Day two of RSA and booth number 1641 is bustling. In fact, the entire Expo Hall is awash with new product announcements, compelling demos, and striking amounts of swag. The CyberSaint team has been exploring the neighborhoods of Moscone Hall since things got kicked off on Monday, and we’ve seen several trends emerge across the host of exhibitors:
Risk and compliance becomes embedded
CyberSaint Chief Product Officer Padraic O’Reilly noted the amount of compliance and risk features and functionality emerging in products regardless of where they sit in the network. This points to a larger trend within the enterprise context: non-technical stakeholders are increasingly relying on CISOs to articulate the cyber risks facing the organization. As we’ve written about before, though, the challenge is defining and articulating these new forms of risk in the same context as existing risk forms (financial, operational, etc.). This groundswell of business leaders relying on digital risk managers and information security leaders has driven vendors to begin integrating more and more risk quantification into their products.
Almost, but not quite...
With so many solutions working to integrate risk features, some vendors are clearly playing catch-up. We saw many presentations using phrases like “understand risk and roll it up,” again pointing to the need for this information to reach beyond technical stakeholders. However, the challenge here is not simply collecting the data and possibly visualizing it, but translating it into a context that is of value to non-technical stakeholders.
Padraic noted “I saw a lot of tools that used terms like ‘management dashboards’ but these tools did not [in fact] roll up to something that delivered context to non-technical stakeholders.”
The greater issue facing the cybersecurity industry as a whole is the need to shift its perspective: from working as a misunderstood technical unit to operating as a business function that is increasingly depended on for business strategy, execution, and growth.
What’s tempting for organizations launching risk quantification features is the idea of cooking up a secret sauce and protecting it as intellectual property. However, as we’ve seen with open source cybersecurity frameworks like the NIST CSF, the openness of such platforms increases the rate of standardization, innovation, and security. Furthermore, empowering a CISO to articulate how they came to their conclusions about their organization’s risks is a critical step in communicating those conclusions to the board. Black-box risk methodologies stifle the rate at which CISOs can standardize and learn from others in the process, as well as their ability to discuss cyber risk, which in turn stifles an organization’s ability to grow.
The precursors to consolidation
Talk to anyone in cyber and you’ll hear about how congested the space is. What is apparent at RSAC 2019 is the beginning of a consolidation: we saw it in the compliance space with Rsam and ACL, and we will continue to see more and more similar players merge and acquire in order to survive.
Aside from these larger steps, we’re also seeing an increasing number of integrations across platforms. As CyberSaint CEO George Wrenn put it, “everything is salt and pepper.” This further points to value for the customer: rather than having to stitch together a patchwork of solutions (and, even worse, having to source them all with little guidance), we’re seeing vendors start to anchor around each other to create a network solution for end customers. As this network becomes tighter, the rate of M&A will accelerate and culminate in holistic solutions rather than specific function-based products.
Integrated risk management is more than better GRC
For many vendors and practitioners, integrated risk management is simply the next step for risk and compliance, and rightly so; that is how Gartner coined the term. However, what we’re seeing at RSA is that IRM is more than looking beyond checkbox compliance and shifting the focus from compliance to risk. What we see happening is that IRM is the means to unite these disparate solutions. True IRM solutions are the single pane of glass that gives management insight into the digital health of their organization, unites the many facets of a cyber program, and transparently helps CISOs articulate the cyber risk facing their organization.
As more and more legacy GRC products attempt to rebrand themselves as IRM while the fundamental principles of IRM continue to take shape, the disparity between the marketing of legacy GRC and its actual abilities will become more and more apparent. All the other trends, from salt and pepper to the embedding of risk, indicate that the industry needs (if it isn’t already demanding) a unified approach to compliance and risk that empowers managers to make decisions and collaborate rather than swinging spreadsheets or spending hours bouncing through a heavyweight solution with little to show for it. As we've said before, in the immediate future there is room for both IRM and GRC; the long-term impact, we predict, is a change in function for legacy GRC platforms, with IRM sitting atop.