EMA: IT and Data Management Research, Industry Analysis and Consulting

Thoughts and Lessons Learned From an Analyst and CISO Conference

Written by David Monahan | May 15, 2018 2:52:00 PM

The week of April 30, 2018, I spent a few days in the great city of London at “The IT security Analyst and CISO Forum,” a small, invitation-only event hosted by Eskenzi PR and Marketing. It was my first year at the event, so I wasn’t sure what to expect. After I arrived, it was obvious the Eskenzi PR team had this event down. It was well orchestrated and executed, and the entire team was very professional.

I was one of about 15 IT and security analysts from analyst firms representing the EU and the USA. There were about the same number of vendors representing a diverse set of solutions and services, and a similarly-sized group of CSOs and CISOs from various industries across the UK including finance, banking, and national government.

The first day was a sort of speed dating event not unlike others I have attended, where each analyst met with each of the clients in 30-minute sessions. They went by quickly, but unlike mega-conferences, where days of briefings can make everyone numb, the single day meant the analysts could pour more energy into the meetings not having to worry so much about keeping a reserve for more of the same in the next few days. Each party was thoroughly engaged in the discussion, creating an enriching two-way conversation where both the analysts and the vendors received value. I was able to create new relationships and reinforce a few old ones while getting useful information about the vendors. Simultaneously, I provided each of them with insights to aid them with information about their target markets, marketing approach, and feature development roadmaps.

The second day was different from most conferences I attend—it was more informative. It was a round table event with Q&A between the analysts, vendors, and CISOs. This format of having all three groups attend concurrently was unlike any other event I have attended in my 20+ year career as a CISO and five years as an analyst. There were two main differences:

  1. Everyone had the opportunity to ask at least one question. Analysts and vendors queried the CISOs, and the CISOs could ask questions as well.
  2. Unlike the U.S. events, the CISOs were very open about their challenges, issues, and goals across each question. The commitment to “Chatham House Rule” made all the difference.

For those of you, like me, who are unfamiliar with that rule, it was created to facilitate this type of candid conversation. Everyone agrees that all participants and their comments remain anonymous. In the ten-plus years of the event, no one has violated the commitment. Having attended all of my previous events in the U.S., I have found that while in personal conversation, many people are willing to open up off the record or anonymously. However, the responses in this forum were significantly more open since everyone trusted that each attendee would follow the rules. Such is not generally the case in the open forums in the United States.

As I understand it, the vendors support the event with an admission/participation fee. I specifically asked multiple vendors if they felt the event was valuable based on the cost, and all thought it was.

A few useful points:

  1. Most of the CISOs support bug bounty programs for improving security so long as they are properly structured and orchestrated, so everyone participating knows the rules.
  2. When asked to rate the priority of addressing the technical skills gap, the highest answer was 9 out of 10, the average was 6.5, and the lowest was 4. Everyone thought technology helped address the skills gap at some level. Interestingly, those who gave the lowest answers felt that the direct technology skills gap was as much of an issue as simply finding interested people with the appropriate soft skills and attitude.
  3. The bigger issue is the continued expansion of automation and orchestration across IT and security to create faster identification, response, and remediation of incidents.
  4. With all the media attention on malware and especially ransomware, many CISOs thought the focus was wrong. The real issue was whether an attack of any kind from any source will stop people from working or otherwise disrupt business operations. The technologies are meant to keep everyone working regardless of the attacker's approach, and vendors of all kinds need to keep that in mind. Keep people working or get them working again ASAP.
  5. Today’s tools need to deliver. Integration is the true value, not working in silos. Facilitate data sharing. If tools can deliver on that, then outsourcing to an MSSP will show more value because the MSSP creates the integrations and does the manual work on the back side.
  6. MSSPs need to provide that sort of value without nickel-and-diming customers for everything. Sometimes the friction comes from a lack of common language for defining terms. More often, it's because the MSSP is not flexible enough and is thus seen as money grubbing.
  7. All of them believed the marketing around artificial intelligence (AI) was just hype. AI has not been achieved. The machine learning and deep learning capabilities are far ahead of what we had even five years ago, but the marketers need to stop touting AI.

There were other issues discussed throughout the day, but this is not meant to be a book, so I’ll stop here.

So, hats off to Eskenzi PR and the participants of the event! I look forward to more opportunities like this, and especially participating in this event again next year.