RSA Observations: Startup Fever, C-Suite on the Hook, and the Problem with Dumpster Diving


RSA was very different this year, signaling bigger industry shifts. Here’s a run-down of my observations:

A bigger, better RSA than in years past

  • This year marks Netskope’s first RSA, and after more than two decades in the security industry, this was the biggest and most exciting RSA I have ever attended.
  • It was clear to me that there is more interest in security than in previous years. Additionally, I found that the really interesting discussions were not taking place in booths, but rather in meetings and events affiliated with the conference just around the show. I spent 95 percent of my time in meetings with CIOs and CSOs at Fortune 1,000 companies who are actively searching for solutions to meet their enterprise security challenges.

Out with the old, in with the new

  • Unlike in previous years, there was a lack of interest in traditional solutions. CIOs and CISOs told me over and over again that the challenges they are facing have evolved. They are no longer interested in the safe approach; they are desperate for the innovative approach.
  • There was a realization that security challenges are bigger and more complex than ever before, and historical solutions are no longer suitable for their needs.
  • There was more enthusiasm for startups—not just Netskope, but across the board—than I’ve ever seen at the show.

Security – no longer just a CSO concern

  • Something else rang true to me. Security is not just a concern for the CSO anymore. Today, security is squarely in the sights of the CIO. That’s because the CIO’s job is to enable the business. If there is a security problem, the business isn’t being enabled. Security’s profile has risen; it’s now a conversation across the C-suite.

Move to enablement – not control

  • A CSO at a major healthcare company I met with told me that today, anyone in IT or security knows that it would be impossible to completely shut down cloud and mobile activity – it’s just too integral to the business.
  • Now the major concern is how IT and security executives can enable cloud and mobile, while still protecting the business.
  • The most interesting thing about how this viewpoint has shifted is that CIOs and CSOs are now viewing their employees as users they are aiming to please, while still keeping activity safe.

Addressing insider threats when you’ve already enabled them

  • Decision makers’ posture towards users (employees, partners, even contractors) in general has moved from that of “controlling” to “enabling”. This has created a need for a more nuanced approach to the “insider” threat (which is posed by these same users whom IT must enable), especially when it involves the use of shadow IT applications/resources.
  • In parallel there’s been a dissolution of the concept of a geographic or physical “inside” – users are now mobile and working from anywhere.
  • In an enabling culture, CIOs are looking to technology vendors to fit into this new dynamic. Unfortunately, though, legacy systems—like next-gen firewalls and traditional gateways—do not have the architecture or capabilities to deliver the deep activity- and transaction-based visibility, context, insight, analytics, security and policy enforcement to solve the insider problem … let alone cover the many remote and mobile use cases.

‘Dumpster diving’ isn’t getting CIOs anywhere

  • Across the board, decision makers are struggling to gain insights into cloud app use and are admitting how unprepared they are to tackle this project.
  • Many of the CIOs I spoke with solve the visibility problem by ‘dumpster diving,’ or sussing out non-IT-sanctioned use of cloud apps by poring through expense reports.
  • The problem with this approach is that cloud app use in most enterprises goes into the hundreds of apps (see more data in Netskope’s recent Cloud Report) and dumpster diving is simply too time-consuming to be an adequate solution.
  • Even companies that have data scientists are not capable of solving this problem because they don’t have any data to analyze.
  • However, CIOs are searching for help so they can better understand users’ needs and make them happier and more productive, while protecting the business at the same time.