SINET ITSEF 2016
N2K logoApr 19, 2016

SINET ITSEF 2016

Finding ground truth in the security ecosystem.

The tenth annual IT Security Entrepreneurs Forum (ITSEF) opened in Mountain View, California, on Tuesday, April 19, 2016. Organized by the Security Innovation Network (SINET), with the support of the Department of Homeland Security’s Science and Technology Directorate and a number of industry sponsors, ITSEF intends to bring security entrepreneurs together with potential customers and investors in an ecosystem of innovation capable of addressing the challenge presented by sophisticated cyber attacks. The meetings this week are particularly meant to “connect the ecosystem of the entrepreneur in Silicon Valley.”

Rick Geritz, founder and CEO of LifeJourney, opened the conference with welcoming remarks that drew attention to the way in which ITSEF’s history has paralleled the emergence of the Chief Information Security Officer’s role in government and industry.

He was followed on the podium by Robert Rodriguez, SINET CEO, who shared his personal journey from a Secret Service career to the private sector and SINET. He was introduced in the early 2000s to the concept of public-private partnership—for him, this represented a new and novel world. The US Secret Service was then engaged in building an IT-security community of interest. As he worked on this program he found himself falling in love with the entrepreneurial spirit, and in particular with the way the private sector represented a reality principle.

After retiring from the Secret Service, Rodriguez was able to continue building connections between Silicon Valley and the Government through SINET, built with the support of the Department of Homeland Security’s Science and Technology Directorate. He closed by speaking to the importance of building relationships of trust before they’re urgently needed, and by noting that, while there’s no single dominant player in the cyber security sector, “we’re also not seeing disruption.” With that he introduced the conference’s first general session.

How to use the military Observe, Orient, Decide, and Act approach to operationalize cyber risk management.

The OODA loop—“observe, orient, decide, and act”—the decision cycle model developed by US Air Force air combat theorist John Boyd, has, this panel maintained, implications for how enterprises should operationalize cyber risk management. Moderated by RiskSense CEO Dr. Srinivas Mukkamala, the panel consisted of Mark Bregman (NetApp CEO), Captain Brandon Johns (US Cyber Command, Silicon Valley Points of Partnership Team), and Dave Mahon (Vice President and Chief Security Officer, CenturyLink).

Mukkamala opened the panel by asserting that the problem we face in cyber security is fundamentally one of maintaining situational awareness. “We need the right data,” he said, and suggested that we might learn lessons from other disciplines and other sectors, perhaps, for example, from biology and manufacturing.

Organizational silos, Bregman argued, can lead enterprises into the error of treating all data as having equal value. Since the central challenge of cyber risk management is protecting access to data, meeting that challenge requires an ability to assess the value of those data. “So we need to focus on attacks on data that are valuable. Yet no one tracks value consistently.” This failure to focus on what’s valuable creates a gap in the decision cycle between Observe and Orient. “We need to think about what's happening to the thing being defended. We need to manage data protection.”

“It’s easy to think,” Mahon said, “that, if you buy enough things, and make enough rules, you'll adequately defend yourself against an adversary. So we’ve created a generation of people who think about technical solutions, but not about the adversary.” CenturyLink follows a threat-centric approach to security. It follows a recognizably familiar classification of threat actors, from nation-states down to individual nuisance hackers. “In a threat-focused program, you want to study the adversaries.” Mahon noted that a company’s accurate self-understanding helps it understand why an adversary would come after it, and that this requires an ability to think like the adversary. “When you're developing a threat-focused program, you need people on your team who are other-than-technical.” Those other experts know the adversary, and know the adversary's culture and goals. “The adversaries study their targets. They know where the weaknesses are, and they work against those weaknesses.” Mahon advised thinking about your defense in terms of your strategic plan. CenturyLink’s approach is to embed their security engineers in the CTO organization, so they’re at the table when the technical roadmap is developed.

Captain Johns took the last word, quickly reviewing US Cyber Command’s mission (protect Department of Defense networks, provide capabilities to combatant commands, and conducting cyber operations is wartime. But he concluded with an interesting observation about OODA loops. Boyd’s theories of air combat were most fully realized in the F-16, which remains an extremely capably dogfighter. Yet it hasn’t been the US Air Force’s principal air superiority fighter. That role has gone to the F-15, an aircraft much less capable of getting and staying inside an adversary’s OODA loop than the F-16. The reason for this is a sound one—the F-15 is a platform that’s very capable of engaging an adversary at a distance. It doesn’t need to be a dogfighter. So, while Johns is unsure of how a company might actually get inside a hacking threat actor’s OODA loop, he’s equally unsure that it needs to. Perhaps you don’t need a dogfighter to win in cyberspace.

Adversarial modeling to develop effective defenses.

Philip Reitinger, President and CEO, Global Cyber Alliance, filled in for the scheduled moderator, Invincea’s CEO Anup Ghosh. The panelists represented different industries—healthcare transaction processing, business services, and cyber security solutions—but all made use of adversarial modeling in developing cyber defenses. The panelists included Paul Calatayud (CISO, SureScripts), Taher Elgamal (CTO, Salesforce), and Rick Howard (CISO, Palo Alto Networks).

Calatayud took the first word. SureScripts processes healthcare transactions, which inevitably involve significant issues of personal identity. They think it important to understand the adversary's economy and thus the adversary’s motive. “You can reset a credit card number, but not your identity. Perpetual identity is at risk in healthcare.”

Salesforce, Elgamal explained, is basically an extension of the operations of every possible business. Data those businesses hold have value; hence we need security. “Breaches are basically a failure of compliance.” When we try to understand how secure we are, we model our business in terms of kill chains. Adversaries has all sorts of motives, but their goals all come down to acquiring information. To do that, cyber adversaries “take advantage of all the unintended things computers can do.” So the kill chain enables you to do adversary threat modeling against your own system.

The kill-chain model describes what an adversary has to do to succeed in its mission, Howard said, and drew an essentially optimistic lesson from this: “The bad guys have to succeed at every point in the kill chain. The good guys don't, and so the good guys actually have an advantage.” That said, disrupting the kill chain remains difficult to do. This is why you now see vendors collapsing point products into single platforms. “Let’s reduce the problem set. How many playbooks does the adversary have to have?” There’s no obvious number, but it’s finite and manageable—perhaps around five thousand. So Palo Alto tries to collect and characterize all the playbooks, and use that modeling to put effective prevention techniques in place.

Calatayud wanted to draw attention to the value of stolen data—that appears to be about $200 per medical record on the black market, with the average credit card in contrast bringing about $1. So it’s clear what the adversary is after in attacks on healthcare systems, and here there’s an important cultural element: in healthcare, they focus on providing health, not preventing data loss. You must be able to know the threat to deploy defenses. But measuring the value of any security investment remains tough. Calatayud argued that we measure our ability to defend by taking controls, then mapping them against threats and the organization’s ability to use technology. Ability to use technology can be the missing piece. “There are many cases where organizations had controls, warnings, but were unable to act.”

“How do you defend against something you can't measure?” Elgamal asked. “We need intelligence, about adversaries, about partners, and about customers. It's not a twelve-step sequence.” For all the talk about Big Data, we need human intelligence to organize defenses.

Howard thought that our greatest weakness is our inability to measure risk. We have to get beyond characterizing risk as either high, medium, or low. “Cyber's not a risk; it's a vector. We should ask how you measure the material impact of an incident to a company.” He thinks that time-to-detect and time-to-mitigate are “absolutely measurable, and should serve as important standards.

Quantifying cyber risk: a manual for holistic enterprise risk and senior security professionals.

Ability to quantify cyber risk is, by consensus, essential to managing it, perhaps even more central to meeting the challenge of communicating risk to boards and C-suites. The panel on quantifying cyber risk was moderated by IKANOW’s co-founder and CTO, Chris Morgan. The panelists included Renee Guttmann-Stark (CISO, Royal Caribbean Cruise), Brian Johnson (CISO, Lending Club), Nathan Lesser (Deputy Director, National Cybersecurity Center of Excellence, National Institute of Standards and Technology), and Valmiki Mukherjee (Chairman and Founder, Cyber Future Foundation and Constituents).

Morgan opened by noting the difficulty of understanding and quantifying business cyber risk, and expressed his hope of eliciting some insights into this challenge from the panel. He invited them to characterize their approach to the challenge. Lesser’s organization, the NCCoE, works on technical challenges that can be addressed through standards and practices. He noted that, while there were many good tools, there were no panaceas. Johnson’s organization works on large data sets, drawing actionable intelligence from them. Guttmann, recalling time spent at NIST, was gratified to see the way in which cyber security now generally matters to most organizations. Mukherjee recounted some of his own career turnings, and lamented that we generally regard cyber in negative terms. How, he asked, can we move it toward something positive.

Morgan posed a second question to the panel. Noting a general lack of understanding of asset bases he asked how one might ferret out the true business value of one’s assets. Guttmann referred to the National Association of Corporate Directors and its Cyber-Risk Oversight Handbook. These guidelines represent a good starting point. But it’s important to consider how, if adversaries were after an organization’s crown jewels, they would come to get them. “People want exhaustive asset inventories. But you could be asked this question tomorrow,” and would have to answer it. Thus, she argued, we need a collective understanding of critical business assets. She sees reporting exceptions to policy as vital to developing an understanding of cyber risk. “Exceptions to policy are the canaries in the mine.”

Johnson advised looking at assets from the perspective of both internal and external threats. Understanding the outliers can help you avoid disasters. Achieving this kind of understanding is difficult, and solutions are tough to scale—you need people who can think like hackers. “It's more of a mindset, the ability to get into the attacker's mindset. It's not so much a lack of engineering talent, but a lack of talent that can think like a hacker.”

Lesser made a plea for better standards. “We don't have good actuarial tables for operating against a sentient adversary, but if you can appeal to standards and practices, you can point to something that represents community consensus. Attaching yourself to a consensus like the NIST Framework helps considerably.” Guttmann compared frameworks to table stakes. “But you also have to think about answering ‘so what’ and ‘so why.’” She wants to get us back to a value proposition. A framework is part of this, but more than a framework is needed.

“The cliché,” Lesser added, “that there are two kinds of company—those who’ve been hacked and those who don’t know they’ve been hacked—simply makes those not working in cyber security throw up their hands. They feel they might as well do nothing.”

The panel concluded with reflections on communication. Mukherjee noted that the issues of cyber risk management have both operational and articulation aspects. We lack a generally accepted taxonomy for organizing discussions of risk. “You need to train people in a business language, Guttmann said. “Your executives respect you more if you're more precise, and if you don't simply put the word ‘breach’ in front of everything.” And Lesser offered his opinion that we’re not seeing an improvement in the way technologists communicate with boards.

After the session was over, we spoke with moderator Chris Morgan, of IKANOW. We noted that much of the day’s discussion, during his panel and in other sessions, concentrated on the challenge of achieving enterprise self-awareness—awareness of the friendly situation. He noted that information security analysis should be able to develop an understanding of assets and their value from a business perspective. CISOs may lack a holistic business understanding of risk. And CISOs tend to come from an IT background, and they tend to lack the vocabulary they need to communicate risk.

There are tools, Morgan said, that can help us understand what’s on a network, but there are usually huge holes in our knowledge of any network. Then, once one closes those holes, there remain the challenges of understanding any asset’s criticality, and of measuring risks to those assets. His company, IKANOW, works to understand network topology, and then derives the value of assets on that network. You need to be flexible in modeling, especially in modeling against standards. He’s worked, for example with organizations that maintain a change management database in Excel, and with others that use far more sophisticated tools. The important thing, however, is to have and make effective use of a change management database.

We asked about the articulation challenges his panel discussed. Morgan thought there was, first, an issue of tactical understanding—are you simply, as a security or risk manager, generating more alerts, or are you developing actionable alerts? Then you need to be able to put business dollars against vulnerabilities. There is, for example, an inverse relation between cost to patch and risk to the organization.

Panelists throughout the day have averted to the general lack of actuarial data for cyber risk. We asked about this common risk managers’ complaint—absence of actuarial data make reliable assessment of cyber risk extraordinarily difficult. Morgan advocated “reverse engineering the dirty laundry,” and doing careful historical forensics. He’s not aware of any community-wide efforts in this regard. IKANOW would recommend looking at scan data, then threat intelligence, and correlating these with assets. They would add logs as the last piece in this process.

Finally, we asked him if there was anything he’d like to share with CyberWire readers about IKANOW, and there was—he made particular mention of the company’s release on April 19 of its Information Security Analytics (ISA) 1.5. This includes new features designed to provide contextualized search capabilities that place incidents in context. The release aims to reduce the time needed to investigate an identified incident and confirm an intrusion. A link to IKANOW’s release is included below.

How to filter noise and see signals in the security industry.

The last panel we attended dealt with filtering noise from signal. This was not, however, a discussion of filtering through spurious alerts and false alarms to recognize real attacks. Rather, it dealt with getting to ground truth about security offerings, with particular advice to entrepreneurs on how to reach potential customers who notoriously suffer from vendor fatigue. The moderator was Fast Orientation’s CEO Sam Small. The panelists included Brad Arkin (CISO, Adobe), Shardul Shah (Partner, Index Ventures), Joe Voje (CISO, City of San Francisco), and Mike Wilson (CISO, McKeeson).

Arkin began with a description of the tracks Adobe looks at when it considers security (while not a security company, Adobe is concerned with the security of the products it sells). They look at the tools engineers use, the products they sell, the broader IT environment, monitoring and incident response, and finally the overarching concerns of marketing. “Within each track we figure out how to deploy scarce resources to address challenges.” He finds in general that third-party security offerings tend to be too expensive. They also tend not to work as advertised: however successful they may be in the laboratory, deploying them in a real environment is typically a very different story.

San Francisco CISO Voje thought his central challenge was to get reliable numbers that would be relevant to the decisions about security the enterprise needs to make. “We're less mature than others,” he said, as surprising as that might be for a Bay Area city, “and our focus is on collecting data. We're reluctant to bring in new tools.”

Wilson discussed the planning cycle, but noted, significantly, that “a portfolio company is always buying—its units have a certain amount of capital to spend. If something fits a need, there's generally funding for it somewhere.” Shah, speaking from an venture capital perspective, agreed: “We don't look for exhibition of clear budget before investment; we follow a macro thesis.” He hold that the integration challenge a new vendor presents a customer is crucial to the vendor’s success. The easier the integration, the more attractive the product. If you can deliver ease-of-use, the budgets tend to follow.

Arkin agreed that ease-of-use was essential, and he reemphasized how different performance in a lab can be from performance in practice. And speed of integration is vital. “An eighteen-month log ingestion process isn't feasible. A 5-minute demo is.”

How effective, Small asked, are environments at big conferences, like RSA? Voje believed he’d learned valuable things at events like RSA, finding things that may fill a need. You should budget your time at conferences, find a few interesting solutions, listen to the vendors, and then find a network of people struggling in the same areas you are. Wilson finds such events useful. “It's good to be part of the club,” and you can also gain insight into trends and themes. “I use such events as education opportunities.”

Arkin also sees conferences as educational opportunities: “I always do a spin around the expo floor. I might listen to some pitches.” He wants to expand the number of touch points they have, and to return with accurate information.

The key insight Shah wished to communicate to entrepreneurs is the importance of knowing how to innovate from a go-to-market standpoint, “so you're not lost in the noise.”

Wilson advised start-ups that it’s not always about selling. Often it’s more valuable to discuss an idea, to learn something from the prospective customer. Building a prototype and eliciting feedback is a reasonable approach for an entrepreneur. Small concurred: it’s very good to get early ground truth about your product. You should avoid the trap of building a bespoke product for a single customer.

Contacts with customers should always aim at developing and maintaining trust. Voje said that developing trust early helps you become a vendor of choice. “I want you guys because I know you'll deliver and do it well.” Trust, Shah emphasized, was hard to earn and easy to lose (and if you’re in danger of losing it, he noted the efficacy of “dramatic, heartfelt, overreaction” in apologizing and redressing the damage).

Consensus advice to entrepreneurs: the warm introduction is very important, and cold calls are a waste of everyone’s time. (The panelists were particularly united in their dislike of cold calls, particularly calls and emails exhibiting an unpleasant passive aggression.) Customer advisory boards can be valuable (provided they don’t become a time-sink, in which case coaching can be a useful stand-in for such boards). Arkin noted (to general agreement) that there are a lot of veiled bribes out there, and that these are always deal-killers. Early stage companies must show the customer matters. Founders, not low-level sales staff, should have those early conversations. Finally, the panel advised entrepreneurs to do their homework about potential customers, concentrate on those with needs you can fill and connections you share.

Today’s Forum will continue the first day’s exploration of the cyber security innovation ecosystem.

Government support for cybersecurity innovation.

ITSEF’s second day opened with welcoming remarks and an overview of the US Department of Homeland Security’s cyber security science and technology program.

US Department of Homeland Security cybersecurity R&D goals.

Dr. Douglas Maughan, Director of the Cyber Security Division of the DHS Science and Technology Directorate, welcomed the day’s speakers and took the occasion to outline DHS cyber security research goals.

DHS S&T, he explained, is not a basic research organization. It's instead very interested in applied R&D and rapid transition. Maughan offered several examples of this approach. The Directorate’s Transition-to-Practice Program, for example, has accomplished six successful transitions of research to market, with one more transition coming. The Directorate’s partnership with the Treasury Department—a program built around the NIST Framework—has been designed to develop technologies to reduce financial sector risk, speeding transition of technology into the finance sector. The partnership has also produced a sound enterprise tech mapping matrix. (And, Maughan noted, anyone interested in learning more about this particular effort should contact CyberApex@hq.dhs.gov.)

Another recently established initiative is the DHS Silicon Valley outreach program, under which the Directorate has established an office in Silicon Valley. They’re working to explain the DHS mission to industry, and they’re working to put the entrepreneur in touch with actual operators (and help those entrepreneurs find their first customer). The Directorate isn't, he explained, a venture capital organization. It tries to fit in at the front end of the process, finding start-ups when they’re about six to twelve months into their lifecycle. DHS won't take equity in a company, and it won't take intellectual property. They have obtained, and use, Other Transaction Authority, an acquisition process designed to bring commercial style and speed to Federal procurement. Other Transaction Authority enables DHS to reach companies who otherwise wouldn't do business with Government. Maughan closed with a description of the Silicon Valley Innovation Program’s phases. Their first call to industry is for Internet-of-things security solutions—your participation is invited.

Canada’s Minister of Defense on the place of cybercecurity in national policy.

SINET CEO Robert Rodriguez introduced the Honourable Harjit Singh Sajjan, Member of Parliament and Minister of National Defense, Canada.

The Defense Minister explained that he comes from a background in military intelligence and police work (the police work have been specifically concerned with organized crime). In this work he learned that secure technology was critical, for all of the obvious reasons.

But cyber security is also about prosperity, especially in Canada, one of the most connected countries on earth. The Internet powers Canadian business and government. That connectivity is both enhanced and threatened by the very fluidity of the cyber world, with the threats arising especially in dangerous interplay of violent crime, terrorism, and state failure.

The Internet, of course, was not designed to be highly secure, but rather to be freely open to trusted users. It’s grown through a process of ad hoc, increasingly complex layering. New technology is built on legacy components, many of them inevitably out-of-date. This layering equates to vulnerability, and a single vulnerability can bring down giants.

He sees three pillars of the Ministry of Defence’s cyber security role: securing government systems, partnering with all levels of government for security, and helping Canadians stay safe online. The Ministry’s Communications Security Establishment (CSE) has three basic roles: collection, protection, and technical assistance.

CSE has been in the business of protecting government communications throughout its long history. In the 1990s and 2000s, governmental agencies established their own IT programs, which spawned a multitude of systems. Since then CSE has brought some 43 agencies' networks under its umbrella, and now protects a manageable handful of gateways. CSE has focused on automation of its defense systems, and now has the ability to block malicious activity without impacting user experience. No system, of course, is perfect, but CSE has placed Canada in a much better position to protect itself.

The Minister noted the importance of partnership, not only with its Canadian partners in government, industry, and academia, but internationally as well, especially with the Five Eyes allies. “We as a community are constantly addressing innovative threats.” Cyber security is a critical part of Canadian defence policy, but we’re challenged by the way the evolution of cyberspace can outpace our ability to protect it. Defining and predicting next-generation threats is very difficult, and he closed with a call for a robust partnership among government, business, and academia. He praised the daily efforts of CSE's personnel, and their 5 Eyes partners. “Working together means prosperity and security for our nations and our citizens.”

Converting cyber innovation into high-value enterprise solutions: a view from Australia’s Data61.

Scott Wilkie, Senior Advisor to Australia’s National Data Agency—Data61—spoke to give a sense of why Australia is engaging more heavily in cyber security. “The Australian spirit is to go in and do things proactively, and that's what the world is looking for in cyber.” Data61's role is to act as an alignment mechanism for the country as a whole because cyber collaboration is, for Australia as it is for the United State, a high priority.

Data61 serves as an education tool, as a research contract partner, and as a commercialization partner. While he couldn’t yet discuss Australia's new cyber strategy (due to be announced in about seven hours, and since released), he noted a strong interest in developing an indigenous cyber industry. “We agree with the US in supporting a free and open Internet. And we struggle with developing a cyber labor force.” He concluded with an invitation to further collaboration.

Closing thoughts on SINET ITSEF 2016.

We offer some quick notes and reflections on the closing sessions of SINET’s ITSEF 2016. The panels and presentations we describe today will, we believe, be of interest to the entrepreneur.

Risk management: estimation, innovation, and intelligence.

On estimating risk: Reggie Davis, panelist and General Counsel of DocuSign, noted that there’s no real consensus on how to monetize risk—specifically cyber risk. Other panelists discussed the tendency to use changes in stock price as a surrogate for rigorous risk quantification, and their consensus was that this was a very poor surrogate at best, especially since its tendency is toward systematic under-estimation. And, directors and officers, if you haven’t taken a look at the Delaware business judgment rules, you probably should. Those rules suggest some ways of minimizing your personal exposure.

On innovation for security, in the context of risk management: Uber’s Chief Security Officer, Joe Sullivan, noted that security professionals (himself included) tend to be, by temperament and disposition, risk averse (which is why at start-ups they’re always the people who want salaries instead of equity). But the pace of IT evolution makes innovation a security imperative. “We [security teams] need to stop being the AV people and start being as innovative as the most innovative people in Silicon Valley.” The goal of risk management is not to eliminate risk, but rather to enable the company to take smart risks. He offered some advice on forming an innovative security team: hire for good judgment and diversity of thought, hire for empathy (find people who want to protect others), get comfortable admitting you’re not perfectly secure, work to improve through collaboration, and, finally, get some dedicated engineering talent inside the team.

A big attack surface? That might be a good thing. Major League Baseball, according to Neil Boland, its VP for Information Security, is all-in on honeymesh technology. They configure a honeymesh with attractive targets that shine bright to the prospective attacker, watch the attackers, get to know them, and protect what’s really valuable. This approach has been particularly useful when you work, as Major League Baseball does, with a very large number of valued third-party partners. “Double your attack surface with false assets,” said Boland, “and you’ll halve your risk.”

Making it easy to become your customer.

It’s a big market. The security market today is estimated at about $75 billion, and hacking is thought by many analysts to have an economic impact of around $1 trillion. The market’s big, the threat’s dynamic (and growing), but there are still challenges to selling into it.

The fog of commerce. The 1300 to 1500 start-ups in security have contributed to a fog of commerce as dense as any fog of war. Large company CEOs and venture capitalists agree that it’s extraordinarily difficult to penetrate that fog. It’s particularly difficult to evaluate new products—no company, no matter how big or well-resourced, can actually evaluate, in a lab, the products pitched to them. Ground truth on security products is notoriously difficult to achieve. So their buyers fall back on peer networks.

And some events raise red flags. You may well like your vendor, but you tend to get nervous when your vendor’s acquired. Given the importance personal relationships in your buying decisions (“I always go with my gut,” said one panelist, and others talked emphatically about how they carried favorite vendors with them wherever they go professionally) will the people you know still be there? Will the company itself still be around in six months?

So what’s attractive, to customers and investors? They like companies with technical credibility, and are willing to nurture an attractive product even if it’s immature (for a while, and if it’s not too onerous). Vendors should make their offerings easy to install and test in the customer environment—and the faster the better.

Dos and don’ts for selling. Don’t send out messages that begin with something like this: “Company xyz was hacked last week.” It’s unpersuasive, and on one likes to see someone badmouthing from the sidelines. Do have a technical story about your product and what it actually does. Don’t come in to see a customer without knowing whether you’ve already talked to other people in that customer’s company. Do your homework about the company you’re pitching. Know their business, and have an informed idea of their needs. Don’t make the urgency of meeting your sales quota the potential customer’s problem—it isn’t their problem; it’s yours. Do get to the value proposition of what you’re pitching clearly and quickly. Don’t claim to have no competitors. Everyone has competitors. They may not do exactly what you do, but they’re competitors nonetheless. And finally, do back your claims up with data.

So what are companies buying security products and services looking for? They’re interested in, first, innovative ways of addressing the security of their partners. “I need,” summarized a panelist, “more products addressing security around partners and APIs. Both of these put us at great risk. Second, they’re interested in detection capabilities. Any really innovative threat detection solution would find a ready audience. And third, they’re interested in anything that measures security system efficacy.

Do your customers want you to carry cyber insurance? Yep.

Final thoughts from SINET’s CEO.

Robert Rodriguez offered some closing thoughts. He thinks the US Government is now ready to learn from industry, but that such learning may fail to translate to capabilities without “immediate acquisition reform.” He strongly advocated security workforce development, and he closed by counselling the US Government to strive for a cultural shift that would improve its ability to listen to its international partners.