Risk-adaptive security isn’t fancy jargon, says Forcepoint’s Praveen Asthana

Companies continue to invest in the latest security technologies to stay safe, but the breaches never cease across the globe. Many CISOs and CIOs have sleepless nights over the fear of their companies being hacked. We spoke extensively to Praveen Asthana, CMO, Forcepoint  on why there is no silver bullet to beat bad guys and how can CISOs have a fool-proof IT infrastructure. Here are edited excerpts.

You lead all aspects of global marketing for Forcepoint’s business around Cloud Security, Network Security, Data & Insider Threat Security, and Global Governments. Isn’t it difficult to market security solutions amidst a world of incessant cyber-attacks?

I joined Forcepoint two quarters ago (from Oracle) as I saw a great opportunity with this security company. Forecepoint is the right size company – not too big, not too small – with outstanding technology and a diverse approach. The magnificence of cybersecurity is the fact that you are battling with someone else (bad guys) at all times to secure the companies. At a hardware-centric company it is more about manufacturing products that are more efficient. 

From a marketing perspective it is challenging because there are so many cybersecurity companies out there and we have to rise up against the loud noise. It’s like the security companies are jostling towards the potential CISOs and CIOs to tell their story. Forcepoint has a different and effective approach which, I believe backed by right marketing plan, accentuates our value prop for the companies. It’s not about having a better mousetrap with one more feature in DLP or another shiny stuff on the next gen firewall.

Does the messaging revolve around innovative solutions or stroking CISOs’ worry of breach? How do you maintain the equilibrium of tech versus fear-factor? 

There is no point for us to remind the fears to well-informed CISOs about their role and the threat landscape. The key problem for them has been too many investments in too many security technologies; but the big breaches still happen. 

Stopping breaches like a centuries-old philosophy of building a wall to stop the army intruding into your city is just not very effective. We have ‘Game of Thrones’ approach to security. Building the most impermeable wall and expecting bad guys to not get through does not work. The problem becomes more exasperating because there is no private network anymore— with different clouds, application providers, SaaS providers as new vectors.

The key message for CISOs is that building a protective network will not work. They should assume that the threat is already inside their network to maneuver the next step. Some kind of protective network isn’t enough as you don’t own the network in a complicated world. There are only two constants they should focus on– people and data – and think how to protect them. And that’s our key messaging to the companies and their CISOs.

But people and data can turn rogue anytime. How does Forcepoint with an extensive portfolio from firewall to endpoint to DLP ensure an effective messaging to the companies? 

We have been working for the last couple of years to integrate our products, and converging them as a holistic story. We have created a human point system which is no longer about the individual products. But companies can buy individual products and they need not buy all products. They can buy any product from us, and as they buy more products those integrate into the system. If you buy multiple products from us, it opens more avenues for performance and more channels to gather information. Many customers have invested in many different vendor products, and the fact that our products are interoperable has been our key design tenet.

In Datacenter space, the server-storage-network boxes went from separate boxes to converged boxes to hyper converged boxes. We see that trend in the security market where convergence platforms will evolve for companies buying point products and we are driving that trend with one of the broadest portfolio in cyber security.

What about marketing jargons like next-gen firewall, UEBA to name a few? Do they influence CISOs and their buying decisions?

CISO’s primary goal is to have an outcome on effective protection regardless of the jargons. But they get attracted to new concepts with a jargon spin, because they have tried so many things in security space which most of the times does not work. Maybe a new technology will work for them which is like trying a new medicine. I don’t think jargons work beyond a point. I am a fan of using simple English as in what you are trying to do and what is the way we can address it. We talk to the customers about – people and data –and how do you protect them.

We have a good analytics story powered with the recent acquisition of UEBA company RedOwl. The behavioral analytics is not enough by itself as it needs lot of data for the technology to work properly and deliver great results. In today’s dynamic environment, that is often not the case. Analytics is important but the backward looking data is not much beneficial for companies. We believe in real-time adaptive protection wherein analytics is one aspect but the second aspect is cyber behavior in real-time. We put a risk score for a customer environment.

The security infra for companies is becoming super complex and often gives sleepless nights to CISOs and CIOs. Will they get some peace in 2018 ?

Amidst hordes of digital events, the two broad sets are easy to classify as bad (like signature as a malware) or good event. The tricky ones in the middle zone are extremely hard to classify as either. Based on the available technologies, CISOs take a call to assume all as bad events with no access to data that leads to too many alerts or open up the access gates which looks like a good event. This is because there is no context to the event. It’s like watching one frame of movie and predicting the full storyline. Forcepoint provides context as our technologies monitor the rhythm of people and flow of data by determining the context of an alert through this notion of risk-adaptive security. 

CISO’s job is protecting the important data of company, employee, customer, and business partners; but the data is all over mobile devices and cloud. And to complicate things it can be accessed from anywhere. The second problem is that they have bought too many point solutions and there is no definitive policy around them. There is too much noise due to too many alerts. And the fourth problem is that when they realize the breach has happened, many times the data has already been stolen. Forcepoint addresses the four problems by delivering real-time risk-adaptive security. Forecepoint’ s human point system’s goal is delivering risk-adaptive security that gives the right context to the alerts and make CISO life simpler and more effective security posture.

The lines between CISO and CIO are more blurred as teams of IT and IT security are tightly coupled. Do you see more executives designated as CISO or CSO?

CISO or specific security officer role is becoming more important. CISO often report to CIO and sometimes they are peers, hence their lines of definite roles converge too in a connected infra of devices and users. Cybersecurity is becoming a board level issue especially for many public companies. The board’s role is managing risk; be it financial or cybersecurity, one of the biggest risks today. Hence they are appointing focused leaders for cyber security.

Our messaging this year and coming year is that security should not be viewed as tax. Many companies feel about security as a technology to spend money; but security is a real enabler to business. Our solutions can help the employees to be mobile and adopt latest cloud technologies so that they are freed to be productive on other aspects of IT and business. Barriers and checks can be installed through DLP product as a legitimate policy; but the access to data or apps can be blocked if deemed risky. Risk-adaptive security is important: if it is low risk, the access is given; and if it’s high risk for users, access is blocked. This makes the spectrum black or white, thus reducing the possible frustration of employees having blocked policies. When employee get frustrated they often find a way to damage the company’s reputation.

Employees of companies inadvertently click on a malicious link or phishing email. Does the cybersecurity awareness levels vary with LOB / BU users than C-suite executives?

Forcepoint is at the forefront to raise cybersecurity as a first class issue amongst multiple levels in the company. People have been trained to not leave their laptop unattended and physical theft is understood by most employees. Cyber theft will take more time as an average employee doesn’t think of cyber security as first class issue. A key part of our campaign is helping CISOs by giving them relevant tools to be successful. I also feel that many companies have not adapted a dedicated marketing messaging approach about security to their employees. More CMOs should have security awareness as an important component in their tool kit.

The major source of malware is impersonation. Hence cybersecurity training program is not to monitor you but protect you from impersonation techniques. As per Verizon report, more than 81% of the malware breaches were from stolen credentials. Cyber monitoring of company employees is not that C-suite execs don’t trust you; but it is to make you aware against the outside people who will steal your ID.

IoT is now moving out from over hype to hype cycle; but it poses enough security challenges. What other major trends do you see in 2018?

AI and ML are big trends. But the real issues hinges around monitoring, analyzing and securing the tons of data in real time. Privacy is another big trend in cybersecurity world. It is imperative for individual users to keep their info private because other companies have information about you which can get stolen. The notions of privacy and safeguarding the data is becoming super vital. And finally the increasing concept of borderless world with cloud computing, IoT and new technologies. IoT is more like DoT – Disruptor of Things and it does pose a new set of challenges for companies.