Day 1 at RSA wrapped up yesterday evening when the vendor expo opened and conference attendees had an opportunity to visit vendors and check out the latest and greatest products. The vendors are primarily products vendors which reminded me how important it is for a CISO to have a services partner to help cut through the FUD and deliver value.
CISO’s are inundated with point solutions, some of them excellent, but many of them duplicative of existing investments. I’ve found that in selecting products the process/project often ends with “100% deployment” leaving security organizations unable to measure the return on their investment. A simplified view of the process goes something like this:
- Identify a need
- Hold a “bake off” and select a product
- Set deployment objectives (entire enterprise, all Windows desktops, etc…)
- Achieve deployment objectives
- Declare victory with reports showing deployment saturation metrics
It’s a missed opportunity for security to instead align with the business and demonstrate quantifiable value by defining the project in the context of the business problem that is being solved. Security organizations can get myopic in viewing risk and laser focused on point solutions that address specific security requirements missing the opportunity to tell the story of the business issue they are addressing as a part of the bigger picture.
100% deployment isn’t the goal, that’s just your day job. Enabling the business to engage customers, capture sales and recognize revenue is the goal. When you are in the trenches everyday its difficult, sometimes impossible, to address the bigger picture but in my experience the organizations that do are the most effective.