At RSA Conference, Most Security Vendors Still Not Shifting Left

A week at the sprawling cybersecurity conference known as RSA Conference always sends you home with tired feet and a full brain. With attendance as high as ever, top-quality (and more diverse, this time around) keynotes, a myriad of sponsored evening events and—crucially—a week-long San Francisco drizzle that kept attendees engaged indoors, the momentum seemed ever-present.

However, as someone coming to this industry from cloud computing, containers, open source and DevOps, I could not help but notice a wealth of “old world” pitches and a dearth of newer ones. If you are in the market for perimeter or beyond-perimeter solutions, ethical hacking or endpoint security, you can spend far more than the allocated few days to explore all the talks and vendors on offer; but if you are trying to face the cloud-native immediate future by shifting security to the left, and are looking for insights on this shift, then not so much.

A time of painful change

As Snyk CEO Guy Podjarny recently pointed out in his talk at QCon London, DevSecOps is a highly overused term that few stop to define for themselves in depth. In his approach, DevSecOps is actually an umbrella term for three areas of required transformation: technologies, methodologies and models of shared ownership.

In this reality, modern and modernizing IT organizations are facing tremendous disruption on several levels:

  • Cloud computing, microservices and containers represent a technology shift on a scale unseen in recent history, as was discussed with IBM’s Jim Comfort in my last post. This isn’t about training people on a couple of new tools—it is about re-thinking what technology enables, and how technology affects the operational and business structure.
  • From Agile to DevSecOps and beyond, methodologies can help accelerate technology adoption, but they also tend to trigger significant shifts in culture and process. This is one reason why, as I detailed in a previous post, early mass-market users of technologies such as Kubernetes require operating models, not nifty click-to-deploy SaaS tools.
  • As companies attempt to hire new talent to address new challenges, and as technologies from the last decade are being phased out, a skill/generational gap emerges between young cloud-native developers and long-in-the-tooth operators, fluent in Linux system administration and server configuration management. As Jim Comfort implied in that IBM post, re-skilling probably can’t keep up with the pace of technology change.

Security vendors are starting to get it

It’s a classic case of the innovator’s dilemma. While most traditional security vendors realize the need to adapt, they have large and stable revenue streams from legacy products, which makes the transition slower than the pace of change their customers are experiencing. That isn’t to say that the existing transition isn’t meaningful: we are well on the journey that started by securing the server and moved on to securing the VM, cloud estate, and—more recently—container. Put that together with the rise of external open source code that developers leverage in practically every new application (including proprietary ones), and with the understanding that an increasing portion of risk comes from inside the perimeter, and you get to the obvious conclusion: the urgent ‘cybersecurity’ battle is for securing the developer’s workflow, in real time.

Another interesting change is a decoupling of the user and buyer identity. The budget might still sit with the CISO, but increasingly, portions of those security budgets are being allocated to developer tools. This disrupts a long-existing equilibrium in the security market, and therefore it is no wonder that many vendors are re-engineering the product-services mix, as they figure out where their customers are going. Expect IT organizations that collaborate across the engineering-security divide to be more resilient in the face of exploit attempts—and expect vendors that adapt quickly and effectively to this future to have a better chance of survival.

New partnering models are key

Cash is usually king, and many of these so-called ‘cybersecurity dinosaurs’ will survive and thrive by leveraging their reserves, but it may be a painful and protracted process. To make it less so, vendors would be wise to rethink go-to-market strategies; re-align strategic partnerships; and prioritize capabilities for risk mitigation over risk adaptation—all in recognition that developers will continue to move fast, and that savvy security officers need to enable that to happen within the right guardrails.

Both security teams within IT organizations and incumbent security vendors would be wise to follow the guidance of members of the PagerDuty security team, interviewed on The Secure Developer podcast, who said that their job, in the end, is to make it easy for developers to do the right thing.

(Originally posted on