What Do Modern Cybersecurity Products Do?

In a discussion not too long ago with a few colleagues (one of the most intellectually rewarding activities as a Gartner analyst), I shared a few thoughts about the evolution of cybersecurity products. Some of the participants suggested it would be a good idea to share these ideas more widely.
I thought this would be a good opportunity for my first Gartner blog post, a bit more than a decade after I joined!

Here is the main thesis: anything interesting or new introduced in the last 3-5 years in cybersecurity does one or more of the following three things:

  • Attack surface management: discover the current environment, identify relationships between components, identify external exposure.
  • Security posture management: catalog and assess, identify misconfigurations, prioritize findings based on risk, propose remediations. This is asking the tool to ‘find out what is wrong with what is out there’.
  • Detection and response: during runtime, identify suspicious behavior and alert or take action to remediate.

Add your domain of choice in front (cloud, applications, data, SaaS, endpoints, networks, …) and you end up with various acronyms such as: EDR (Endpoint Detection and Response), CSPM (Cloud Security Posture Management), SSPM (SaaS Security Posture Management), NDR (Network Detection and Response), ASPM (Application Security Posture Management). The surface management capability often comes combined with the posture management one, and sometimes all three are combined in a single platform. Examples of the latter are API Protection products and Cloud Native Application Protection Platforms.

Why would this be happening? Simply because it is following the natural evolution of what security practitioners do in an organization. In a context where they participate less and less in creating, deploying and configuring infrastructure and applications, the role of security practitioners is to:

  1. identify what is out there
  2. find out what is wrong with it and propose fixes
  3. keep an eye out for anything suspicious.

New security vendors (there are a lot of them) are fighting for attention. A new tool must be non-invasive but also easy to integrate with the existing tools and infrastructure. It must quickly provide actionable conclusions without expecting whoever operates it to devote their undivided focus to it.

Take, for example, Application Security Posture Management. Security professionals are less and less in charge of conducting code security testing – developers are. Application Security Posture Management tools discover and integrate with software development pipelines and code repositories, scan them for vulnerable components and pipeline misconfigurations, and orchestrate remediation workflows. In doing so, they allow security leaders to enforce their security policies throughout the software development pipeline.

Generalizations require approximation. Not everything will align perfectly with this theory. I do expect that some of you reading might already be thinking of counterexamples, where this logic might not apply. In fact, I am hoping that some of that healthy criticism makes it into the comments section.


But if we can agree that this reasoning generally stands true, the question is how does this help you (the typical Gartner client that I advise), the CISO? The truth is, I am not entirely sure. This is one of the reasons why these thoughts are captured in a blog post, rather than a Gartner research report. But hopefully, it should give you a method to cut through the noise when looking at new cybersecurity tools. The next time you are pitched a new cybersecurity product, try to identify these traits. The goal is not to look for a product that does everything. Rather, it is to understand more easily whether it will address your current needs and how. Does it perform discovery or expect you to describe the environment to it? Does it provide posture management, identifying things that need to be fixed in your current environment to reduce risk? Does it protect during runtime by identifying anomalies in behavioral patterns?
