Optiv CEO on security tool sprawl and what’s next for zero trust

During the days when Optiv focused mainly on reselling security products, the firm would’ve been thrilled to have customers use massive numbers of security tools in their environments. But today, customers are looking for something different — with many aiming to reduce the complexity of their security programs.

And that means that the Optiv of 2022 is more focused on helping customers to use all of its security tools effectively — and if there are any that aren’t helping, to eliminate the use of those tools, says Kevin Lynch, CEO of Optiv, a prominent security solutions and services provider.

Lynch says that Optiv — which focuses on serving mid to larger-scale enterprises — sees an average range of between 75 and 130 tools within its customer base. (While the concept of “tool sprawl” is well-documented in cybersecurity, that is an even more significant number than some other figures that’ve been reported.)

Misused tools

Lynch says he’s less focused on that statistic, though — and more focused on a different stat: For clients that are new to Optiv, or are engaging with Optiv in a bigger way, 30% of their security tools are not deployed correctly — or at all.

That, in effect, is the larger problem, according to Lynch. “For us, if a client is going to carry 130 tools, if all are being used to great effect, that’s not a bad thing,” Lynch said in an interview with VentureBeat. “For us, it’s more around optimal use of technology.”

In the interview, Lynch discussed how Optiv is helping customers to deal with security complexity, his thoughts on zero trust security and innovation in artificial intelligence (AI) and machine learning (ML) for security. Denver, Colorado-based Optiv serves more than 7,000 clients and works with 400 security vendors as partners.

“We could have as many as 5,000 partners, if we wanted to, in security. It’s a very vast landscape out there,” Lynch said. “We try [to] focus on just the very best in every category and the leading edge in every category.”

What follows is an edited portion of the interview with Lynch.

Tool sprawl

VentureBeat: This average range for security tools that you’ve shared — 75 to 130 within your customer base — that’s an eye-popping figure. What are your thoughts on how things got to this point?

Lynch: If you go back in time and I’ll arbitrarily pick five to seven years back, I think you’d find that the chief information security officer was generally marked on success by how much technology they acquired and embedded in their organization. That was the status quo, in an older market condition.

Today, you’ll find a very different market condition, which is what we call an outcomes-oriented market — where from the board of directors down, the remit is, “How effective is our security posture, if one of the following were to happen?” The expectation is less around, I procured a firewall. I’ve procured and built a SOC (security operations center). We’ve got a good SOAR (security orchestration, automation and response) system in place. I have the following partner around co-managing my SIEM (security information and event management) after hours. Those are all inputs to, “What will be the outcome, when and if we have a breach and how long will it take us to stand the organization back up if we choose not to pay the ransom?” That’s a fundamental underlying thematic shift that influences a lot of our choices.

VentureBeat: When do you think that shift really started happening?

I think we’re in the middle of it. No question. For Optiv, the chief information security officer remains our predominant buying persona — although we serve boards, we serve senior teams, we serve CIOs, we serve digital transformation leaders. But if you studied that market, you’ll find that the average CISO is in place for slightly under three years and procuring a lot of technology (whenever they start a new role). Organizations have an awful lot of technical debt on the books.

So we’re in the middle of that thematic shift, but it’s with these two underlying conditions — the CISO on average is moving around and bringing a new strategy, a new lens, but also dealing with technical debt and installed capabilities. So it’s not an overnight shift, by any means.

VentureBeat: It’s pretty amazing that 75 is the low end for the number of security tools in use in the enterprise, though?

Lynch: Yes, that’s the low end. Do I think that that will consolidate over time? Yes, I do. I also believe that the long-term prognosis of the industry was, we would see consolidation of the provider side into more of a platform play.
Candidly, for every logo that goes away these days, we start to see one to two emerge. We haven’t really seen that consolidation. I do think you start to see best-of-platform, as opposed to best-of-breed in our environment today. I think these are long-run secular trends, versus one to three years.

In that old world order, we would love to look at a client that had 100+ tools. From a reseller perspective, that’s a great cycle the be in. And to be expressly clear, we still do (reselling). But we’ve built a very different business on top of that.

Today, we think of ourselves as a cyber advisory and solutions leader, which means we have to have the widest array of capability possible to serve a client in their unique needs — meet them on their journey of security and resilience and serve them bespoke at scale.

And so Optiv today certainly has that value-added reseller component — we bring to market 400+ of the best technology partners in the world. That’s a combination of the large-scale providers that are the true and trusted and brands you know and also a very dedicated effort to be constantly scanning the environment, the ecosystem, for truly unique new assets that are being brought to market. They might not be material to us economically, but they’re material to our clients in terms of capability. We span both sides of this market. We could have as many as 5,000 partners, if we wanted to, in security. It’s a very vast landscape out there. We try and focus on just the very best in every category and the leading edge in every category. And we’re also not focused on doing things outside of security. We’re security-centric and focused.

VentureBeat: What’s your answer to the issue of customers having so many tools? How are you helping customers to deal with that complexity?

Lynch: We do enter this market tool-agnostic, because of that partner set. We’re not here to try to push a technology to a client and say, “This is the greatest thing in the world. You must buy it and all your problems will be solved.” We’re more focused on what they are trying to accomplish from a business outcome basis. And then, how do we actually help them to deliver on that? And where do we see the technical and development roadmap for that suite of capabilities? If we’re looking at an identity solution, we might be helping them to think through their needs within their technical architecture and bring in two or three options to bear in helping them to evaluate those options. I think we’re trying to influence that multiple toolset. But then through things like our advanced fusion center, trying to help influence and manipulate that tool set, to help them better utilize and help them connect different tools together in a better way. And then ultimately, if the tool set number changed, that’s great. But we don’t see that as our core objective. For us, if a client is going to carry 130 tools, if all are being used to great effect, that’s not a bad thing. For us, it’s more around optimal use of technology.

VentureBeat: The second stat — the 30% that aren’t deploying the tools at all or are deploying them incorrectly — that’s really the bigger problem?

Lynch: That’s the bigger problem, for sure. And if you sit in a security operations center and watch for a given day what transpires. And you look at it from the console, from an analyst chair and you start to see all the different tools that are in play in that SOC. And even with all of that, you start to see the limited amount of log data that’s being utilized and scraped into that environment. And then you see the fact that there are still incidents. And even within those incidents, you start to see that most were actually in the log data. So that’s a manifestation of where, candidly, it wasn’t about a perfect technology architecture. It was around the intersection of that data, the feeds, the insights and the technology itself.

VentureBeat: In terms of the solutions and services that you’re bringing, all of that is aimed at this more-optimal use of the tools that people have?

Lynch: That is 100% our focus. So if the future world order had clients that, on average, went from 110 tools to 50, we don’t see that as a bad thing. If they did that and they reduced their security posture and were more open to breach, we see that as a horrible thing. But if they optimize the use of their technology and the connectivity, whether through APIs or other means, we think that’s really ultimately the objective — to strengthen the security and resilience posture.

VentureBeat: For your managed XDR, is that potentially a big solution for this issue, since it’s tying data together from different tools?

Lynch: It’s a very big thing for us. We’re convening our intellectual property and theirs. We’re not intending to be, nor will we ever be, in the software business. But we’ve got a lot of market knowledge, we’ve got a lot of practical application knowledge. We’ve got capabilities in terms of people and services that we wrap in. That’s our IP. We have great connectivity IP as well around APIs. That partner for us might have a phenomenal sensing engine, or they might be sitting on a data set that’s the largest installation of breach data, as an example. So we’re thinking about how we both put our IP together and harvest something unique out of it. The objective is, raise the posture on security and resilience and reduce the complexity wherever we possibly can.

Zero trust

VentureBeat: How are you viewing zero trust? What are you seeing there in terms of innovation and customer demand for zero trust?

Lynch: Zero trust is getting a lot of attention these days. It’s become a core market theme. Some themes start with real substance — i.e., there’s a product [behind the] theme and then all of a sudden, the world wakes up and says, “That’s great.” There are other cases where it’s a lot of pop, buzz and sizzle, long before we get to the substance.

My sense is that we’re still in the buzzword side of zero trust, rather than in the mainstream of the market. A lot of our clients are talking about it. They’re thinking about it. But when I think about the efforts to be taken, to really deliver on a zero trust architecture, I would tell you, we’ve done less of what I think is required in that, than remains ahead. So we’re still in the early innings of that game. I do think we’re seeing a lot of our clients come to us and ask for zero trust assessments. And then those are spinning into what I’ll call classical program architecture — help build a three-year program around zero trust.

Those always have a really robust element of, what do I own today that could be leveraged in this — rather than I have the view that I’m going to wholesale change out all the infrastructure in my organization to deliver on this new theme called zero trust. So it’s what can I use on the rack today and what will I have to evolve and add over time. But I think it’s very, very early innings. I think it is a very powerful concept — especially when you think about what’s happening more broadly.

VentureBeat: What is driving demand for zero trust, in your mind?

Lynch: With COVID-19, we went from a normalized position of campus and branch, to branches everywhere, in everyone’s home. That’s a massive shift. And with cloud, we’re effectively increasing the complexity of our network — i.e., we’ve gone away from a perimeter construct. All of those create a very different condition, where you have to think about zero trust.

Zero trust as its basic principle says that no device, no interaction, no endpoint, is trusted until otherwise verified. Think about the exponential growth in all those computing transactions and you’ve got to approach them all with a zero trust basis. Yet, you cannot allow that to be so cumbersome that you slow the clock speed down in the organization. It’s critically important work.

You see two modalities of thought on this within our clients — and it’s early innings, so this is early thinking. But some are looking for things that are very simple — “I don’t want to move away from some of the legacy computing assets I have.” Those may or may not be on-prem, but let’s say they’re on-prem. Then they’ve got a hybrid cloud environment on top of that. They’ve got a degree of public [cloud], a degree of private [cloud]. They now have a distributed workforce. But this whole notion of re-imagining their network seems very burdensome and costly. And they want to get to that, but they want to get to that three to five years out. They want to prove out that this model is here to stay, versus something episodic.

And then at the same time, I would tell you there’s phenomenal technology in play and in development that’s going to allow people to really rethink the network notion — and almost explode the idea of campus versus branch and think about one ubiquitous network that is all- encompassing. That’s a more-expensive approach in the short run. But in the longer run, probably far more efficient. I think you have two modes around trying to solve this problem. But I do think that we’re going to continue to see expenditures and a drive toward zero trust. We’ve gotten away from a perimeter construct.

VentureBeat: But you think the technology and innovation has come a long way in zero trust?

Lynch: There are very good technologies in play in zero trust. When it comes to that notion of an exchange in the center to deal with this, there’s great technology out there today that can assist and aid and accelerate that — with the right services to configure, build policy and rule sets because it’s really going to come down to that.

I feel like what I’m hearing is that there are some very good zero trust technologies already, but customers are trying to figure out how to do it — because they’ve already got VPNs and infrastructure that they’ve invested in. So, is that more the issue — it’s not that the technology isn’t ready, but there’s an issue of how to get that technology onto the existing systems that customers have?

There are multiple dimensions here. I would say first and foremost, there’s an underlying desire to use what they have, versus net new. That will work in certain cases — that won’t work in all cases. There’s a second underlying condition, which is more around connecting the assets to work in concert — versus looking for one single platform to do it all. Really, to deliver on a zero trust architecture, you’re going to have strong threat hunting, strong endpoint protection, strong identity capability. Whether that’s identity at the core or identity governance, or privileged data access — you will have strong assets there. But just those three elements, getting those to work in concert with one another, is a great illustration of how it’s beyond just a single tool and technology. It’s around how we bring those together to work together, with the right telemetry and connectivity that’s also secure in and of itself.

AI/ML

VentureBeat: When it comes to AI and ML, are you seeing meaningful innovation there for security, that’s being used to help your customers?

Lynch: I do. The simple answer is, yes. But one of the common challenges in our world is speed. And speed, in the context of security, will always be important. Organizations cannot go slow and deliver value if they have to wait for security. They cannot wait to do security for app dev on the backend of the development cycle. And in the SOC, you cannot wait for a human response, in certain cases, to determine that something is malicious and then act on it. Whenever you look for speed in a security environment, you’re obviously looking for something that’s going to work at machine speed versus human speed. Because we’re now in a capability set that allows the machine, with the right human input, to operate faster. Even if there is an instance of a breach, going faster allows us to stop propagation. I think there’s been some phenomenal work done. And you see great AI and ML in the security environment, around reacting to breaches. I’d say yes, is the simple answer.

VentureBeat: Where do you see AI/ML for security going next?

Lynch: I do still believe that we are in an era where we’re still looking at too limited of data into that SOC environment. We’re still looking at too limited of data from a threat hunting basis. I think we’re still seeing too limited of data because we’re we’re solving for things in an enterprise, versus multiple enterprises or multi-tenant. I do think we’re still in an era where we’re not conjoining telemetry from multiple assets together and therefore in SOCs, the log data is measured in a pretty finite way.

And ironically, most of the breaches were in the log data, even if they weren’t caught by the human or the AI early on. I think there’s still a whole wave ahead of us, where there’s more to be done here — to inform algorithms and become smarter, so we can ingest greater data and raise the efficacy in the SOC. Does it take the analyst out of the loop? I don’t think so. But does it reduce some of the early triage work of the analyst — and does it bring multiple data together, so they’re not looking at six panels trying to determine the degree of malicious activity and what to do about it? Yes, I do.

I think, whether it’s this year or 2023 or 2024, I think there’s going to be a fairly sizable SOC modernization market that emerges. You’re going to see AI/ML in that, in a big way. But I wouldn’t want to say that and have someone take away that we’ve done nothing. Because I think there’s been some phenomenal technology built and deployed, that’s doing great things in that SOC, not to take the person out of the loop, but into a secondary position.