It has been a long time since I have been to an in-person event. It felt good to be back exchanging ideas with peers, meeting new people and catching up with former colleagues. I must confess that my enthusiasm was mixed with a little bit of trepidation about being exposed to a Covid variant. The cautious tone was reflected in the smaller turnout (vs. 2019) and the omnipresent bottles of hand sanitizer.
For those of you who could not make it in person, here are my key takeaways from two days of conversations.
One person I talked to put it best: no company has ever been sued because there was a malicious actor in their network, but many organizations have been sued because they have experienced a data breach. Yes, application availability is important. Especially in companies engaged in online commerce, availability is directly correlated to revenue. Threats that endanger availability (DDoS attacks, for example) are being addressed. Companies continue to invest heavily in ensuring frictionless and continuous availability of their platforms to prospects, customers, and partners.
However, there is underinvestment in data security. The key elements of data security include data discovery, context-based access control and continuous monitoring of data usage. Security practitioners understand the risks and are attempting to prioritize investment in data security. They recognize that the decentralization of applications and data increases the complexity of the problem exponentially.
The constantly evolving nature of threats, the shortage of cybersecurity resources or skills, and the limited availability of investment exacerbate the problem. While the root causes of the current predicament vary, the most often discussed challenge in security seemed to be data security.
About a decade after the term was coined, it is now the age of zero trust. It is also the age of the digital transformation. It is the age of customer-first approaches. It is an application-centric world. I can go on and on.
None of the concepts I mentioned above have one solution. There is no single tool that an organization uses to undergo a digital transformation. It is an approach and an objective. Similarly, zero trust is an approach.
No organization can implement a single solution and claim – we have now implemented zero trust, check the box and move on. Zero trust in the context of data security is different from zero trust in the context of endpoint protection. It is important that vendors define what they mean by zero trust in their context. If vendors do not clarify what zero trust means in their context, they feed into the buzzword fatigue the security industry is facing.
The most often asked question (of us, and in my unscientific poll of other vendors) was – “how are you different from…”, fill in the blank. Put differently, prospects want to understand your differentiation. Just stating that you provide SaaS security or application security and have a better way of doing it doesn't resonate. Differentiation, from the customers’ viewpoint, is about understanding how they can achieve results with your solution versus other approaches.
A great parallel to this is the comparison to the railway system in the United States. The National Interstate and Defense Highways Act enacted under President Eisenhower certainly drove the decline of the railways. However, the decline was accelerated by the lack of recognition that railways were competing for transportation, not just against other railways. The objective was to move people and goods from point A to point B, quickly, conveniently and cost effectively.
The challenge for security vendors, in a space with over a thousand different offerings, is clarifying the problem they solve, addressing why current approaches do not address the problem and providing customers a clear path towards successful implementation. By no means an easy task!
Cloud is no longer a trend, a luxury or something coming sometime in the future. It is here and now. Customers are demanding a cloud-agnostic or at least multi-cloud solution. The nuance, however, is that the legacy world has not disappeared. It is here and will be here for a long, long time.
Customers require an approach that not only meets the security needs of the cloud-first world, but also addresses security for the existing applications that might be built on big iron or installed in traditional data centers. This is especially true for applications that are providing data security. Data does not exist on an island. It is distributed across a multitude of applications and platforms, and requires an approach that can bridge the old and new world.
We are not going to become a remote work only society. The head office, branch office and remote offices are not going to disappear. This also means that the notion of a “network” is not going to disappear. That “network” will have to co-exist and evolve to meet the needs of a hybrid workforce, and be redefined to encompass cloud and SaaS applications.
Networks will still need to be secured. Secure remote access is critical. But very few vendors were talking only about network security. This was certainly not a topic of discussion with organizations that were looking to fortify their most critical assets – their data.
Of course, this is not a comprehensive list of everything I learned. There was plenty of discussion about the best cuisine, home buying, raising kids and more. But those belong in a separate blog. The write-up above is restricted to my top 5 takeaways from Black Hat 2021.
Please share what you learned from Black Hat! Send an email to email@example.com with the subject line “Black Hat learnings.” Or, send us your comments by clicking here. If I get a broad response, I assure you I will publish them in a follow-up blog!