Connect with us

Hi, what are you looking for?


Management & Strategy

Awareness is Old News: Make 2016 The Year of Solutions

Boards and Executives Don’t Want to Hear Solely About the Problem Anymore

Boards and Executives Don’t Want to Hear Solely About the Problem Anymore

If you’re like me, and you hear presentations in various different settings on a regular basis, you’ve probably noticed something. The awareness drum seems to beat ever louder in the information security field. Every event, conference, or forum I attend seems to produce a constant stream of never-ending problem statements. Presenter after presenter gets up to sound the alarm that “cyber” is a problem that needs to be dealt with. Statistics and numbers detailing the gravity of the situation abound. Fear, Uncertainty, and Doubt (FUD) are in no short supply. But still, there is something missing. Something strangely absent from the scene. What am I referring to? Allow me to explain.

IT Security in 2016During the course of my travels, the feedback I overwhelmingly and continually receive from customers, prospects, and partners is very simple and straightforward to understand and internalize. Raising awareness is yesterday’s news. Almost everyone who is in a position of responsibility knows that security is an area of risk to the business that needs to be mitigated. Boards and executives don’t want to hear solely about the problem anymore. Enough already. They understand. They get it. What these decision makers are really looking for are solutions. How they approach their security leadership is often as follows: That’s great that security is a problem, but I didn’t hire you to complain about problems. I hired you to solve them.

Given that the operational security community has grown tired of hearing problem statements, I always find it amazing how many presentations consist of just that — and nothing else. The consensus from the operational side seems to be “throw me a bone.” In other words, enough of the hype — give me some practical, sensible, tangible advice and insights that I can evaluate and consider implementing.

Esoteric, academic, and unproven ideas won’t help me either. I need real ideas, new pathways to solutions, and different frameworks that I can consider, examine, and implement.

My pieces in SecurityWeek and elsewhere, as well as a few other blogs, forums, and publications strive to provide that practical, sensible, and tangible advice that operational users want to hear. But sometimes, it is difficult for the “hands-on” information to be heard above all the marketing, noise, and hype that pervades our profession.

Granted, 30, 60, or 90 minutes during a presentation is not going to be enough time to detail precisely how to implement solutions to complex problems, particularly when each environment is unique. But it is more than enough time to make constructive suggestions, lay out a problem-solving framework, or help people change the way they look at a given problem. Stop beating the drum of awareness and fanning the flames of fear — that is yesterday’s game. No one cares anymore, especially customers and others on the operational side.

Some people may have labeled 2014 the year of the breach. Yet others may have labeled 2015 the year of the cloud. I would argue that 2016 should be the year of solutions, even though I’m skeptical that it will be. I can dream, can’t I?

Advertisement. Scroll to continue reading.

You want to give a presentation? Talk about solutions. Talk about methodologies and frameworks that people can use to solve the problems they face. Help them understand how to break down big problems into smaller, more solvable problems. Share experiences of problems that were solved along with details of how they were solved. Stop describing the problem and listing the same set of challenges over and over again. Sure, a bit of that is needed to set the stage for the knowledge you’ll impart. But if that is all there is to the presentation, then that should be an indication that it is maybe better left unpresented.

Unfortunately, I’m not seeing a lot of talk of solutions out on the circuit, but rather, more of the same recycled, regurgitated material given over and over again. In my opinion, part of the reason this occurs is that people don’t have a lot of great answers or operational experience upon which to draw, and so it’s just easier to discuss the hype. Unfortunately, that won’t solve any real problems for anyone in the operational community.

There is no shortage of critics in the information security space. One needn’t try very hard to find someone lambasting an idea, criticizing an individual, or ridiculing an organization. But how often do we see helpful suggestions or recommendations in place of those cynical remarks? Sadly, not very often. Anyone with a Twitter account and an opinion can be a critic. But fresh thinking, new ideas, and helpful suggestions are what people, and especially those in operational positions, are really after. If you don’t help build things up, then you’ll forgive me for ignoring you when you rant and try to tear things down.

In the spirit of being constructive, I would advise those writing, blogging, or speaking to consider the points I’ve made in this piece when working on your next piece. The operational community doesn’t need to hear more from the echo chamber. They’re thirsty for real solutions. So please, help give them what they’re after if you can.

FUD, marketing, and entertainment, unfortunately, will probably always get the press and lauds. Fortunately, a select number of events, news readers, strong peer networks, and trusted information sharing communities provide us good tools that we can use to share and consume the information we really need. My hope is that presentations will become less hype and more hands-on and practical in the coming years. Regardless of whether or not that actually happens, we’ll likely have to keep throwing each other those much-needed bones.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect - EMEA and APCJ at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.


Twenty-one cybersecurity-related M&A deals were announced in December 2022.