Author Archives: Jon Oltsik
Author Archives: Jon Oltsik
Several CISOs I’ve spoken to over the past few years agree that identity is a new security perimeter. The thought here is that a combination of mobile device and cloud use renders existing network perimeters obsolete so security policy enforcement decisions must be driven by identity attributes (i.e. user identity, role, device identity, location, etc.) rather than IP packet attributes. We see this transition coming to fruition with the concept of a software-defined perimeter (SDP) and technologies such as Google BeyondCorp and Vidder PrecisionAccess.Yup, this makes sense. Armed with identity attributes, organizations can make intelligent network access decisions on who gets access to which IT assets regardless of their location. Unfortunately, there is a big problem here. The IAM infrastructure was built organically over the last 10-15 years so it depends upon a morass of disconnected and fragile elements. This situation greatly impacts security. To read this article in full or to leave a comment, please click here
Several CISOs I’ve spoken to over the past few years agree that identity is a new security perimeter. The thought here is that a combination of mobile device and cloud use renders existing network perimeters obsolete, so security policy enforcement decisions must be driven by identity attributes (i.e., user identity, role, device identity, location, etc.) rather than IP packet attributes. We see this transition coming to fruition with the concept of a software-defined perimeter (SDP) and technologies such as Google BeyondCorp and Vidder PrecisionAccess.Yup, this makes sense. Armed with identity attributes, organizations can make intelligent network access decisions on who gets access to which IT assets regardless of their location. Unfortunately, there is a big problem here. The identity and access management (IAM) infrastructure was built organically over the last 10-15 years, so it depends upon a morass of disconnected and fragile elements. This situation greatly impacts security. To read this article in full or to leave a comment, please click here
Several CISOs I’ve spoken to over the past few years agree that identity is a new security perimeter. The thought here is that a combination of mobile device and cloud use renders existing network perimeters obsolete, so security policy enforcement decisions must be driven by identity attributes (i.e., user identity, role, device identity, location, etc.) rather than IP packet attributes. We see this transition coming to fruition with the concept of a software-defined perimeter (SDP) and technologies such as Google BeyondCorp and Vidder PrecisionAccess. Yup, this makes sense. Armed with identity attributes, organizations can make intelligent network access decisions on who gets access to which IT assets regardless of their location. Unfortunately, there is a big problem here. The identity and access management (IAM) infrastructure was built organically over the last 10-15 years, so it depends upon a morass of disconnected and fragile elements. This situation greatly impacts security. To read this article in full or to leave a comment, please click here
To use a long-forgotten metaphor, cloud deployment is moving forward at internet speed at many enterprise organizations. According to ESG research, 57 percent of enterprise organizations use public and private cloud infrastructure to support product applications/workloads today, and an overwhelming majority of organizations will move an increasing number of applications/workloads to cloud infrastructure over the next 24 months (note: I am an ESG employee).Now, no one would argue the fact that cloud computing represents a different compute model, but it is really based upon the use of server virtualization for the most part. And since a VM is meant to emulate a physical server, many organizations approach cloud security by pointing traditional security processes and technologies at cloud-based workloads.To read this article in full or to leave a comment, please click here
To use a long-forgotten metaphor, cloud deployment is moving forward at internet speed at many enterprise organizations. According to ESG research, 57 percent of enterprise organizations use public and private cloud infrastructure to support product applications/workloads today, and an overwhelming majority of organizations will move an increasing number of applications/workloads to cloud infrastructure over the next 24 months (note: I am an ESG employee).Now, no one would argue the fact that cloud computing represents a different compute model, but it is really based upon the use of server virtualization for the most part. And since a VM is meant to emulate a physical server, many organizations approach cloud security by pointing traditional security processes and technologies at cloud-based workloads.To read this article in full or to leave a comment, please click here
My colleagues Doug Cahill, Kyle Prigmore, and I just completed a research project on next-generation endpoint security. Just what the heck is next-generation endpoint security? Cybersecurity professionals remain pretty confused around the answer to this question. For the purposes of its research project, ESG defined next-generation endpoint security as (note: I am an ESG employee):Endpoint security software controls designed to prevent, detect, and respond to previously unseen exploits and malware.As part of this project, ESG interviewed dozens of organizations that were either supplementing or replacing traditional antivirus software on PCs of all kinds. I’ve written a few blogs about why these organizations were moving beyond AV alone, how they selected new endpoint security products, and some details about their testing and deployment methodologies. Aside from this technology overview however, I did come away with some strong theories about the next-generation endpoint security market in general. To read this article in full or to leave a comment, please click here
My colleagues Doug Cahill, Kyle Prigmore, and I just completed a research project on next-generation endpoint security. Just what the heck is next-generation endpoint security? Cybersecurity professionals remain pretty confused around the answer to this question. For the purposes of its research project, ESG defined next-generation endpoint security as (note: I am an ESG employee):Endpoint security software controls designed to prevent, detect, and respond to previously unseen exploits and malware.As part of this project, ESG interviewed dozens of organizations that were either supplementing or replacing traditional antivirus software on PCs of all kinds. I’ve written a few blogs about why these organizations were moving beyond AV alone, how they selected new endpoint security products, and some details about their testing and deployment methodologies. Aside from this technology overview however, I did come away with some strong theories about the next-generation endpoint security market in general. To read this article in full or to leave a comment, please click here
Back to one of my pet issues, the global cybersecurity skills shortage. According to ESG research, 46% of organizations say they have a “problematic shortage” of cybersecurity skills in 2016 (note: I am an ESG employee). By comparison, 28% of organizations claimed to have a “problematic shortage” of cybersecurity skills in 2015, so we’ve seen an 18% year-over-year increase.So there is a universal shortage of infosec talent but where are these deficiencies most acute? According to a survey of 299 IT and cybersecurity professionals: 33% of organizations say they have a shortage of cloud security specialists. This makes sense as it combines the shortage of cybersecurity skills with evolution of cloud computing. Other ESG research also indicates that large organizations are creating jobs for cloud security architects so demand is especially high. Cybersecurity professionals should think about pursuing a cloud security certification from CSA or SANS as part of their career development plan. There are more jobs than people and enterprise organizations are tripping over each other to hire talent as quickly as they can. 28% of organizations say they have a shortage of network security specialists. To me, this Continue reading
Back to one of my pet issues, the global cybersecurity skills shortage.According to ESG research, 46 percent of organizations say they have a “problematic shortage” of cybersecurity skills in 2016 (note: I am an ESG employee). By comparison, 28 percent of organizations claimed to have a “problematic shortage” of cybersecurity skills in 2015. That means we’ve seen an 18 percent year-over-year increase.So, there is a universal shortage of infused talent, but where are these deficiencies most acute? According to a survey of 299 IT and cybersecurity professionals: 33% of organizations say they have a shortage of cloud security specialists. This makes sense, as it combines the shortage of cybersecurity skills with evolution of cloud computing. Other ESG research also indicates that large organizations are creating jobs for cloud security architects, so demand is especially high. Cybersecurity professionals should think about pursuing a cloud security certification from CSA or SANS as part of their career development plan. There are more jobs than people, and enterprise organizations are tripping over each other to hire talent as quickly as they can. 28% of organizations say they have a shortage of network security specialists. To me, this really reinforces Continue reading
Okay, the presidential primaries are winding down, and while I expect lots of name calling, insults and general sophomoric behavior this summer and fall, it’s time for both parties to step up with a strong plan for cybersecurity.Cybersecurity? You’d really never know that it’s a national issue based upon the proceedings so far. Governor Bush put out a two-page overview while Dr. Ben Carson’s team drafted a high-level proposal. Neither one of these documents really dug into existing policies, domestic challenges, or International issues. With the exception of John McAfee, no one has gotten into any detail on this topic.Now I know that cybersecurity can be the geekiest of geeky topics so the Presidential candidates need to address it at the right level. The best plan will appeal to voters’ personal interests, offer financial incentives and opportunities, and demonstrate U.S. leadership in International affairs. Additionally, the plan should align cybersecurity issues with technology innovation and a changing economy.To read this article in full or to leave a comment, please click here
Okay, the presidential primaries are winding down, and while I expect lots of name calling, insults and general sophomoric behavior this summer and fall, it’s time for both parties to step up with a strong plan for cybersecurity.Cybersecurity? You’d really never know that it’s a national issue based upon the proceedings so far. Governor Bush put out a two-page overview while Dr. Ben Carson’s team drafted a high-level proposal. Neither one of these documents really dug into existing policies, domestic challenges, or International issues. With the exception of John McAfee, no one has gotten into any detail on this topic.Now I know that cybersecurity can be the geekiest of geeky topics so the Presidential candidates need to address it at the right level. The best plan will appeal to voters’ personal interests, offer financial incentives and opportunities, and demonstrate U.S. leadership in International affairs. Additionally, the plan should align cybersecurity issues with technology innovation and a changing economy.To read this article in full or to leave a comment, please click here
According to ESG research, enterprise organizations continue to invest in all types of threat intelligence (note: I am an ESG employee). For example, 60% of organizations have had a threat intelligence program in place for more than 2 years, 69% consume 6 or more open source or commercial threat intelligence feeds as part of cybersecurity analytics efforts, and 72% of enterprises plan on increasing spending on their threat intelligence programs over the next 12 to 18 months.Why is threat intelligence gaining momentum? Security professionals know that since they can’t block every conceivable cyber-attack, they need to collect, process, and analyze all types of internal and external security data to improve their incident detection and response capabilities. Many also want to use threat intelligence more proactively for threat prevention. In fact, 36% of enterprise cybersecurity professionals say that their organizations intend to use threat intelligence feeds to automate remediation actions over the next 24 months.To read this article in full or to leave a comment, please click here
According to ESG research, enterprise organizations continue to invest in all types of threat intelligence (note: I am an ESG employee). For example, 60% of organizations have had a threat intelligence program in place for more than 2 years, 69% consume 6 or more open source or commercial threat intelligence feeds as part of cybersecurity analytics efforts, and 72% of enterprises plan on increasing spending on their threat intelligence programs over the next 12 to 18 months.Why is threat intelligence gaining momentum? Security professionals know that since they can’t block every conceivable cyber-attack, they need to collect, process, and analyze all types of internal and external security data to improve their incident detection and response capabilities. Many also want to use threat intelligence more proactively for threat prevention. In fact, 36% of enterprise cybersecurity professionals say that their organizations intend to use threat intelligence feeds to automate remediation actions over the next 24 months.To read this article in full or to leave a comment, please click here
I just read a Bloomberg article proclaiming that Symantec cut its quarterly revenue forecast and announcing that CEO Michael Brown will step down. Unfortunately for Symantec, the company has had a revolving door of chief executives—four different individuals since 2008, and now onward to a fifth.When Symantec went through a similar CEO transition in 2014, I posted a blog to suggest what I would do as its next CEO, but surprisingly my phone never rang. Nevertheless, I reviewed my two-year-old recommendations this morning and many of Symantec’s issues back then still need fixing. Given this, allow me to review and update my CEO action plan for Symantec:To read this article in full or to leave a comment, please click here
I just read a Bloomberg article proclaiming that Symantec cut its quarterly revenue forecast and announcing that CEO Michael Brown will step down. Unfortunately for Symantec, the company has had a revolving door of chief executives—four different individuals since 2008, and now onward to a fifth.When Symantec went through a similar CEO transition in 2014, I posted a blog to suggest what I would do as its next CEO, but surprisingly my phone never rang. Nevertheless, I reviewed my two-year-old recommendations this morning and many of Symantec’s issues back then still need fixing. Given this, allow me to review and update my CEO action plan for Symantec:To read this article in full or to leave a comment, please click here
If you follow my blog at all you know that I am quite passionate about the cybersecurity skills shortage and its ramifications. Just to put this issue in perspective, ESG research indicates that 46% of organizations claim they have a “problematic shortage” of cybersecurity skills in 2016 as compared to 28% in 2015 (note: I am an ESG employee). Yup, the ESG research seems to indicate that things are getting worse on an annual basis, and ESG isn’t alone in this belief. For example: According to Peninsula Press (a project of the Stanford University Journalism Program), more than 209,000 US-based cybersecurity jobs remained unfilled and postings are up 74% over the past 5 years. Analysis of the US Bureau of Labor Statistics indicates that the demand for cybersecurity professionals is expected to grow 53% by 2018. Adding to this trend, Computerworld research indicates that more than half of security managers expect their organizations to increase cybersecurity headcount this year adding more pressure to the pot. To read this article in full or to leave a comment, please click here
If you are a cybersecurity professional, you’ve probably read the quote, “AV is dead” hundreds or even thousands of times. The thought here is that antivirus software is no longer effective at blocking modern exploits and malware, thus its useful lifespan is effectively over. Now, when any technology is declared “dead,” it is usually an industry analyst (like me) who makes this type of provocative statement. I remember the analyst declaration “mainframe is dead” from the early 1990s and the more recent refrain portending the death of the PC. In this case, however, many people attribute the “AV is dead” soundbite to a former Symantec VP quote in the Wall Street Journal, which seems to give it more credibility. After all, if Symantec, the market leader, thinks AV is dead, then it sure as heck must be.To read this article in full or to leave a comment, please click here
I’ve been following Google’s BeyondCorp project for a while. In fact, I was recently quoted in a Wall Street Journal blog on this topic. If you are not familiar with BeyondCorp, it is Google’s spin on what’s become known as a software-defined perimeter (SDP). SDP, also called a “black cloud” originated at the Defense Information Systems Agency (DISA) and is now being driven by the Cloud Security Alliance (CSA). To read this article in full or to leave a comment, please click here
Large organizations are embracing public and private cloud computing at a rapid pace. According to ESG research, one-third of organizations have been using public and private cloud infrastructure for more than 3 years and more than half of organizations (57%) have production workloads running on cloud computing infrastructure (note: I am an ESG employee).Of course, cloud computing is very different than physical or virtual servers which translates into a different cybersecurity model as well. And these differences lead to a variety of security challenges. ESG recently surveyed 303 cybersecurity and IT professionals working at enterprise organizations (i.e. more than 1,000 employees) and posed a series of questions about cloud computing and cloud security. When asked to identify their top challenges with cloud security:To read this article in full or to leave a comment, please click here
Large organizations are embracing public and private cloud computing at a rapid pace. According to ESG research, one-third of organizations have been using public and private cloud infrastructure for more than three years, and more than half of organizations (57%) have production workloads running on cloud computing infrastructure (note: I am an ESG employee).Of course, cloud computing is very different than physical or virtual servers, which translates into a different cybersecurity model as well. And these differences lead to a variety of security challenges. ESG recently surveyed 303 cybersecurity and IT professionals working at enterprise organizations (i.e. more than 1,000 employees) and posed a series of questions about cloud computing and cloud security. When asked to identify their top challenges with cloud security:To read this article in full or to leave a comment, please click here