Transcript
Michael Novinson: We're going to be discussing security and IT alignment today with Daren Goeson. He is the Senior Vice President of Product Management at Ivanti. Morning, Daren. How are you?

Daren Goeson: I'm doing great. Thanks. Good to be here, Michael.

Michael Novinson: Thank you so much for making the time. So I want to start by taking on this challenge of security and IT alignment, and specifically want to get a sense of the challenges it can create from a cybersecurity standpoint.

Daren Goeson: Yeah, well, it's a great question. You know, in many organizations, security and the IT organizations are not fully aligned. And what that does is it really introduces risk within the organization, because you can't find and remediate the risk most effectively. You know, one of the main reasons for this is really the differences in the goals and responsibilities between the CIO and the CISO. CIOs are often focused on business growth and innovation, whereas your CISO is more focused on cybersecurity risk and compliance. And CISOs will approach risk management from the standpoint of prioritizing security over speed and agility and productivity at times, and your IT department does so differently. And also, when you think about the responsibilities, your CISO is responsible for finding and identifying the risk within the organization. And oftentimes, your IT department is responsible for remediating it. So when those two are not aligned, when they're not communicating well, it creates gaps in that overall process to be able to remediate the risk within your organization. And that can be a challenge from a cybersecurity standpoint for any organization.

Michael Novinson: Why are large enterprises struggling to solve basic hygiene issues, such as vulnerability and patch management?

Daren Goeson: Well, that's another great question. You know, there's a couple of different reasons for this. Number one is scale. Obviously, our attack surfaces are increasing every single day with the technology that we have, the users within the organization. So really expanding the attack surface creates a much bigger challenge each and every day for organizations. And ultimately, they don't have full visibility of what the issue is. They don't have full visibility of their assets or their attack surface or the exposures on them. Even when they do, it's hard to identify what you focus on first. So prioritization of the information that you have can be another challenge for organizations to solve those basic hygiene issues. And then, like we talked about, security and IT working better together is a good place to start for organizations that are trying to improve the practice to solve basic hygiene issues and vulnerability and patch management.

Michael Novinson: I know siloed data is another common problem. I want to get a sense of what your advice is for improving integration and collaboration between teams.

Daren Goeson: Yeah, I mean, siloed data is a significant problem, not only on the security side for organizations, but I feel like it really can sap the potential of organizations by not being able to make data-driven decisions. But if you think of it from a security perspective, they create a significant challenge. Number one is, oftentimes an organization's view of their attack surface is in multiple different areas. So it might be in spreadsheets. It might be in data sets that the security organization has or the IT organization. Same for vulnerabilities. You might have multiple vulnerability scanners, but not be doing an aggregation of those. This is why we actually see convergence of security suites within products, and convergence of discovery, asset and vulnerability discovery, endpoint management and endpoint security really coming together. Platforms within organizations do a lot of data normalization across these areas. So they break down those silos to enable you to be able to make better data-driven decisions and have a more comprehensive data set on which you're doing remediation to secure your environment.

Michael Novinson: What capabilities should organizations be looking for in an integrated platform?

Daren Goeson: Yeah, I mean, in an integrated platform, I think number one is data: being able to have a complete data set that's correlated and reconciled across different data sources is the one key value. Let's break down those data silos. Number two is, from a security perspective, you need to have the ability to be able to plug threat intelligence into this as well, so that you can understand what's happening with the vulnerabilities within your organization. And this gives you the ability to be able to prioritize. Like we talked about before, organizations can be overwhelmed with the amount of cyber hygiene that they need to do within their organization and the risks that they need to be able to remediate. So you need to have context of what the risk is and how it relates to your environment. This gives you the ability to then start to make risk-based decisions, risk-based remediation decisions. When do I patch? Where do I patch? What are the most critical patches that I need to deploy to my organization? And then, of course, being able to access that data through dashboards and analytics, and the ability to be able to slice and dice that information yourself so that you can get a good understanding, as well as report within your organization and build more of a security-driven culture.

Michael Novinson: Can you share any examples of organizations that have met these challenges?

Daren Goeson: Yeah, absolutely. I mean, we have a customer in the financial industry that has kind of flipped over the way in which they think about cybersecurity. And rather than trying to meet every single SLA of a vulnerability that they have within their organization, they're taking a very, very risk-based approach. And that allows them to rebaseline what their risk acceptance level is and then be able to put in a practice that allows them to hit that risk acceptance level. So they're taking an approach around exposure management, which really is looking at the tolerance that you have within your organization and then ensuring that your cybersecurity posture meets that risk tolerance. So, you know, that's a way in which they've been able to reduce the noise within their organization and be able to remediate and secure the risk, or secure the vulnerabilities, that are going to be most impactful to their company.

Michael Novinson: And I want to get a sense from you of what your advice is for anybody who's looking into modernizing their environment and improving alignment between security and IT.

Daren Goeson: Yeah, another great question. You know, I think there's two aspects of this here. One is around processes or culture within your organization. And then the other would be a couple of things to look at from a technology perspective. Number one is, across the company, foster a security mindset and culture. So it's not just security and IT, but it's everyone's responsibility. We know that users are a vector that threat actors are using to be able to infiltrate organizations. So really, security has to be top of mind for everyone within your organization. Two is, going back to the first question, align the goals of security and IT to both be risk-based, but also business outcome-based. Both the CIO's and the CISO's organizations have an objective to be able to achieve the business outcomes of the organization. And to do so, you need to create a secure environment. Third, from a process perspective, is secure what's important. Bring risk-based prioritization into that overall security position and posture and program that you have. And then the second is from a technology perspective. Number one is ensure that you can access everything within your organization. And things have shifted with Everywhere Work, and people are working on different networks. They're working outside of the network. They're really working from everywhere. SaaS-based solutions are really good to be able to ensure that you have reach and can manage and secure all of the endpoints and assets within your organization. And two is limit the number of vendors that you have. These vendors will create data silos within your organization. They'll increase the number of integrations that you need to create and maintain to do so. So really looking at vendors more holistically, ones that are bringing security and IT together to be able to create a better security posture in your organization from a platform and technology perspective, would be some good places to start.

Michael Novinson: And finally here, for people who are interested in learning more about this topic, what do you recommend?

Daren Goeson: Well, a great place to start is ivanti.com. We've done a ton of research around exposure management. We have a number of resources there. So that's a great place to start.

Michael Novinson: Terrific. Daren, thank you so much for the time today.

Daren Goeson: I appreciate it, Michael.

Michael Novinson: Absolutely. We've been speaking with Daren Goeson, Senior Vice President of Product Management at Ivanti. For Information Security Media Group, this is Michael Novinson.