Redefining CyberSecurity

Budgets and Breakthroughs: Navigating Proactive Security and Other Cybersecurity Trends | Exclusive Previews from the Omdia Analyst Summit with Eric Parizo | Las Vegas Black Hat 2023 Event Coverage | Redefining CyberSecurity Podcast With Sean Martin

Episode Summary

In the lead-up to Black Hat Las Vegas 2023, host Sean Martin connects with industry analyst Eric Parizo about the upcoming Omdia Analyst Summit at Black Hat USA, covering topics such as proactive security, budget allocation, and emerging trends in cybersecurity.

Episode Notes

Guest: Eric Parizo, Managing Principal Analyst at Omdia [@OmdiaHQ]

On LinkedIn | https://www.linkedin.com/in/ericparizo/

On Twitter | https://twitter.com/EricParizo
____________________________

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

____________________________

This Episode’s Sponsors

Island.io | https://itspm.ag/island-io-6b5ffd

____________________________

Episode Notes

In this episode of the Redefining CyberSecurity Podcast, as part of our Chats on the Road series to Black Hat USA 2023 in Las Vegas, host Sean Martin and guest Eric Parizo discuss the upcoming Omdia Analyst Summit at Black Hat USA.

Eric, the Managing Principal Analyst for the Omdia Cybersecurity Research Team, shares insights into the summit's agenda and the exciting research they have been working on. The summit covers a range of topics, including economic challenges in cybersecurity, proactive security, SASE, IoT and OT security, data security, managed security services, and AI in cybersecurity.

They also touch on budget allocation and how organizations are shifting their resources and investing in external security capabilities. While security budgets are generally holding steady or increasing, the economic uncertainty may impact the second half of the year. The conversation highlights the importance of demonstrating ROI and value in existing security spend.

The concept of proactive security takes center stage, as Eric explains that it involves finding and addressing threats before they impact an organization.

They discuss the three broad categories of security solutions: preventative, reactive, and proactive. Proactive security is seen as the missing piece in the cybersecurity puzzle, allowing organizations to get ahead of security problems and reduce overall risk. Eric teases the attendees of the summit with the promise of exploring specific proactive solutions and the potential for proactive security platforms that bring together various proactive capabilities.


Throughout the conversation, Sean and Eric provide a sneak peek into the summit's agenda, emphasizing the importance of the topics being discussed and the cutting-edge research being presented. The episode showcases the expertise and knowledge of Eric as a leading analyst in the cybersecurity field and offers valuable insights for security leaders and professionals.


Hosted by Sean Martin, the Redefining CyberSecurity Podcast provides listeners with thought-provoking discussions on cybersecurity topics.

Stay tuned for all of our Black Hat USA 2023 coverage: https://www.itspmagazine.com/bhusa

____

Resources

Omdia Analyst Summit: https://www.blackhat.com/us-23/omdia-analyst-summit.html

For more Black Hat USA 2023 Event information, coverage, and podcast and video episodes, visit: https://www.itspmagazine.com/black-hat-usa-2023-cybersecurity-event-coverage-in-las-vegas

Are you interested in telling your story in connection with our Black Hat coverage? Book a briefing here:
👉 https://itspm.ag/bhusa23tsp

Want to connect your brand to our Black Hat coverage and also tell your company story? Explore the sponsorship bundle here:
👉 https://itspm.ag/bhusa23bndl

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-cybersecurity-podcast

Are you interested in sponsoring an ITSPmagazine Channel?
👉 https://www.itspmagazine.com/podcast-series-sponsorships


Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.

_________________________________________

BHUSA _ Eric Parizo
 

Sean Martin: And hello, everybody. This is Sean Martin. I'm the host of Redefining CyberSecurity on ITSPmagazine. You probably know that already. What you don't know is that I'm doing a Chats on the Road to Black Hat. If you're watching this, you'll see that, uh, that's what we're talking about today. And it's, uh, it's a chance for myself and Marco, when he joins me, to kind of get a glimpse into what's happening at the events and, and other things around, uh, Hacker Summer Camp that week.
 

And. We get to chat with organizers like Steve Wylie and keynote speakers and other presenters and panelists and really cool people. One of whom is Eric Parizo. Eric, how are you?

Eric Parizo: Hey, Sean. How are you?

Sean Martin: I'm great. It's good. Good to have you on the show. And, uh, I'm. I'm thrilled because I get to go through an immense list of, of, uh, sessions and summits and activities and find the things that inspire me that I think others would want to hear about.
 

And, uh, the summit you're running is definitely one of those. I was joking before we got started that I don't often get to go to those because they're, they're, uh, Chatham House rules and they don't allow press in. So when I wear my press badge, I don't, I don't get to go. Um, so I'm going to chat with you beforehand, and you can share what you want and hide what you don't want exposed.
 

So very controlled conversation, but it should be exciting nonetheless. Cause I think you guys are doing some really cool things and that, and that session should be really fun. So before we get into that, though, uh, a few words about who Eric is. What have you been up to, what's, what's your current role in the end, and, uh, tell us a little bit about what you, what you have going on.
 

Eric Parizo: Sure. Thank you again, Sean. Great to be with you. Uh, Eric Parizo, managing principal analyst for the Omdia cybersecurity research team. So I have a little bit of a dual role. I support, uh, our research director, Maxine Holt, in, uh, the management of, of our team and our research strategy. Uh, I get to focus on fun things like developing our amazing staff and identifying opportunities for research innovation. So it's a really cool role. And then in my quote unquote spare time, which is actually a lot of the time, I am also the, uh, the lead analyst for our enterprise cybersecurity operations intelligence service, which is all things SecOps, all things threat detection, investigation, and response, everything related to the SOC.
 

So all the solutions that SOC pros know and love, from SIEM and SOAR and XDR, EDR, all the DRs, vulnerability management, visibility, the list goes on and on. So that's what I do in a nutshell. I've been, I've been here about four years now. I was previously, uh, with another research firm for about four years.
 

And, uh, before that, for a, uh, very long time, I, uh, lived in your world, Sean. I was in, uh, media, uh, over at, uh, TechTarget, managing their SearchSecurity.
 

Sean Martin: I love it. The good old days, I'll say I used to contribute quite a bit to that. And, uh, if I'm not mistaken, that's probably how we know each other from, uh, from way back when. 
 

But, um, I'm thrilled to have you on today, and I'm going to quickly make a point that you said you get to build a team to define how research gets done. And then sometimes you get to do actual research analysis, and you, and you start, you start a list of all these things, and just your, which I'm sure is a summarized list, is pretty long. And part of your job is to create more lists and analyze things, which creates more lists and identify acronyms,
 

Eric Parizo: create acronyms. It's in the job description.  
 

Sean Martin: Exactly. Which is why I think this summit that you're putting on is so important. It's, it revolves around budget. Um, if I'm not mistaken, but kind of give us an overview of, of what, what the summit's all about. Um, because I think there's so much for security leaders to kind of understand and deal with. The topic you're going to cover is super important.
 

Eric Parizo: Yeah. We're really excited about it. It's the third annual Omdia Analyst Summit at Black Hat USA. It's taking place Tuesday, August 8th. Uh, it's an all-day event at Mandalay Bay.
 

Many people still don't know that Omdia is part of the Black Hat and Dark Reading organization. We're all one big happy family. So we're doing more and more of these kinds of crossover events where, you know, we do columns on Dark Reading and appearances like this at Black Hat. Our summit is an all-day event.
 

It's really like our Super Bowl, where we get to show the world all of the great research that we've been working on all year long. Just about our entire research team is going to be there, about a dozen of us now. We just keep growing. Uh, and it's such an exciting agenda. We have a keynote from our research director, Maxine Holt, on the economic challenges organizations are facing from a cybersecurity standpoint amid the current economic uncertainty, and how organizations still may have, you know, budget constraints, but ultimately still have to provide the best security for their organizations that they possibly can. So she's going to talk about that. I'm going to talk about a really interesting emerging trend called, uh, proactive security. It's a whole new category of security solutions that we think is going to be critically important to the industry going forward.
 

And then my colleagues are going to present on a bunch of hot security topics, from SASE to IoT and OT security, data security, managed security services. And of course you can't have a security event these days without talking about AI. So of course we'll be talking about AI and cybersecurity as well.
 

It's a packed agenda. Uh, we're really excited for it next week.  
 

Sean Martin: Uh, it sounds, sounds super fun. And, and when we're talking budgets. I had a conversation a few months back, uh, where we were looking at budgets. And one thing we didn't get to during that chat was kind of where the budgets are coming from. Do you, I don't know, do you, do you see any shifts in how budgets are being allocated? Are they still contained within a cybersecurity group, or is there a crossover into some of the other categories, like we see the merge of developers and operations and security for DevSecOps? And do you see any shifts like that that are changing the way organizations think about their budget and how they fund things, and perhaps even how the teams get, get fleshed out then?
 

Eric Parizo: Well, I'll give you some interesting, uh, data points, and, and these are based on our, uh, brand new 2023, uh, Omdia Cybersecurity Decision Maker Survey. We'll be debuting the results at the Black Hat Omdia Analyst Summit next week, but, uh, just for you, Sean, I can give you a little teaser on some of the things we're talking about.
 

So first we asked our respondents, how do you expect your, your organization's security budget to change in the next 12 months? And based on what we've seen, we see security budgets for the most part holding steady, actually increasing in a lot of cases. 85% of respondents told us they actually expect their security budgets to increase in the next 12 months.

Only 2% said that they were actually expecting a decrease in their budgets. Now that said, in times of economic uncertainty, which we appear to be in now, security always feels the pinch to a degree. And it's the classic areas, as new purchases are delayed or pushed back, and demonstrating ROI and value to the business for existing spend becomes critical.
 

So we're, even though the data says that budgets are holding pretty strong, we're still expecting the, the realities of the growing uncertainty to, to take their toll in the second half of this year. Another interesting data point. We, we started, we're starting to observe what we think is a long-term trend as far as how security spending is starting to shift.
 

We asked our respondents, how does your organization resource certain types of initiatives? And when it comes to mission-critical GRC, threat detection, investigation and response, the majority of respondents said they continue to invest in internal capabilities to manage those areas. So they continue to do them themselves. However, when it comes to things like incident response escalation, you know, really severe threats, um, and new security requirements, the majority of our respondents said they now resource those areas externally, either through consulting or ongoing services contracts.
 

So to me, it highlights how the industry is changing over time. Organizations are going to rely more on external security capabilities. This, we think this is going to be a pretty slow shift that occurs just a little bit over time, over the course of this decade, but it means that more and more security capabilities will be provided as a service.

Hence, managed security services providers will only grow in importance, both to enterprises and as a revenue source for solution vendors, and it also speaks to why managed threat detection and response specifically is so hot right now, which is another topic that my colleagues, Adam Etherington and Jonathan Ong, will be covering for us next week at the, um, the analyst summit.
 

Sean Martin: And it, it brings to mind the other point that you made, and I don't know what you can share here, but certainly a definition I suspect you can share on proactive cybersecurity. When I, when I hear that term, I immediately go to a point that I often or almost always make during, during my show, that if we could actually just define the way we build stuff differently, we can reduce exposure, minimize risk, and perhaps even reduce the effort and workload for the security team.
 

A good example is if there's a system that's constantly vulnerable because of lack of patches that need to be updated all the time, and your team is spending hours and hours updating that. Perhaps there's a way to change that system out to be something different, so you're not wasting patching time. So I don't know if that fits into the definition of proactive security or if it's more of that traditional detection, protection.
 

Eric Parizo: Yes and no. That's a very specific take on a specific capability that falls within proactive, but we think proactive is, is, is pretty broad, and, and, and let me explain it. So we define proactive security as the ability to find and address threats and threat conditions before they affect the organization. So before an adversary is taking them and, you know, using them to either try to get in, or gets in and wreaks havoc within your organization.

So, but we break down security solutions into three broad categories. So there's preventative, and those are the types of things that have existed forever: the firewalls, intrusion prevention, malware sandboxing, web gateways, the things that sit on the perimeter, in most cases, of your organization and prevent known, expected threats from entering your organization.
 

You need those capabilities, but they don't stop everything, right? Then there's reactive security. That's the second major category, where that's essentially everything TDIR, everything SecOps. It's the solutions you use to find, investigate, and fix threats that are already inside your organization. You need those capabilities too, but when you think about preventative and reactive, it means security pros, organizations, enterprises, they're always on their heels.
 

They have to wait for a bad thing to happen for those solutions to really do any good. We believe proactive, this emerging area, is really the third area and what, what's kind of the missing piece to these, to the puzzle of cybersecurity solutions, by having this class of capabilities that allows you to get ahead of security problems before an adversary is knocking on your door or banging down the door. That's going to enable your organization to prevent so many problems later in the attack lifecycle, not to mention reduce the overall risk that your organization is facing. So we're going to look at that in some detail, talk about some of the specific types of proactive solutions we see out there, and why this is the precursor to a whole new type of, of solution category that we see called proactive security platforms, that's going to bring together a lot of different but related proactive capabilities into one solution set.
 

Sean Martin: And I, I think in pictures, diagrams, oftentimes. And this could either be linear or cyclical or a Venn diagram, which would you, or something else completely? How would you...

Eric Parizo: That's, uh, that's the exciting tease we're going to leave for our attendees at the Omdia Analyst Summit next week. Cause we definitely have, uh, most, if not all, of the above.
 

Sean Martin: Love it. So looking at budgeting, my, my experience with budgets in the enterprise, uh, is you often start with, what did you do last year? So that's kind of like the baseline, and you say, we want to kind of keep things the same. We might want to adjust slightly. Um, what's your view on that in terms of cybersecurity? Is that, is that typically how budgets are formed? And if that's the case, how do you see the mindset needing to shift for something like a proactive security set of capabilities about to hit the space?
 

Eric Parizo: You're absolutely spot on, Sean. And it's, it's one of the things that we do talk about in our, in our session on proactive at the Omdia Analyst Summit next week, because proactive sounds great.

It seems like the, where the industry is going, but if you're a CISO and you hear that, it's like, okay, great. But now I have to go back to my board or my CEO or whoever controls my budget and say, I need a whole new class of security solutions in addition to everything you're already paying for. And when security is often, you know, a non-starter, because it's generally not a revenue-producing element of most organizations, going in and asking for more budget is a real challenge, right? So one of the things that we recommend that organizations do is go back to their organization, start really thinking about what their cybersecurity architecture looks like and see how many capabilities they really have that are proactive versus preventative versus reactive today, and start that long-term process. Cause you know, Rome wasn't built in a day. You know, organizations aren't going to be able to massively shift their cybersecurity budgets from one year to the next, because you do have a lot of set costs, right?
 

You have your staff, which is, you know, the, usually the biggest chunk of it. You have existing solutions that you've already invested in, often on multi-year contracts. You know, you often have services agreements, uh, whether it's, you know, consulting or just, you know, product updates, threat intelligence and the like. So there's a lot of baked-in cost in most year-to-year, uh, secure cybersecurity budgets that kind of, you know, move, just roll over from one year to the next. So we're advocating just starting to start the process of thinking about it from a, uh, budget allocations perspective and see how, in the next few years, you can start working to, to allocate more budget toward proactive, because ultimately we strongly believe that's where organizations are going to want to start moving significant amounts of, of spending. Just because, would you rather have solutions that, you know, stop threats at your door, you know, help you find the threats that are inside, or preventing the threats from getting to you in the first place?

So we're thinking that, we're thinking that's an equation that's going to start shifting.
 

Sean Martin: And, and speaking of equations, the output is, you do some math and you get a result, um, which hopefully is meaningful and can be measured, and, and the collection of those outputs can tell the story. Um, do you see a change needed in, in the way we look at budgeting to tell the story to our leadership team and to the, to the board? Does, again, proactive and some of your finance and the research you did say something needs to change on that front as well? How do we measure? How do we know we're spending the right?
 

Eric Parizo: It's sort of, to me, it's a little bit, Sean, of a chicken or the egg problem, right? It's like, where, where does the cycle start? 
 

Do you look at your budget and say, you know, I really don't like how this stacks up. I want to change some of these allocations. Or do you say, gosh, I really am not getting the performance I need. I'm not stopping the threats that are really impactful to my organization, or I'm not getting to them as quickly and as efficiently as I need to, um.

I feel like it's sometimes it's a little bit of both, but usually it's more about, you know, the problem, the problems that change or emerge that lead to changes in how the financial picture is allocated from a budget standpoint. So, are, you know, are, do changes need to be made? Sure. I think the, the, the day-to-day, week-to-week, year-to-year reality for most CISOs is that, you know, they're, they're under constant pressure from all sides.

And I think the need to just, you know, to find a way to kind of usually scrape a couple of nickels together to figure out how to pay for all the things that the budget doesn't afford anyway is sort of the, the, the biggest problem, with, you know, the, the long-term implications often kind of being secondary.

Now, is that, is that an ideal picture? Should most organizations be a bit more proactive and think about how their security budgets look three to five years from now? Absolutely. It would be to their great benefit to do so, because it'll make it easier to get ahead of these kinds of big changes that we see, like proactive security.

But I think the reality is it's much, much harder to do that, um, than it, than it seems. Yeah.
 

Sean Martin: And this is where I wish I could be in the room. Cause I, I can only imagine the conversations of all the levers, right? Cause it's not, I'm going to staff, I want to buy tech, I'm going to run the program. It's, it's all those levers I'd have to, have to communicate. And, and to your point that you just made, something changed. I'm under new pressure for something, and everything that I've defined at the beginning of the year for the budget, I'm not prepared for what just happened.
 

Eric Parizo: We haven't even spent a lot of time talking about compliance, and security still, to a large degree, is a compliance game, right? That's where a lot of this budget comes from. It's enabling the ability for the organization to meet compliance regulations. So that is still, you know, top of the board for a lot of organizations, and ultimately dictates where that budget goes.
 

Sean Martin: Yeah. And, uh. Um, so I'm, I'm afraid we'll, we'll start to get too deep into what...

Eric Parizo: I am an analyst. You can never get too deep, Sean.

Sean Martin: No, no. For trying to give, give things away for the session. But, um, I think what I'll leave you with, and you can answer with yes or no, or as deep as you want on this, but you mentioned it, so I'm going to, I'm going to also say we can't have this conversation without talking about it at some level: AI.
 

So, so clearly AI has a role to play in the threat landscape, has a role to play in, in the security technologies, uh, presumably in the operations. My question is, what about, I'm sorry, the technology, my, my question is then, what about the operations and the team? And then ultimately the, the budget. Can AI help us with some of those questions? Um, where should we be spending our money?
 

Eric Parizo: It's a really interesting topic, Sean. AI and cybersecurity, and particularly generative AI, to me is the number one trend, um, across the entire, uh, cybersecurity landscape in 2023. I think the arrival of ChatGPT late last year kind of caught everyone off guard, because it was the first time people realized, hey, wait a minute, suddenly these AI capabilities can be operationalized in really interesting ways that nobody had really prepared for. And suddenly there were some implications that nobody was really ready to deal with. So, um, it's been really interesting in 2023 kind of seeing, um, all that come together. So now, that said, there are, you know, there's, there are things AI is good at and things that AI is still clearly not good at, right?

It's good at searches. It's good at, uh, especially complex searches where, you know, you being able to use human language to run a complicated query and get really meaningful, uh, results. It's good at correlating, finding the pieces of data within certain parameters, um, and analysis and presentation, helping you find the needle in the haystack, maybe in a way you didn't even know was there. But it's still not so good at things like automation and creativity, and definitely not at replacing how a human thinks or the value that a flesh-and-blood human provides.
 

So it's still early days, but we think a lot of organizations of all types should be, um, thinking now, getting prepared for the coming implications of, of AI and cybersecurity. My colleagues, Curt Franklin and Ketaki Borade, will cover that at the Omdia Analyst Summit at Black Hat next week. For now, I think we're only starting to see the, how AI is going to impact the cybersecurity industry.

I'm more, in the short term, frankly, I'm more concerned about it from an adversarial standpoint. I'm really worried about what attackers will be able to do when suddenly they have, you know, the AI at their disposal to determine all the different possible avenues of attack and ways of attack relating to a new vulnerability they may have discovered.

So I think it's, it's, there's going to be a lot of chaos in that regard, uh, in the short term. In the long term, I do see AI providing a lot of value, but I think it will primarily be in the context of most of the existing cybersecurity, uh, solutions we see today. So for instance, again, I cover SecOps primarily.
 

So I think you'll see AI have a pretty significant impact in solutions that help enterprises manage the TDIR lifecycle, threat detection, investigation, and response, being able to more use AI to kind of conduct an investigation or orchestrate that, uh, initial part of the response where, you know, a certain type of threat comes in and the AI can automatically tell you, oh, this puts these certain types of endpoints at risk. Let's put these mitigations in place to ensure that this threat doesn't, um, become a problem until you can fully mitigate it. Things like that will increasingly be common within the context of, of security solutions. Are we eventually going to see kind of the massive, you know, uh, AI platform that does everything for you? Maybe someday, but I don't think it's on the horizon anytime soon.
 

Sean Martin: Yeah. And the, the, the possibilities are limitless, it seems. As you, as you're talking about some scenarios, I was thinking of two or three more. Not that I wasn't listening, but two or three more that could easily surface as really cool capabilities to help, help those teams. You covered one that I thought was really cool: depending on what you're seeing, what controls, or compensating controls or mitigations, can you put in place to, again, prevent it from happening the next time?
 

Eric Parizo: Yeah, I mentioned that just because it's a pain point for many organizations still, right? You can detect threats, you can investigate them, but then figuring out, okay, what do I do? How do I actually stop this threat and fix it from being an impact to my organization? That's still where a lot of organizations fall down. So it's certainly the kind of thing that AI can really help with.
 

Sean Martin: The other one that comes to mind is, that, back to the budgeting, given this set of parameters and levers that I've pulled, what story do I need to tell my team, my executive team, for what it is and why I need it. So sometimes, it's a great point too.
 

Eric Parizo: We're going to see it, they have an impact there as well, in terms of being able to produce, you're using the same data to have AI automatically produce a report that helps your SecOps team understand the threat, but also help your CEO understand what the impact is to the business. Yep. That's going to be powerful too.
 

Sean Martin: Yep. Lots of stuff to think about. And, uh, I get to talk about it, which is cool. You have to do all the crunching, which I think is cool too, but at a different level.  
 

Eric Parizo: Um, let me talk about it a little bit too. I got the Omdia Analyst Summit at Black Hat next week.

Sean Martin: That's right. That's right. Remind us when that is, Eric.
 

Eric Parizo: It's next week as part of Black Hat USA. It's taking place on summit day at Black Hat, so that's Tuesday, August 8th at Mandalay Bay.
 

Sean Martin: Nice one. Well, I appreciate you, uh, being on the show and giving us some insights and teasing us with a few nuggets. Um, yeah, I, I'll say it again, that's, it's where the conversations are going to be held, where a lot of this stuff is going to make its mark in the budget and in the program.

So, uh, thank you. Great to, great to have you on, Eric. Hope everybody enjoys the, enjoys the summit, enjoys the conference. And of course we'll link to the summit. I don't know what the registration status is, but at least they can learn about it and connect with you. And for those listening, we still have tons to, uh, tons to go here with our coverage of Black Hat USA 2023.
 

So stay tuned and, uh, subscribe, share and, uh, and have fun. Hopefully everybody's enjoying the coverage. Thanks again, Eric.  
 

Eric Parizo: Thanks, Sean. Take care.