Innovation and security go hand-in-hand, and no one knows that better than RSA’s Chief Strategy Officer Niloofar Razi Howe. As the RSA Conference team gets ready for the big event, and the Innovation Sandbox competition, in San Francisco this year, we sat down with Ms. Howe to talk about innovation, security and the unique role startups will play in helping drive the future of the InfoSec industry.
RSAC: In your new role with RSA, you're responsible for corporate strategy. In what ways are you hoping to help RSA innovate as it looks to the future?
Howe: The RSA team has deep security expertise and an entrepreneurial mindset that has long embraced innovation as the path to becoming and remaining a market leader. When the disruption of the traditional perimeter-based security paradigm began in earnest in the last decade, RSA took steps to reinvent itself to address the emerging security challenges resulting from a rapidly expanding attack surface and increasingly sophisticated, well-resourced adversaries. Today, RSA is uniquely positioned to lead the next-generation security market with a compelling and comprehensive set of capabilities addressing advanced threats and the new security paradigms focused on faster and better detection and response to advanced threats.
My role is designed to be collaborative and cross-functional, working closely with the leadership team, and especially with the product and engineering teams, to ensure that we have the right resources, the right talent, the right partners, and the right overall corporate roadmap to maintain our leadership position in what is an incredibly dynamic market. At the core of this, especially as it relates to innovation, is making decisions about whether to buy, build or partner, and thinking through the tradeoffs for each of those paths.
RSAC: RSA President Amit Yoran has said that "the security industry's approach to address the threats that organizations face today have failed spectacularly." Do you agree? What role do you see startups having in helping develop a new approach?
Howe: Amit’s statement is correct—the security industry has failed spectacularly. Imagine if your city's crime rate was over 90 percent. How would that not be deemed a spectacular failure? That’s where our industry is and the way out is to fundamentally rethink our approach to security, which will require both transformation and innovation. That’s exactly what RSA has been focused on under Amit’s leadership, and what we as an industry need innovators focused on.
The role for which startups are uniquely qualified is to challenge our industry’s thinking—they have no sunk costs, no market share to protect, no legacy products. Entrepreneurs can continue to rethink and reshape the market landscape, just as they have always done—from the early days focused on perimeter defense with AV/Firewalls (McAfee, Check Point), to point solutions focused on specific problems (FireEye, Damballa), to network analytics and SIEM (ArcSight, Splunk), and finally to visibility and analytics solutions (RSA). At each stage of market evolution there was a startup (or group of startups) that redefined what the new paradigm for security had to be to address the emerging threats.
RSAC: What challenges do startups face when trying to bring innovative products to market? What are their biggest obstacles?
Howe: The security industry is a challenging market for all companies to serve today. Our customers face a rapidly expanding attack surface as their data and digital assets are increasingly accessed by individuals they don’t employ, by devices they don’t control, on networks they don’t own. In addition, we face sentient adversaries using ever more sophisticated techniques actively and persistently working against us. Complicating that situation is that we have an asymmetry problem—$1 of offense beats $1 of defense every time.
With this as context, there are a few unique problems that startups face in the security space. The market is extremely “frothy” and it is increasingly difficult to stand out in a crowded market to unsophisticated customers. To overcome this hurdle, startups need to focus on two things—solving real problems, the problems addressed by the new security paradigm (enabling faster and better detection of the unknown unknowns such as malicious activity that has no signature) and doing it in a way that works seamlessly with an IT landscape that is complex and spans across legacy, cloud, and mobile. Oh, and you need to be technically better than all of the competing solutions and have a great user interface. Easy, right?
Of course there are issues that apply more broadly to startups: convincing early adopters that it’s worth investing in your solution by deploying it (early adopters are investors, without question) and the ability to execute in what is a dynamic and crowded space with incumbents who will outspend and outmarket you at every turn. Note that I don’t mention fundraising as an issue—the right team, the right approach, the right market—there will be funding.
RSAC: Do you think diversity plays a role in innovation? What can different perspectives bring to the table when it comes to information security innovation?
Howe: Research published in Harvard Business Review indicates that companies with highly diverse leadership teams are nearly 50 percent more likely to report market share growth year-over-year and 70 percent more likely to report success in new markets than those that lack diversity. McKinsey Research indicates that companies in the top quartile of executive-board diversity enjoy 50 percent higher returns on equity and EBIT margins that are almost 15 percent higher on average than those in the bottom quartile. Simply put, it is in a company’s financial interest to have strong, diverse teams at every level. And it makes sense—diversity (gender, race, ethnicity, experience, education) brings different perspectives, different approaches, and different thought processes to a discussion, which logically leads to a better outcome than being in an echo chamber with clones of yourself (as appealing as that may sometimes sound). This is true whether it’s the Board of Directors, the executive team, or product, engineering, marketing, sales, services, operations, finance, research, or strategy teams.
RSAC: What do you think can be done to help entrepreneurs and security professionals think more creatively when developing their own security strategies?
Howe: Don’t just think about your customer’s current needs—anticipate their future needs. Do this by thinking like their adversaries. Who are their adversaries today and how will that evolve in the coming years? What are those adversaries’ targets, motives, and goals? How are those adversaries attacking today and how will their tactics evolve in the coming years? For too long, we have approached the evolution of security in a fairly logical, linear manner. Our adversaries are not evolving in a linear manner—it’s more fractal, meaning that the evolution is connected but it is not always predictable.
RSAC: If a security startup were pitching you, what one thing would you want to know?
Howe: There are no silver bullets when it comes to innovation—there are usually a hundred lead bullets; hopefully enough to hit the mark at least once. First, what customer problem are you solving better than anyone else in the world? In other words, what is the unique technical insight that addresses a large and growing customer/market problem? Second, what are the market dynamics? How big? Is it growing? How fast? And third, does the team have a history of executing against market opportunities, from a technical and business perspective? The right team, a big market, and great technical insight—that is a very interesting combination.
Interested in pitching your startup at the Innovation Sandbox at RSA Conference 2016? Submission deadline has been extended to January 13 at 11:59 PM PT.