In a couple of weeks, it’s anticipated that more than 40,000 computer security professionals will descend on San Francisco for our annual reunion/ 5-day bar crawl/swag collection fest known as the RSA Conference. Seriously, though, for as much crap as we security geeks unload on the RSAC, there is a ton of terrific, original content, new research, and knowledge sharing that somehow manages to surface among the phalanxes of polo-sporting territory reps and an ocean of booze. Besides, for obvious reasons, I’ll always have a soft spot for my little Moscone Monster.
That being said, uh, OMG. 40,000 people? 400+ vendors? A market that some analysts say consists of more than one thousand seven hundred companies that focus on information security? I think of RSA Conferences 15 years ago, when we looked at the “sea” of 200 vendors and told ourselves that the market could not possibly sustain so many players and that consolidation was imminent. Hah!
Consolidation, of course, did occur. But proliferation has outpaced it, and that’s a good thing. Continuous, near-fractal innovation is required to address the night-that-is-dark-and-full-of-more-terrors-than-we-ever-really-thought. But I pity the CISO that has to make rational buying decisions in 2017. The answer always seems to be “buy more security products”.
Huh. Funny, that.
At Verodin, we see things a little differently. We’re not alone. Recently the analysts at EMA said, “…before diving into your next (security) purchase, check out Verodin.” We talk to customers every day that are virtually drowning in their own pile of security products, desperately trying to quickly interpret bottomless wells of alerts and extract some kind of ROI from their defensive stack. The solution will not be found in another security layer, in another round of “lay it in and assume it helps”. Instead, at Verodin we think the solution lies in INSTRUMENTING security. Quantifying the cumulative effectiveness of our entire multi-vendor defensive stack, and identifying what’s working, what’s not, and where our best return-on-investment will be.
Security needs to grow up. We need let go of our fuzzy security-blanket “best practices” and all of the assumptions they entail. It’s time for security departments to be measured and held accountable like any other business unit. Quantitatively. Continuously. And always, always, with an eye on the bottom line.
How you ask? Your friends at Verodin have a few ideas….