Security Operations Innovator

Adapting to Evolving Security and Regulatory Challenges — A Conversation With Patrick Heim

by Carmen Harris

Patrick Heim is a Partner and Chief Information Security Officer at ClearSky, a leading venture capital/growth equity group that invests in cybersecurity. A former Fortune 500 security executive, he serves as a trusted advisor for early-stage security technology companies.

In a recent conversation, Patrick shared his thoughts on the current state of the security market and how CISOs can address evolving technology and regulatory landscapes.

Q: What do you see as the major challenges facing security vendors today?

It seems that the more things change, the more they stay the same. Many of yesterday’s security problems were never truly solved and exist today with greater complexity.

For example, issues around access management, Active Directory, and directory unification still exist, but now you have to consider things like identity federation, web-based single sign-on, and third-party cloud access.

Consider infrastructure discovery. In the past, it was a challenge for customers to fully understand what was running in the data center or on the network. But today, infrastructure doesn’t just consist of static devices. Infrastructure is now virtual, dynamic, often cloud-based and defined as code. This creates greater complexity around visibility.

The new generation of security vendors has to respond to both existing gaps in “legacy” technologies and cover emerging cloud-based risks.

Q: What impact has the COVID-19 pandemic had on the security market?

The pandemic has pushed many enterprises to respond in two distinct ways. The first is to accelerate digital transformation efforts to rapidly adapt their businesses to competing online. The second is by enabling the workforce to operate remotely. Both of these imperatives are happening in parallel and at breakneck speed.

Security cannot be an inhibitor to these existential transformations. CISOs need to be creative in how they become an enabler to speed these initiatives in a risk-tolerable manner.

This dynamic is creating opportunities for security vendors and fueling innovation for start-ups. Those that enable have seen their business accelerate. Those that are not aligned with these two transformation trends risk being de-prioritized.

Q: Labor analytics firm Emsi reports that the U.S. has less than half the cybersecurity candidates needed to meet increasing demand. Do these skills shortages create opportunities for vendors?

The shortage of cybersecurity skills has been a big problem for years. As investors, we’re very interested in companies that help customers improve security outcomes without the need to onboard an army of scarce security specialists.

That’s why Extended Detection and Response (XDR) is such a compelling technology. It uses automation and analytics to detect, analyze, and remediate security threats — without additional headcount.

But XDR is just one of many promising security niches. Disruption in the DevOps space, for example, is also creating exciting opportunities for security vendors. 

Q: How do you see the market dynamics playing out between current market leaders and security start-ups?

Most innovation comes from small emerging security firms. The greater space of large established security vendors and innovative startups engages in a virtuous cycle that benefits customers.

Large players with established sales channels and customer relationships are acquiring these start-ups. These established firms have distribution capabilities, the ability to bundle and integrate products, and the ability to develop bundle pricing plans.

For example, Palo Alto Networks acquired Demisto and is now rolling out Demisto’s SOAR technology to a much broader customer base than Demisto could have reached independently — a real win for customers.

Q: Given rapidly evolving business and technology dynamics, what are the most daunting challenges facing CISOs?

We touched on specific challenges like skills shortages and DevOps transformation. And anything cloud-related, of course — cloud is moving quickly, and many companies are playing catch-up.

As for managing those challenges, there’s no universal answer. The primary but unstated role of the CISO is to prioritize. Companies are faced with a near-infinite attack surface, an infinite series of problems to defend against, an ever-changing set of threats and vulnerabilities, all multiplied by a healthy sprinkle of uncertainty. Security organizations are almost universally resource-constrained, with limited people and money to address these issues.

The CISO has to consider and synthesize everything — threat environment, vulnerabilities, evolving technology stack, business priorities, changing regulatory requirements, etc. The next step is to build a risk-based prioritization based on input from business stakeholders and draw a line. The line determines what can be done given resource constraints. If it’s above the line, it gets done. If it’s below the line, it doesn’t get done. If the business doesn’t want to accept the risk associated with below-the-line items, it can increase resources; otherwise, the business is accepting the below-the-line risks.

Another challenge is striking a balance between security and compliance requirements. Sometimes, in heavily regulated industries like financial services and healthcare, we see a strong emphasis on what the regulator mandates versus addressing the enterprise-specific risks. If you don’t maintain a balance between risk and compliance and polarize your program too far towards either extreme, you run the risk of failing.

Q: What do you think the key focus will be for CISOs as they look ahead to the next 24-36 months?

The focus began in the 90s with infrastructure security (servers, firewalls, and networks) and evolved to include application security. As a result, organizations had to acquire a whole new set of developer skills around applications.

Today, most of the regulatory pressure is data-centric — data privacy and protection. I think CISOs will have to develop awareness and skillsets around things like data-oriented technologies and data warehousing.

There’s a lot of complexity that CISOs have to manage in the short term, driven by GDPR, CCPA, and other evolving global privacy regulations. How is data stored, moved, and accessed throughout the organization? How do data access and handling align with privacy regulations?

As I said earlier, the successful approach to data protection will require CISOs to prioritize based on available resources and strike a balance between data security and compliance requirements.