This is an updated repost from the Axonius Medium blog.
I’m a huge fan of the CISO/Security Vendor Relationship Podcast, and one episode featured a great conversation about how security teams really want a way to consistently execute on security basics rather than buying narrow technologies focused on the edge.
Narrow and Exciting vs. Broad and Boring
First, Justin Berman, CISO at Zenefits:
“I think that there’s a reinforcing cycle going on in which vendors are telling everyone at every company that they have to be concerned with what I might call ‘the edge’ or the most sophisticated or advanced adversary groups and thus they have to be engaged in deploying expensive and narrow technologies, when in reality most of these companies haven’t gotten inventorying, or vulnerability management, or patch management right.
Because all those things are hard but they’re also not sexy or flashy technologies. So for me, I want to see companies that are really authentically making those spaces consistently executable for security teams, and not another ‘we can stop the APT’ because for the vast majority of companies out there: a) you probably can’t stop the APT with your point solution and b) it’s not an important part of the threat model. If you’re telling every company that it is an important part of the threat model, you’re at best causing them to be turned off and at worst confusing them into thinking it is an important part of the threat model.”
When asked “is there a way to make the basics sexy? Is there an attractive way to sell the basics, or is it just like you need new tires for your car whether you like it or not?” Mike Johnson, CISO at Fastly said:
“I think there is. We’re starting to see a few companies come up around asset management. And asset management is absolutely one of the basics of security, but it’s not exactly sexy. But there are some companies that are making a go of it, and part of how they’re doing that is making it easy and making it so those security teams can consistently execute on asset management. I think that part of the way you make it sexy is coming up with a way of solving these foundational problems nobody has done before.”
Justin Berman added:
“I actually want to push back and say — and this may be controversial — I don’t think we need to make it sexy. I think it is possible to acknowledge that in the same way that you go to your dentist, and your dentist tells you to brush your teeth and floss. You say ‘I will’, and you come back and have cavities, more than likely the problem is that you’re not following your dentist’s consistent advice. If I could invent a machine that could clean your teeth for you while you sleep or put some nanites in your mouth that would automatically clean your mouth, that would be great. I don’t need to make patch management sexy per se, I need to make it automatic.”
“Tell me how much time it’s going to save my security engineering team. Tell me how much money it’s going to save me — not relative to a breach, but to how much time, energy and money is spent doing this poorly right now.”
It’s a better listen than read and starts at 8:44 below.
Making Cybersecurity Asset Management Consistently Executable
I love this conversation and think that Mike and Justin hit on some really important points that we constantly hear from our customers:
- Solve the basics first — We often hear from CISOs that are just joining a new company, and their first priority? Getting a basic asset inventory to understand what devices they have, what software is installed, the patch level, and their security solution coverage. Until you have a solid understanding of the environment, you can’t make use of the more sophisticated technologies.
- Make asset management automatic — One of our customers put it best (I’m paraphrasing): “I could have my team build our own system to do a pretty good job at asset management. I could have our engineers build scripts, and any time I want an updated asset inventory I could get it in a week. But do I really want my most valuable resources dropping everything to do that? Not a chance. I’d much rather have a solution that does it automatically in minutes, and if it can get us to 100% with no resources vs. 80% with dedicated people time? That’s worth spending money on.”
- Show me how much I’m saving — Justin nailed this one in the podcast: customers tell us they want to quantify the value of automating asset management compared to how much they spend doing it poorly today. As Justin mentioned, simply comparing the cost of a solution to the potential cost of a breach doesn’t work.
Here’s something we’ve been using with customers on the last point.
We ask for 4 pieces of information:
- Number of IR staff that investigate incidents
- Their yearly salary
- The number of incidents the team investigates daily
- The number of minutes spent gathering asset-related context per incident
Given that information, we can see:
- The yearly cost of the time spent gathering more information about assets to investigate incidents
- How much would be saved if that time could be reduced to 5 minutes
- How much would be saved if that time could be reduced to 2 and a half minutes
This is just one use case, but instead of just comparing the cost of a solution against a potential breach, customers understand what they’re spending now on an inefficient process compared to the amount of time and dollars they could save by automating.