Good afternoon, ladies and gentlemen, welcome to our Koa call webinar cybersecurity investment priorities, 2020 I'm Martin Koor co-founder and principle Analyst at Koa Cole. And for the next 30 to 40 minutes, I'll talk about what we see as the areas you should invest in when it comes to cybersecurity in 2020, but also how to focus and shape your investments, given that budgets always are tied.
So the question also is how do you figure out where to best spend your money before we start some quick information about Cola and some housekeeping information co and co we are an as, you know, an Analyst company headquartered in Germany, we serve three practices, plus a couple of other topics, our practice, our identity and access cybersecurity and artificial intelligence.
And for these practices, we deliver a variety of information and services, including our research, such as executive view reports and leadership, combust documents, our inquiries, direct conversation and advisory projects and direct support for your strategy or roadmap, things like that.
We do a lot of events, webinars conferences, such as our European identity conference and eLearning. When we look at our research, we have a couple of formats. The most important ones are leadership compass. We compare vendors in defined market segments and identify leaders they're in.
And that us leave all of our, our flagship product. We have our executive view reports, which focus on specific services and products and described in a very concise manner. We have advisor notes around trends and other recommendations and sure leadership briefs, which help you make targeted decisions. What's new is that to gain access to our research, we have introduced a new brand new content and research platform, Casey plus.
So if you go to our website, you'll find a Casey plus link at the top, which is then very easy to search, very easy to find the documents and it's available on different types of devices.
So easy access from mobile devices and other things you can download PDFs, but you don't need to anymore use it in the way, which is most appropriate to new way of working. And the cool, I believe is you can pay once and then read all the content. It's only 800 years to get full access to all our research for the next 12 months. So don't miss the opportunity to access KC.
Plus we also have a of advisory products which are around strategy around portfolio management and also project guidance tools choice. I don't go into detail here because I touched some of the aspects in the context of how to really select the best investment. So to speak. I'll go into detail later on in this webinar, we also have a number of events, cyber, or around cyber security, consumer identity, and AI coming up. Some of them pretty soon, some of them come up in the next year, like our European identity conference, 2020, which is the mainly went around identity and access.
And you shouldn't miss to attend this for the webinar itself. Audio controlled your muted centrally. We are controlling these features so you don't need to care about this. We will record, we are recording the webinar. We will make the podcast available usually by tomorrow. And also we will provide a slide deck for download, and there will be option to ask questions by the end of the webinar. So you can enter questions at any time in the go to webinar control panel so that I can then pick these questions.
When we, when I come to the end of my presentation and walk through these questions. So let's look at cybersecurity investment priorities and where I wanna start is what, what really leads to the scenario, where, where we all know we need to invest more. We always still have to fight for budget, and we have a couple of other challenges, and that is also why we need to, to change the wave.
We do cybersecurity and why we need to focus our investments in a well sought out manner. So the frequently perceived number one challenge.
It's a big challenge as the skills gap, we really find all the experts we like to hire. And, but there's also too little security knowledge of the average users. So cybersecurity is still something where, where we don't really find much expertise and we clearly need to look at that. And that's a challenge that we need to also figure out ways to deal better with that, which involves also our investment priorities cause things which help us to close the skills gap. To some extent, obviously are pretty hot on a list of investment priorities.
We have an ever increasing number of attacks regarding both the number and the severity of attacks. And there are no real signs of any change here and these things happen permanently.
So also in that context, the zero day attacks trust this morning, I've got the, the news button, new attack vector, which affects Microsoft internet Explorer. The patch is here right now, but it's one of these zero day attacks. So which is actually a minus day attack.
So the, it has been detected a while ago, and there's the risk that attacks already are running until the patch comes out. It's sort of an open window effect of cybersecurity, and we clearly need to figure out ways to deal with that. We also need to understand, we never will have a 100% security. That is also because there's an industry behind that. There's a business model. There's an industry behind cyber cyber crime. There's an imbalance. And that's the other problem. We always will face an imbalance of ADC and defense.
We, as the defenders, we have to protect ourselves against one attack.
The attackers against all attacks. The attackers only need one successful attack vector. So it's far easier for them than it is for us.
Also, again, we need to understand how can we protect and what can do we need to do well beyond protection. We have environments which are not as stable anymore. They are more agile and we must adapt to that. There's the cloud.
So data, so to speak, sprawling applications are sprawling. We need to get a CRI on that. And finally, there's the ever increasing business impact. So when we look at what can happen with cybersecurity, cyber attacks, these con consequences, these days are definitely beyond just the downtime of systems. They can kill your business. If you're a bank and you run out of business or run out of it for two or three days, then you're in real trouble.
And we have seen when you look at some of these very sever attacks around ware and other stuff, which have fit certain types of companies, pretty, pretty hard, then there's a big business risk behind it.
And we need to protect against them. That obviously impacts the investment priorities. So what do we need to do before we then move to all this investment priorities? What do we, what are sort of the premises for successful cybersecurity?
The, from my perspective, most important one is we need to go beyond protect and defend. This is not enough anymore. And we need to spend on extending what we are doing beyond that. The first premises you are a target. Every organization, every individual is a target at least by automated attacks. And if you somewhat relevant in some way, your supplier, you have some important knowledge in your organization. So for instance, a manufacturer, your financial service organization, then you are always target of targeted tax. You are under attack.
There will never be a second point, never be a 100% security that it just will not happen.
You need to assume preach. You don't need, you shouldn't assume you're secure. Feeling safe is definitely the worst thing you can do assume breach it will happen. It probably happens trust. Now there's obviously the notion of zero trust. Yes. And you shouldn't trust the single, the Ts firewall or whatever else system, because all of these systems can be breached. The more information you collect, the more proof you have that this is a correct and, and well access. The better it is.
You need to stop the letter and movement and you need to combine a lot of things here. You need to plan for the worst. And that is maybe my biggest point around what to do around cybersecurity investment. It's not only about cybersecurity, protect and defend. It's also about recover. So you need to look at what can you do to get back to a secure and reliable state.
Immediately, cybersecurity must become more than trust the defense part. It's also about how can you get up your systems or can you get your systems up and running immediately? And all this is also beyond tools.
So tools are important, but organization, process policies, all these things have to work hand in hand up to the, the, the black suit and communication. So when something goes really wrong, your sea level needs to be prepared for a well thought out and well prepared, crisis communication. And having said this, my perspective is we need to shift the focus, so to speak recovery first. And that is when we look at at investments, clearly a, a shift. So most of the investments today still go into protection. Maybe also some extent detection, yes, important, but not enough anymore.
You need to be able to restart your business, your critical services, your essential services rapidly.
You need to be prepared for that. That means also that we need to increase the focus of what is cybersecurity.
So, and when you look at some of these circles and, and other flows you have for identifying, protect, and defend and whatever they, at some point come up with, how can you recover? But there's not really an emphasis on that is on the other end, from my perspective, and from my recommendation, the essential thing to look at right now. So you need to understand your risks. That's the first thing don't ignore them. Don't make them smaller than they are. They will not go away. And even if you ignore them, they're still here. So yes. Understand your risks. Yes. Prevent it's still important.
So keep or build a strong layer of defense. Yes. But still assume preach. That will never, ever be enough.
Again, you need to understand what is happening to be able to react immediately.
Obviously, if you understand there's something happening it's better than to recover from it.
So yes, you need prevent. You need detect, you need the analyzes of what is happening. You need strong technologies here going beyond traditional theme, into supported things, supported by AI. So what is called today? So our so R so all these complex analytics things. Yes. If you can defend, if you can respond wonderful, be able to stop, but still assume the things can, and in some instances will go wrong. Something bad might happen. That might be not super critical, but it also can be really, really critical. And we have seen several scenarios, many scenarios of that.
And then it's important that you can recover. Whatever happens, be able to get your systems up again rapidly. That is what is powered from my perspective today of what we do must do in cybersecurity.
We can't leave that part separate. It's part of our circle. It's part of our approach. Then we can improve and try to improve both security and resilience. Yes.
So this is what, from my perspective, when we look at where to spend money over the next couple of months for the next years, when you, for instance, in the budgeting process right now, that is essential to look at that also means that there's are things which need to be changing in, in the organization. So, so what are essential organizational actions, as I've said, it's technology.
Yes, but there are other things you need to do. Policies process, etcetera, at education is one of these things do at UK cyber security awareness trainings, educate your organization, ask the experts. And you also can ask us about how to do it, about how to support you on that. Understand your business risks goes through and well analyzes that, what does it mean when whatever I set happens?
So what is the consequence of outage? Don't cheat yourself. Don't ignore the reality, build a secure DevOps environment, which is really always taking security into account.
Not only DevOps, it must be staffs. And it's something which goes beyond the C. My perspective is we need to redefine a role. We need to define a role where the C is responsible, not only for the prevention, the protection, but for the entire thing. He must support that the business is able to continue to run. And that includes BCM business management and check your portfolio.
Literally, all organizations, I have seen have too many tools. And on the other hand, they have gaps. The problem is if something goes wrong, or if there's something which might go wrong, which becomes popular as all the warnings you read in the magazines and online, et cetera, then the, the typical reactions, oh, we need something to protect again against this.
Then there's another tool, too many tools don't really help. You need to understand which tools do you help. And you need to understand where are my gaps. That is what you need to do. And this is what I would do before.
I would decide about a budget is going into a rough cybersecurity tools, portfolio analyzes understanding. And I'll talk about is more in detail in a minute, understanding what are the, the, the tools which are, are really essential and what are the tools that are of less I relevance? Where should you put your focus on what is lacking? Understand that, look at this. And that starts with what is the risk? What are the things you need to protect?
So go back to the risk and understand what are your organization's grow ground tools in the sense of information, in the sense of processes that matters to work in the sense of system that must be up, what are the things which are really your big risk and what can happen to these?
And can you protect, can you detect, can you recover from these attacks? What do you need to do there without really adding this recovery piece? You will inevitably fail. So what are our key topics then to do in, in cyber security? So where should you put your investment priorities on?
I will not talk about buy whatever, no, forget about it. Net next generation firewall by that or that or that.
No, that is not a point. It is about understanding. What are the topics, the areas where you need to focus on to understand where you spent the money. The first thing is, keep your business alive. So understand this. I touched it, understand what can kill your business? How resilient are you? How can you restart, et cetera? Are you prepared? That is the first thing that is where you need to start. What are the really, really problematic things that might happen?
And what can you do to protect, protect, and recover?
The second area is security operation center or cyber defense center, or however you'd like to call it. Is it something which is really then something which helps you to, to, to defend, to, to react immediately. Do you have service providers that assist you? Do you make use of all the AI capabilities that you have around? So are our security intelligence platforms modernize it, build the organization, build the processes, get this thing up and working. This is a clear investment priority. The search thing is optimize your tools. Landscape. It's not about having too many tools.
It's about understanding which tools you really need. Do it, check your portfolio, optimize your portfolio education. Yes. Still important, always important. I'd already touched her. Also have a process which says if there are certain types of new fishing mails and other stuff that quickly informs your people so that they are aware, okay, this is another thing better.
They ask one, one time more that then they click on the wrong mail and the wrong link. And if you have factory floors, don't forget them.
And if you have IOT, don't forget that operation technologies on the factory floors, all this data stuff, etcetera, IOT, the internet of syncs and industrial IOT. All these are related to what you're doing in cybersecurity. You can't keep that these parts of security's OT security isolated in, in this age of smart manufacturing, you can't keep it segregated. You need to serve both security and safety and you need to integrate because data is flowing. There's a connection. And simply said, once you're connected, you are under attack.
And once you connect your factory floor, your factory floor is under attack. So look at this as well. If you're affected by some of these technologies areas, what are the key technologies?
Some of them are already touched. And these are again, the technologies, which are hot on the list of investment priorities, including AI, that, which I will touch a little bit more in detail on the one of the subsequent slides. So all of the security intelligence, whichever term you use today, sort of theme sips or UBA, all that stuff. Yes.
The stuff which helps you identifying anomalies, the outliers, the things which are not normal and react on these quickly or help you analyze these quickly are important because obviously it's better to understand what's happening, but you never will catch all of the attacks. There always will be things which you don't identify.
I access management from a technology perspective, super, super essential at the end, it's about authenticating the user, having a well sought out access management, understanding who has too many entitlements, all the stuff you needed, and you need privileged access management.
There's no way to get rid of, or to avoid privileged access management. If you don't have it, put it super, super high on your list. By the way, if you miss some of these things, you never will pass an ISO 20,000, 20, 27,001, two slash two audits, things like that.
You need to have these capabilities and yes, you have to have a strong foundation identity, a modern one. And we had many webinars around identity fabrics and other approaches. How do you do identity management in the modern way? Ready for the hybrid reality of your business? Look at the recordings of our webinars. Defs yes.
Do it right. Manage this environment.
Well, automated, fully integrated it, OT IOT. I just touched it and add AI, wherever it works. There's a lot of very interesting technology. So what is the set of technologies to add beyond that? And that is, again, going back to this business continuity aspect, it's beyond cybersecurity business continuity is key, and it must be part of what you do in cybersecurity. It's not a separate thing anymore. It can't be a separate thing anymore. It's not sufficient to focus on the security tools. So what do you need? You need a back and restore.
And one that allows you to know that you have a backup that is not affected by a longer running attack, something which allows also for rapid recovery. You need data management, understand where your data resides, how it is protected and how you can recover. If you don't know where the data resides will fail.
There's there are a lot of technologies out these days, which help you understanding where is am I structured data? Where are the relevant, the critical data, and where is the little unstructured data? There are technologies that help you get a, getting a CRI on that.
You need these technologies, you need virtual workspaces in some way. So before you walked to all the PCs and the notebooks, etcetera, trust restart them in a way. And the same, if you do virtualization, ization and keeping a consistent state of these containers, well, then it's easy to bring up systems. Obviously the more legacy you have, the harder it gets, but the, the shift towards containers and microservices helps helps you in, if you, if you really do it well and do Def zag ops to restart services far quicker, this is part of what you need to look at.
How can you get cut this things up and cloud infrastructures? So one thing is it's, it's really easy to restart a lot of stuff there, but it's also usually a better protect thing.
Obviously, you also need to be aware of the fact that even large prominent cloud service provides might be hit by a server attack. So you need to have something which is for the really critical workloads, also an exit strategy or a backup strategy in that way.
Yes, but again, a lot of things are better from the security and recovery than they are in your typical own data center. So obviously the question always comes up is AI and ML is just the holy grail of cybersecurity, all this artificial intelligence. So there's brain in the machine.
No, it's not a brain in the machine. It's just some mathematics used.
Well, maybe that's also a little over the top, but it can support cybersecurity.
Yes. And there are couple of areas where it helps and all the detection is one of the things, the more data you have, the better systems tendency are in identifying what is not standard, what is not normal. It can help you in decision support, reducing complexity in a variety of ways. Things like analyzing all the various documents, which describe stuff around and, and attack. There's a lot of text understanding capabilities, etcetera. There's some interesting use cases out there.
AI definitely can help fast search. So identifying stuff, which you don't use. The text understanding, I trust understanding of text. This is used in a variety of areas, does include analyzing all these notes around new, new incidents, all these, this, all, all the, the background information, cetera, threat intelligence.
What, what are the new threats? Again? This is some sort of analyzing a broad amount of data and comparing it, user behavior analytics, also sort of a specific discipline of animal detection, threat analyzes.
So doing details, understanding complex things across systems, and to some extent, make decisions, understand, and, and automatically mitigate risks. So in several areas, AI can augment what you do. So having said this, I touched a couple of points around, where should you spend your money? What are the big areas I recommend?
And I also touched the point that it's important really, to understand this to something which helps me, which really delivers benefit. And I, and we have in our right advice where we have a couple of standard methods, which help in easily comparing technologies and then easily doing a portfolio management. I will give you a little bit of an, an impression on that right now here. So the one thing is you frequently have situations where you have different types of technologies. So you might say, okay, one approach to solve my, my IGA, my identical and restoration is going for, for on premises.
The other is probably going for IGA. And one of the things we recommend, we use it as in, in for instance, our leadership com and other types of research, we do. So defining the relevant dimensions, have a look at some of the most relevant dimensions in the next slide. Then you can rate the technology. So where do they stand with respect to these dimensions? And then you can make your decisions. It helps you to get a better perspective, make it graphic, make it sort of try to, to make it attractive.
And then you can use, or, and try to use common dimensions that propose several of them later on, and also include obviously standardized ratings for tools then when you compare different stuff. So when you then look at the tools within one of these spaces after have made the decision I go to left, or right then tools such as our leadership compass obviously help, and you should really go through it and try to validate, do my existing tools really to deliver to what I need today, or are they actually pretty weak in what we need?
So if you do that for existing tools, you might end up with a very interesting learning that some of these tools not really deliver. So they're pretty much center will have a lot of weak areas, and then you should reconsider, are there better things to do? So what are some of the aspects to look at? One is cost, obviously, what is the total cost of ownership, deployment, operations, et cetera. And also that's one of the challenges.
You might have some tools, which were great in the earlier days, but which became overly complex or tools, which just are super complex to integrate today because they're somewhat outdated. The second super important aspect obviously is risk mitigation. So that is maybe even the most important one, but at the end cost us from a reality perspective, equally important, but risk mitigation at the end is maybe the really the most important one.
So today really help you in mitigating risks, take a clear perspective on that.
Look at what does the today's, what is today's situation regarding all the cybersecurity attacks, the attack, vector, your risks. Do these tools really help you today, or are there things which help you much better? So if most of your users are mobile and access to cloud, it might be that your firewall has lesser relevance than it had before. When most of your digital workloads already are shifted to the cloud, but there might be different types of technologies now, which help you much more in protecting these workloads in protecting this access.
And at other point is feasibility, can you implement and operate a technology or tool? So I frequently see organizations which have really cool tools, but the tools are just so to speak too big in quotas for them time to production.
How long does it take to make this work? So the time to mark of your tool stuff, which doesn't help you now doesn't help you much. Does it support your, the reality of your business? Does it support your own premise and your cloud applications? Does it support your factory floor? If you have one cetera, how mature is the technology? So it can be too mature.
It can be immature. You need to find the right balance sometimes yes, you need to go for modern new hype technologies because you don't have an option. On the other hand, we all know that these technologies might be replaced by something different rather rapidly or might merge into other technologies.
So we, for instance, see a lot of the, the UBA and U EBA sort, the user behavior analytics stuff, merge and converging into other tools instead of remaining a separate, broader category.
And obviously also other vendors and providers, depending on the model, stable enough for what you need. And the other thing you should do from our perspective, this is something where we can very well support you is, is portfolio management. Understanding. I kept us very, very neutral here.
Understanding then when you look at a broader set of technologies, so spider is more for comparing two or three or four approaches. But if you look at all the tools you have, you might start really with one map. That looks a little bit like that, which that's okay. We have our total cost of ownership. 10 is low in that case. Zero is higher. We have our risk mitigating impact. 10 is higher. And very obviously the upper right Coran is the one which makes more sense. So if you have something which costs you a lot of money, lower left quadrant, it costs you a lot and it has little impact.
Then there must be another very good reason to keep that technology. So the more it goes to the lower left worse, it is the more it goes to the upper, right? The better it is.
Again, define the dimensions and you can use, for instance, these two, you can also create a couple of these metrics. This was different dimensions. That's very frequently, very helpful. Then you can rate the technology and tools. As I've said, different ratings, you can bring in maturity and other stuff, and then you make your decisions and optimize your portfolio. So what I recommend for you to do when it comes to cybersecurity, investment priorities, extend the scope of what you're doing. It is more than trust traditional cybersecurity tools, specifically look at the respond part.
This is, and the recover parts already. The recover part. This is really the essential thing you need to integrate cybersecurity in business, continue to management and look at what you have and what you're missing to take a step back and reflect about your cybersecurity portfolio, your tools and service portfolio, because you can, can't manage a too complex portfolio and you should be very, and you also should be look at what is really where you spend your money best because of the, has the biggest impact on helping you to protect, to detect, to recover.
That is we don't have endless money.
Most of you, at least probably not. So look at it, do it right with that. We can come to our Q and a session. So I don't have a question in here yet, but maybe there are some, some direct question other way, otherwise really feel free to reach out, to ask for your questions.
And if you need, for our support, we have, as I've said, a variety of services around that from our research and the new Casey blast capabilities to our services, such as our portfolio analyzes, which is a standard package service you can get from us for your cybersecurity rating.
And obviously also services around strategy around organizational feedback. All this stuff go to our events, look at our research. And there's a lot of research around that. So as you see here, we have so many and this just a very, very small part of it.
Again, Casey blues gives you super easy, very affordable access to all our research. So if there are no di, if there are no direct questions right now, then I thank you very much for listening to this call, webinar, hope to stay in touch with you. Hope to have you soon back at one of our other webinars or with our onsite events. Thank you. And that last day.
