Should security professionals set industry-wide standards with SOAR?


Deputy CISO, 10,001+ employees
Look at the ISACAs: are those successes or failures? A professional organization driven in the security industry, is ISACA a good thing or a useful thing? In my 30-year cyber career history (that obviously predates ISACA), I can't ever think of a time where ISACA brought me, like, "Here's the thing going on," that Krebs didn't bring first. I get we should do it. We should be able to do it, but we don't. And if we can't do it with ISACA, how are we gonna do it with this?
VP, Chief Security & Compliance Officer in Software, 1,001 - 5,000 employees

Chris, I'm right there with you. Right there. But then at some point, someone has to stand up and say, enough's enough. We are going to lose these battles. Because the actors, they all collaborate. They don't have this internal squabbling.

VP, Chief Security & Compliance Officer in Software, 1,001 - 5,000 employees
The threat landscape is changing so aggressively. The reliance on automation and the ability to ingest the threat, the intelligence, the risk, the ranking; we have to be more intentional about it. You can't drive toward automation without having a plan, without good processes and without being intentional. The threat actors, they have one mission and one vision. They're united. They work together a little bit more seamlessly than we do when we have strategic jockeying from a political perspective, so the CTO or the CIO. They're able to drive a united vision faster sometimes than we can.

With the forward movement and forward focus of our technology teams and product teams, there is an aggressive move to the cloud. This gives us the capability to shape the conversation of next generation security architecture. I think we as professionals have a clear line of sight into the risk posture, the inbound impacts, the change in tolerance that our clients have around carrying the risk, and expectation that as a company you carry the risk. I think we have the ability to leverage; don't waste a crisis. And I think we have the ability to begin that paradigm shift and say, "There is a fundamental basis that all new technology has to onboard with and comply to." We're at that point. Because here's the thing, if we don't make this statement now, we're about to repeat the catastrophes that we're trying to manage in deprecated systems. We are going to rebuild it in the cloud.
Director of IT in Healthcare and Biotech, 1,001 - 5,000 employees

I'd agree. I'd say just making it part of onboarding a new software application, anytime anybody does retirement or refresh.

Deputy CSO in Services (non-Government), 1,001 - 5,000 employees
In a bigger sense, our profession does not have a security architecture, our profession is led by vendors. The vendors say, "Hey, look what I've got, it's brand new." CrowdStrike or SOAR, whatever you want to do, AI and ML. And we jump on the bandwagon. Traditional IT had an architecture, and it had a roadmap, and it moved along with it. Until the security profession builds a security architecture, creates those standards, we're going to be really just hanging on the coattails of the vendors and their next new thing that they say is going to protect us.
Director of IT in Healthcare and Biotech, 1,001 - 5,000 employees

Adding on there, it's going to be a hell of a lot easier to go to the board and say, "Hey, I can spend a billion dollars on a SOAR product, or you can give me 10 developers."

Deputy CISO, 10,001+ employees
I don't know how to tackle security standards. I would love to do it if somebody said, "Hey, we're going to have a meeting of the minds." I would love to be part of it. I don't know how to do it, because IPG is not going to invest, "Hey Chris, you take two weeks off to go do this."
VP, Chief Security & Compliance Officer in Software, 1,001 - 5,000 employees
I've struggled with standards, because it's really just a method for another industry to make some money. We certify against what we now picked up; another industry cert, we've got to certify against it. And I've got nine certs, plus we respond; we had 440 audits last year and then nine certifications. And the reality is they're all self-testing the same control.
Deputy CSO in Services (non-Government), 1,001 - 5,000 employees

It's turned into a way for revenue.

VP, Chief Security & Compliance Officer in Software, 1,001 - 5,000 employees

It's killing us. But how do you tell a client, "I've got 90 other certs that you can pick from," but they want this one cert in order for us to sign a contract. So load it up, another cert.

Deputy CSO in Services (non-Government), 1,001 - 5,000 employees

If we could ever come to a universal or a common control set, it would theoretically make that easier. But they all throw their own little nuances in there that they want blue, not green.
