Security is a massive $100B category, fragmented across 30 to 40 subsectors. Each sector is characterized by best-of-breed point solutions.
It’s also one of the most active categories the last couple of years. In 2018, about 400-plus companies raised capital for an aggregate of $4 billion in financing. And 2019 is shaping up to be another record-breaking year.
So how do you make sense of all of it? How do you protect yourself in this environment?
The end of best of breed
Five years back, CTOs and CISOs were biased towards adopting best-of-breed solutions. However, this led to a massive problem: vendor sprawl.
Very quickly the security teams realized that their SOC analysts were getting overwhelmed with millions and gazillions of alerts every single day, and they're missing the signal in all that noise.
So we’re living with the problem of false positives now. We’re realizing that we can't manage so many devices with so many alerts even if they are best in breed. We need to have a single pane of glass or fewer solutions which prioritizes 10 or 12 actions I need to take across my infrastructure -- both on-prem and in the cloud.
At the orchestration layer, you can start to bring some of this stuff together even if the underlying platform is not one platform. As the demand is higher, we see technologies like orchestration automation addressing the problem of fragmentation.
Nobody wants to be front page news
Here’s the problem. If you look at sectors like mobile device management or asset discovery, just good enough visibility is good enough. That's the way they see it. The thought process there is that even if you have rogue devices, you can really harden your policy and authentication at that point as rogue devices fall off the network. Do you need to be best in class at every layer, network, identity, user behavior, cloud? Maybe not.
Even the best in class today is not best in class tomorrow; the efficacy of controls degrade over time.
You might be the best in class today, but by the very nature of the fact that you're good at that space, attackers will innovate around you and break you down.
That's why this is a perpetual life cycle.
The thesis of continuous monitoring
I think coach Phil Jackson said it best, “If you're not getting better, you're getting worse.”
Our thesis is that no matter what solutions you have, you need to constantly test and score yourself. You need to attack yourself. We call this our thesis of continuous monitoring. And we believe it’s an imperative for those who wish to succeed in the category. Today, the whole security category is driven by continuous monitoring as a solution to a fragmented space.
The Avengers analogy - why self-attack is the best strategy
Let me break this down using an analogy from one of my favorite movies - Captain America: Civil War. For those of you who haven’t seen it, the basic plot line is that the Avengers' team split into two opposing teams after a disagreement about the role of international oversight. Watching this unfold on the big screen made me think: If you believe the Avengers are the most equipped and competent fighters on the planet, what better way to test their strengths and weaknesses than to pit them against each other? And that's what the security space is all about.
If you believe you have the best security talent in-house, you need to get these very special talents to break your security systems.
That's why I believe the future of security is moving toward continuous monitoring. If there was one takeaway for all of you from a security standpoint, it's this: channel your inner “blue and red.” Attack yourself before somebody else does.
Why I believe in security orchestration
I was having lunch with the CISO of a large Fortune 10 bank. This CISO has unlimited security budget. The board has said, "We don't want any breaches. You've got unlimited security budget." What do you do if you have unlimited security budget and you want to prevent breaches? You invest in defense-in-depth. You keep layering up.
So some of it is systemic and some of it can be streamlined. But there is an important category of security orchestration that integrates or orchestrates the sprawl of solutions.
Increasingly, CISOs are realizing that it becomes a logistical nightmare to manage alerts from 700 different solutions day in and day out. You're focusing on alerts that don't make any sense and you're ignoring the real signals, which is why there is this concerted push towards an integrated architecture.
So there are a lot of challenges ahead in the security space, and there are no shortage of innovators looking to solve them. For me, it's a super, super, good spot to be in.