What I've Learned from CISOs: A Q&A with Rafal Los, Optiv Solutions Insight
Optiv's Rafal Los discusses the top concerns for CISOs right now and offers tips and insights on how security leaders should approach their strategies.
In May, we held our fifth podcast with Rafal Los, Optiv's Managing Director of Solutions Insight, who discussed the lessons he has learned over the years advising security leaders around the globe. Here's an excerpt highlighting our conversation with him. For more, tune into the full podcast below or on iTunes.
What are the top concerns for CISOs right now?
That’s a good question. From a security leadership perspective, what’s really top of mind right now is the interesting climate that we’re in from a business perspective – the mergers and acquisitions from the last couple of years have slowed down a lot of industries. The shine is wearing off of the initial FUD that has been used to implement various levels of security measures at companies. Security leaders are now taking a hard look at how security “really” starts to impact their organizations. I think we’re finally starting to see the tunnel at the end of the dark ages where everything was urgent and critical and now looking at where every dollar in the security budget should go. We’re taking a look at all the tools and technology we’ve implemented over the years. So what’s the top priority? I think it’s getting the house in order, frankly.
So “getting the house in order”, what’s the first step security leaders should take? How do they gain visibility to start?
There are a couple of things. At the leadership level, it’s understanding the corporate priorities and understanding the dynamics of your company. The way you’re targeted, the way you defend yourself, and your tolerance for downtime and loss are all different if you’re at a healthcare company versus an educational company. So security leaders need to ask themselves what their company dynamics are, what resources they have at their disposal and what their current capabilities are. A lot of this is inward-reflective. What’s my budget, how many people do I have on my team, what are their skill sets, and how do I keep them here? The last part of gaining visibility is strategy assessments, whether internal or by a third party. Here’s what I think I know about my organization and how we should be defending ourselves. How does that line up with what whoever is assessing us is seeing?
You mentioned that security leaders need to be inward-reflective and ask themselves about budget and personnel. Where do you see most of those budgetary and personnel efforts being concentrated?
It depends, really. I am seeing, like a lot of industry analysts have been saying, that there is a tremendous focus on tools rationalization strategy development. It’s the “we’ve bought a bunch of stuff, but what’s actually helping me versus what’s hurting me” dilemma. I’m seeing a lot of services-driven product purchases to help organizations make sense of their space and of how many different tools it is okay for them to have versus what would make more sense and make them more operationally efficient. There’s a huge emphasis on operational efficiency.
How do you measure, though, some of those internal tools that are deployed for efficiency, effectiveness, or identification of, let’s say, attacks?
The approach I take with the leadership I talk to is, let’s decide what value looks like, what you’re trying to achieve and whether what you’re doing and the tools you’re using are helping or hurting. The trend I’ve been seeing over the past seven to eight years is a shift away from defining process and strategy around tools, especially in the endpoint space because there are so many options.
We’re starting to realize that the tools we buy should support our strategy, our workflow and the way we operate – not the other way around. For example, let’s focus on that endpoint EDR space. What’s the impact to productivity? How fully deployed are you? How much time does it take to manage? Whether you have a technology gap or not, it needs to be able to fit with the world view that your organization has. Let’s pick on application whitelisting for a second. If you’re trying to do application whitelisting in a company which culturally and historically has not been used to restricting endpoints, you’re in an uphill battle.
Do you see any current trends or potential trends associated with people forgoing that potential for optimization, or the opportunity to optimize what they’ve gotten, truly maximize and realize what they’ve already invested in, in lieu of chasing the next shiny service, or the next shiny product, or the next aggressively marketed concept? Do you see that happening, Raf, or do you see a more metered and measured approach being brought to bear amongst the CISO community?
Like I mentioned before, a lot of the fear-driven slide decks that we’ve seen are going away because people are calling BS on them. Security leaders are now asking vendors to present how they’re going to solve the problems they already know exist and how the vendors are going to work with their existing environments. There’s still going to be the “I’ve got a nail poking out of my wall, somebody quickly sell me a hammer” people, but I am seeing a shift towards a metered strategy that looks down the line.
We’re starting to take a more rational approach to enterprise security that incorporates conversations with legal, HR, and risk, and that looks at tools, processes, workflows, and how people interact in company culture. It’s a shift from purely tactical and “management by headlines” to a more strategy-driven organization. I’m pretty excited that security leaders are becoming more focused on long-term planning, short-term adjustments, metered value, KPIs and KRIs. We’re learning how to spend our money wisely and expect returns on it without trying to calculate some black-magic ROI on the back end to justify insane notions of absolute security.