consolidating their vendors and improving cloud security

At RSA 2019, Jeff Reed of Cisco discussed the company's 2019 CISO Benchmark Study and the top threats enterprises face.

Why CISOs are consolidating their vendors and improving cloud security

At RSA 2019, TechRepublic Senior Editor Alison DeNisco Rayome spoke with Cisco's Jeff Reed about the company's 2019 CISO Benchmark Study and the top threats enterprises face. The following is an edited transcript.

Alison DeNisco Rayome: So I know Cisco just released it's 2019 seasonal benchmark study. For that you surveyed 3,000 security leaders worldwide. Can you tell me some of the top takeaways from that study?

Jeff Reed: So what I thought was most interesting was we're starting to see really for the first time a consolidation in terms of the number of vendors customers are using. So a couple years ago only 54% of customers had 10 or fewer vendors within their environment. That actually has jumped to 63% in 2019. And I'm seeing that actually just when I talk to customers as well. The fatigue with respect to the number of tools, complexity that that adds, it's really been kind of a headwind on the overall effectiveness. So I'm glad to see that.

So that was one of the things that really stood out to me as part of the benchmark.

Alison DeNisco Rayome: Very interesting. Can you tell me some more of the kind of key industry trends that you've been seeing recently?

Jeff Reed: So the big one is cloud. Clearly we had our Cisco Live, our big user event in Europe, had a security VIP tour as part of that. I think almost every question I got, the leading question was about some move towards the cloud, what should I be doing, how should I be thinking about it, what are the implications on the security angle, and what are vendors and technologies involving to help me through that process. So that's been a big one over and over again.

Email security. Still important. It came out of people, I think there was a while that kind of people stopped thinking so much about the criticality of email, but we saw it in the benchmark study still the number one threat factor cited by CISOs. And it's been pretty steady there, kind of 56, 58%, kind of cite it as their number one. You know, we've introduced a bunch of new capability sets in that space in the last 12 months. That's interesting how that's, everyone uses it, it's critical for business. That's important as well.

SEE: Vendor comparison: Microsoft Azure, Amazon AWS, and Google Cloud (Tech Pro Research)

Alison DeNisco Rayome: Interesting. Going back to the cloud, I know something that we've heard from readers is that there's some confusion when it comes to who's responsible for cloud security. Is it more of the CISO? Is it the vendor? Can you speak a little bit to that and how to kind of determine what that is?

Jeff Reed: Yeah. So that's a, I'll try to shorten it. We can talk about this for a long time. I think there's, the way I kind of break down the cloud kind of whole model and a couple different things. So one is how to protect user to service. So we have people and things going to applications and data in the cloud. Like how that traffic, the traffic pattern to get there is changing with SDWAN, the types of controls that I want are changing, and so that is really, I think that's a CISO driven conversation first and foremost.

Then there's the how do I also protect the applications and data in the cloud? That gets more, I think there's a mix of what do you expect from the platform? My business actually is making decisions on certain platforms, so what are the expectation of what we want from the platform itself. But in a lot of cases I think it's important for us security folks to also have guardrails on that.

So for example we have a product called Stealth Watch Cloud is designed to watch basically behavioral analytics of your cloud environment. Who's talking to whom? It runs on AWS. It supports GCP Azure, super simple to set up, but it creates this understanding of like what is that cloud environment look like. So I may trust the... there's a certain set of questions I want to have confidence in my SaaS vendor and my IS vendor. There's also what I can do to make sure that I'm getting the visibility, and then also the control set of that cloud environment myself. So I think there's a number CASB kind of behavioral analytics, micro segmentation on the workload side are all things that I think are really things that CISO is and should be driving.

SEE: Network security policy template (Tech Pro Research)

The interesting thing though too is, think of it on the workload side, we're really early in this game. The way that we historically protected applications is not I think how we're going to do that in the future. When I'm building natively in clouds, so the types of tools and controls that I think are going to be more valuable moving forward is different than what we've been using historically.

But I think we're in that process where we're kind of figuring out which ones are the ones that will provide the most value for us security folks.

Alison DeNisco Rayome: And can you tell me a little bit more about Cisco's overall security strategy moving into this year?

Jeff Reed: So it's funny, I'll start a little farther back. You know a lot of people five years ago we were at RSA, but we weren't really like a... a lot of folks of Cisco as a security company. We had a classic layer through firewall, good email security product, that's kind of it. You know if you're at CISO what you cared about, we made a bet roughly five years ago that security's gonna be absolutely core to the strategy of Cisco as a company. It really was kind of on two pillars initially. One was leverage the network. Like the network can really help your security architecture. That's both how do we get visibility on threats using the network and threats to risk the networks after that. Then also how to do better job of segmentation. Really what's now we all call zero interest. But you know, least privilege, how do I kind of do that. So that was kind of that one.

SEE: Incident response policy (Tech Pro Research)

The second big one was around threat and how do we become a leader in threat detection. Required Source Fire. With that came Intellus research organization. One of the best IPS products on the market, this little thing called Events Netware Protection now is a multi-hundred dollar business for us. So we kind of started there. Then along the way came actually the one we just talked about, cloud. And so a lot of our focus now has been how do we help with that transition to cloud. How people and things are getting apps and data is changing, and we've invested, four of the last five acquisitions we've made are data SaaS companies. We acquired Duo Security because I think identity becomes a really critical aspect of this security profiles you do there. So there's a whole set of things kind of around that cloud transition.

Then the last pillar has been between kind of the 2013 and now we've spent six and a half billion dollars in security MNA, we've more than double R&D expenditure in this. We're actually the largest enterprise security company. So the last pillar of what we're focused on is how do we do a better job of integrating within our security products themselves with the rest of the Cisco portfolio, tying into routers for SDWAN security, et cetera. Then also I have a whole team focused on how do we do a better job integrating with third parties. It gets down to this we know customers are... we're starting to see that consolidation, but we're still not going to be the only security vendor in most of our customer's environments. How do we do a great job and they get more benefit from more Cisco products they have, but also work well with the investments they've made in SIM and orchestration, et cetera.

Also see