Cloud Security , Data Loss Prevention (DLP) , Endpoint Security
ISMG Editors: DSPM, DLP Converge to Reshape Data Security
Also: Impact of NIS2 Directive in Europe, Cloud Governance Challenges Anna Delaney (annamadeline) • October 18, 2024In the latest weekly update, ISMG editors discussed the strategic convergence of data security posture management and data loss prevention technologies, evolving priorities of security leaders and the urgent readiness challenges posed by the NIS2 Directive.
See Also: Securing the Cloud, One Identity at a Time
The panelists - Anna Delaney, director, productions; Tony Morbin, executive news editor, EU; Michael Novinson, managing editor, ISMG Business; and Tom Field, senior vice president, editorial - discussed:
- The growing convergence of DSPM and DLP solutions, highlighting key acquisitions in the market, the influence of generative AI on data security, and the challenges of integrating these technologies for enterprises, especially in regulated industries;
- Emerging trends in ISMG cybersecurity roundtables, related to cloud transformation, observability, ROI, governance and the latest regulatory expectations - plus a heightened focus on operational resilience and compliance;
- Compliance with the new NIS2 Directive, which aims to enhance cybersecurity across European Union member states by streamlining incident reporting, enforcing stricter sanctions and fostering a "secure by default" approach.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Oct. 4 edition on Russian cybercrime syndicates under siege and the Oct. 11 edition on how Chinese hackers raise stakes in cyberespionage.
Transcript
This transcript has been edited and refined for clarity.
Anna Delaney: Welcome to the ISMG Editors' Panel. I'm Anna Delaney. Today, we'll explore the critical trends reshaping cybersecurity, from the evolving priorities of security leaders to the strategic convergence of data protection technologies, and the urgent readiness challenges posed by the NIS2 Directive. The excellent panelists today include Tom Field, senior vice president of editorial; Tony Morbin, executive news editor for the EU; and Michael Novinson, managing editor for ISMG Business. Very good to see you all. Tom, as always, you've been jet setting across the U.S., as you said, moderating roundtables with security leaders on a variety of important topics. So, what emerging trends have stood out to you in these discussions?
Tom Field: For the past week, I've been to Los Angeles and Charlotte, and the conversation has been all cloud. Now, it's interesting because I found myself in Charlotte on Monday and realized that I was staying in the same hotel where I was in 2020 when COVID shut down the world. I remember being there and the professional basketball league shut down. The professional hockey league shut down. As I was waiting for our event to start, I was hosting a dinner. Attendees kept dropping off because their companies were telling them, by policy, that they no longer could attend public events. And then 45 minutes before we would start, the sponsor said, it's irresponsible to host a public event, we're going to postpone this. And so suddenly, I was there for an event, got sent back home and never flew anywhere again for 18 months. And so it was a little eerie to be back in that very same hotel that I left and didn't travel for a year and a half. But, it made me think about the conversation about cloud, because if you go back to the conversations I was having pre-COVID, and I hosted a lot of roundtables about cloud, invariably, you had attendees talking a little bit about single cloud or multi-cloud, but mostly about we're just dipping our toes in the water right now. We're just getting started. Suddenly COVID came. They had to enable remote work. Everything changed, and those that were dipping their toes, within six months were swimming over their heads. So, it was nice to go back and have these cloud conversations here in 2024. So, in Los Angeles, in the session sponsored by Broadcom, we were talking about the cloud journey and observability across network, cloud and security with the premise that network security and cloud are user experiences that are coming closer together now because of the convergence in the migration. So, we talked about cloud transformation, observability, ROI, skills and the goals that the attendees want to learn more about cloud security still in their migrations. They wanted to talk about how you detect anomalous behavior from new practices in the cloud, and how they evolve their governance for the cloud. And concerns that came up were how much can we rely on the cloud? How customizable can it be for our organization? I had a cloud-native organization; their representatives stood up and said, "We have 320 SaaS apps in our environment. How can we possibly govern those?" And so, there was a level of maturity in terms of organizations that have migrated to multi-cloud environments but still some very fundamental concerns in some organizations, including a large restaurant group talking about what risks do we have if we shift fundamental programs over to the cloud, and if there's any kind of an outage, we can't afford to have any of our restaurants down for any period of time. So, interesting that some of the conversations haven't changed. In Charlotte this week, the conversation was about accelerating cloud transformation, particularly compliance, and whether compliance is starting to catch up with the cloud. So, we talked about regulatory expectations for cloud strategies, shifting focus on operational resilience of organizations and the evolving role of managed services to help organizations manage their cloud presence. So, key points we talked about there were the evolving regulatory expectations and Michael this kind of went back to conversations that we had at Black Hat, where we had the gentleman from ENISA talking about how innovation starts in North America but regulation starts in Europe. When it comes to cloud and AI particularly, a lot of the regulation is evolving there, and people in the U.S. are paying attention to that, because their one concern is that they know more about cloud than the regulators do, but also keeping an eye to see what might we see in 2025, particularly when it comes to cloud environments and the use of AI/gen AI, particularly in cybersecurity. And as you noted in an earlier conversation this week, Michael, a lot of people are paying attention to the U.S. presidential election, because depending upon which administration gets in, there's going to be a new administration. How are they going to approach cybersecurity, privacy and regulation? And I maintain that cybersecurity is no longer one of those issues that's bipartisan. It's very partisan. And what priority it becomes, and whether there's a Congress that can come together to pass any kind of regulation, is something we're going to be looking out for. Another interesting point was that you no longer have people looking at cloud migration as a cost-saving area. There's a realization now that you're not going to save money; you are going to gain some efficiencies, and you're going to be able to improve user experience, perhaps, but you're not going to save money. You are making a change that reflects the way that we continue to do business today and the way business has evolved since that very day in 2020 when I got sent home and didn't move for 18 months. So, those have been the conversations I've had over the past weekend. I should mention that the second conversation I had in Charlotte was sponsored by Deloitte and AWS.
Delaney: Whole set of rich conversations. So, have you noticed any shifts in priorities for CISOs and security leaders in these discussions, particularly on the cloud?
Field: The biggest thing is when you start talking to people at the very outset, and they introduce themselves and talk about their perspectives. Even some of the state and time-tested companies are declaring themselves cloud-first. They can't say cloud-native, but they can say cloud first. And that certainly is the desire that many organizations now do not put their money into their data centers when it comes to infrastructure. When it comes to infrastructure, when it comes to application, when it comes to services, they all mostly are thinking cloud-first, and governance is a huge issue, because they now have to get their arms around every part of their enterprise where investments are being made in the cloud, and some of those investments can be coming from individuals, not just business units, but you've got company data exposed there, and there's got to be a level of governance. And so that and then the tried and true data security; those are issues that everybody's talking about.
Delaney: Thanks Tom. Speaking of data security, Michael, this week, you've reported on a trend that reflects the growing convergence of data security posture management, DSPM, and data loss prevention, DLP, solutions, as seen in Cyera's $162 million acquisition of Trail. So, tell us about this trend. What are you seeing?
Michael Novinson: Thank you for the opportunity, Anna. So, DSPM - data security posture management - has been one of these red-hot areas over the past 18 months. Certainly, the adoption of generative AI has driven that, as you're having so much more data coming out through these large language models and data that are being fed in from organizations. There's been a lot more thought around how do we secure and safeguard the information that's either being fed into LLMs or coming out of LLMs. So, this has driven tremendous interest in the DSPM space to the point where we have seen six acquisitions of DSPM startups since May of 2023 and I know some people are like, "Oh, wow! I didn't even realize there were six DSPM vendors," but there were. So, we've seen pretty much the biggest names move into the space. We've seen IBM, Rubrik, Palo Alto Networks and CrowdStrike enter the market. They all spent at least $100 million to buy a DSPM player. Then in June, Tenable bought Eureka - a little less expensive, just over $30 million. Then, deal number six came just this week, which was Netskope, which is still technically a startup buying into the space. And they're buying into the space by buying Dasera, which is fairly early stage, raised about $20 million. So, Netskope's recent buy is interesting because they started up in this Cosby market. That has moved more broadly to SSC, and then their feeling is, and perhaps not without reason, that SSC and data security are going to converge, and that they're expecting, as part of the SSC portfolio, that customers are going to expect some data protection, at least of the DSPM variety. So, Netskope had already built out DLP natively. So, they're taking their native DLP and then the DSPM that they bought and planning to bring them together. And it is increasingly being branded as data detection and response, or DDR. We're seeing Netskope moving into there. And so, that was the first move. Then, as you had alluded to Anna, what's kind of interesting at this point is, if you've had six DSPM companies bought, who remains? What's up here, increasingly appearing to be the dominant player, in this ESPN market is Cyera, and if you look at their growth trajectory, it's not one we've seen much since the economic downturn. So, back in June of 2023, they raised $100 million at a valuation of half a billion. Then, nine months later, they then go and raise an additional $300 million, nearly tripling their valuation to $1.4 billion; that was back in April. Then, they turned around and used more than half the money they raised to buy a company this week on, and they bought a company that had 40 employees, was in self-mode, and wasn't even publicly known. They spent $162 million to do that, and it's unusual. This is the type of behavior we saw a lot in cybersecurity in 2021 and 2022. Huge valuation jumps, multiple funding rounds, large M&A where companies were raising money to go buy. It's not something we've seen much since 2022 and to a certain extent, it's because this is an AI-adjacent market. It's defying some of the laws of economic gravity that are affecting most of the rest of cybersecurity that most companies, candidly, would have trouble raising this type of capital at ever-increasing valuations if you're not in a field that's considered directly impacted by AI. So, some very aggressive moves by Cyera. They were clear even back in April that they were looking to get into DLP. They found a next-generation DLP vendor in Trail, where certainly DLP is a pretty outdated area. Most of the big market share players have been doing it for 20+ years. So, from Cyera's standpoint, there's a bit of a land grab going on here, that if you have CrowdStrike, Palo Alto Networks, IBM, Rubrik and Tenable, who all have DSPM as well, there's certainly a large green field. Most organizations do not have anything for DSPM right now, but there's a sense that you need to move quickly, and that essentially, from a pricing standpoint, Palo and CrowdStrike can bundle. They can offer packages with other security technology areas that it's going to be hard for a pure play such as Cyera to compete on. So, you need to be reaching customers first, and you need to be able to articulate why what you're doing is better than the DLP bolt-on or the DSPM bolt-on that some of these broader platforms have. And it's a big challenge. People certainly are focused on being cost-effective, and certainly, some of it is also laying out that roadmap and explaining, like, okay, fine, so this other vendor bought a DSPM company, but our roadmap is solely focused on data protection. And here are all the go-forward investments we plan to make in this area. It's not, oh, we bought a product. We bolted it on, and now you can get it as part of a bundle, but that we have a full road map around this. So, certainly unusually aggressive moves from a startup. Three-year-old startup in Cyera, but certainly the market opportunity justifies it.
Delaney: And Michael, from your perspective, what are the challenges you foresee emerging and integrating these solutions for enterprises, particularly in those more highly regulated industries?
Novinson: That's certainly fair, and it's kind of a proactive, reactive scenario where DSPM has been on the preventative side, it's focused on data at rest and it's what your time Sega ever compared it to during our conversation yesterday was let's say you're moving and you can't remember where you put your rice cooker. But essentially, what Cyera does is it will virtually look through your 100 boxes and spots - there's the rice cooker. That DLP is focused on data in motion, and you don't want to slow the speed. So, that's wherever all the boxes are being carried out to the moving van, and you need to figure out somehow where the rice cooker is. But, you can't without slowing down the moving truck and not getting your U-Haul there on time. You can't physically inspect every single box. So, it's a different set of capabilities that are needed to understand data in motion. What they're trying to do is to use AI to be somewhat more predictive, because this kind of traditional, AD-based endpoint was very much based on signatures and patterns and known, unknown bad activities. They're trying to become more predictive and less and less focused on some of the more traditional DLP methods. So, it's about figuring out how to build this around a single platform and to sell it to customers. And it is important. Certainly, it's where we're heading because nobody buys Cosby or CSPM on their own right now. People buy cloud security or CNAPP. I imagine 12 to 24 months from now, nobody's going to be buying standalone DSPM, but there's certainly some heavy lifting involved. It is about trying to maintain a high degree of efficacy in what you build natively as well as what you're bolting on later. Because inevitably, what you see is whatever companies did first, they do best, and then they buy or they build something else that's adjacent, and usually it's good enough, but it's not best in class, and certainly for a company like Cyera, where all you do is data security, all of those components need to be best in class, because, you're going to be in an uphill battle trying to compete against a Palo or CrowdStrike enterprise.
Delaney: Excellent work. Michael, thank you. Thank you for that analysis. Tony, the NIS2 Directive moving to the EU now came into force early last year, it was January, giving member states until this week to transpose it into national law. And this directive takes cybersecurity up a notch. So, tell us about it, and whether you think organizations are truly prepared.
Tony Morbin: Yes. 21 months ago, the EU gave member states 21 months to meet the requirements of the NIS2 Directive in their national legislation. The aim was to strengthen cybersecurity measures, streamline incident reporting obligations across the nations, and as I say, 17th of October was their deadline. The initial move reflected concerns that growing digital connectivity was exposing economies and societies to ever-increasing complexity and scale of cybersecurity threats, while the economic and social impact was also growing exponentially. Now, that's reflected in the fact that the global security market is now predicted to reach $400 billion in 2026. The original NIS Directive sought but it failed in its aim of achieving a high common level of cybersecurity across the EU member states. Instead, by their own admission, fragmentation remained at different levels right across the internal market. And now NIS2 seeks to address these failings in the security of supply chains, streamlining reporting obligations, and introducing more stringent supervisory measures and stricter enforcement of requirements, including harmonized sanctions across the EU. So, it therefore intends to increase the level of subsecurity in Europe over the longer term through these measures.
Delaney: So Tony, is more regulation going to solve this problem?
Morbin: Strict free marketeers would argue that all such regulation is unnecessary, that products, for example, made in Singapore will work equally well in China or France because they have to meet market requirements to be sold. But of course, in reality, that's not true. And the U.K. was in the EU for 47 years, but I traveled to Berlin earlier this week, and my laptop didn't fit into the hotel's electric socket, and as the variety of adapters on sale at the airport demonstrates, on a global basis, the lack of harmonization is immediately apparent. So, getting back to NIS2, even though it only applies directly to EU nations, it's got quite a task to achieve on that alone and needs enforcement. But along with, say GDPR, it's also setting benchmarks for expectations that are largely expected to be replicated or receive equivalents in other territories, including this particular NIS2 forming a basis for the U.K.'s upcoming cybersecurity and resilience bill that comes out next year. But like GDPR, isn't primarily about the individual requirements or even the swinging fines so much as driving a reset of approach to make privacy by design a foundation for data handling. Similarly, NIS2 is not so much about tackling particular threats as promoting a secure-by-default mindset that puts security at the heart of software development. Of course, it goes beyond simply reiterating the shift left strategy of including security at the earliest stage of software development, but it also does give specific advice on how this can be achieved. Approaches include the promotion of automation when it comes to implementing quality and security gates so that manual errors are avoided and consistency is achieved. Also, more entities and sectors are going to be called into scope with the increased security measures that include telecoms, social media platforms and public administration. It's also calling for greater alignment of incident reporting requirements with 24 hours for the initial report, and the new sanctions for non-compliance coming into force with administrative fines of up to 10 million euros or 2% of global worldwide turnover, whichever is the higher. For many practitioners, one of the more anxiety-producing requirements of NIS2 is that managers are explicitly held responsible for overseeing the implementation of these measures, and they can be held personally liable for infringements, including penalties and potentially temporary bans from management roles if gross negligence is found following a cybersecurity incident. We've seen CISOs set up as the fault guy for breaches in the past, including ending up in court, such as the famous recent case where the judge decided not to imprison the CISO because he felt the CEO and other members of the board should have been in the dock alongside him. Now, the CISO in question said that he was hired for technical expertise and punished for lack of legal knowledge. And it's not surprising that NIS2 advocates training. However, what NIS2 says is that management must participate in specialized cybersecurity training to stay informed about the latest threats and best practices. So, this could easily be construed as assuming that those who framed the requirement were thinking of people like the CEO and the CFO rather than the CISO could already have this understanding. Therefore, companies thinking that they can delegate responsibility to the CISO need to think again. A secure-by-default mindset means senior management including security as a foundational activity in achieving resilience for the organization, and whether the organization's mission is generating electricity, selling widgets or providing services; security is also part of their business.
Delaney: Excellent. Very well said. Lots to keep organizations on their toes here, and we've both recorded a few interviews in the past couple of months. So, I know InfoSec Europe, and more recently, if any organization needs more insight into the NIS2 Directive but also incident response reporting and board accountability. So, encourage anyone to follow this further. I'll include the links on the landing page.
Field: You've done a great job, and it's an evolving conversation.
Delaney: For sure. Thank you all for your excellent insights into the conversation. Appreciate it.
Field: Thank you.
Novinson: Thank you, Anna.
Delaney: Thanks so much for watching. Until next time.