UPDATED 15:00 EDT / MARCH 08 2019

SECURITY

Q&A: There’s no ‘silver bullet’ solution for cybersecurity, but risk mitigation is possible

Whether an organization is a commercial or a government entity, security threats are an ongoing issue. While the cloud statistically has better data security than legacy solutions, it’s a continual battle to detect adversary movement across clouds. And now this “digital geography” is extending into artificial intelligence and the internet of things.

Even as security breaches increase in number and sophistication, organizations must have a proven plan in place to anticipate and mitigate data loss, according to Brad Medairy (pictured), vice president at Booz Allen Hamilton Inc.

Medairy spoke with Jeff Frick (@JeffFrick), host of theCUBE, SiliconANGLE Media’s mobile livestreaming studio, during the RSA Conference in San Francisco. They discussed why even great tools aren’t perfect solutions, as well as why compliance measures aren’t a good way to gauge security. (* Disclosure below.)

[Editor’s note: The following answers have been condensed for clarity.]

[Organizations] come into an environment like [the RSA Conference] and are overwhelmed by so many options. How do you help clients navigate this crazy landscape?

Medairy: As you can see on the showroom floor behind us, [there are] thousands of product companies, and, frankly, our clients are confused. There’s a lot of tools, a lot of technologies. There’s no silver bullet, and our clients are asking a couple of fundamental questions. One, ‘How effective am I?’ and then, ‘Once I’m effective, how can I be more efficient with my cybersecurity spend?’

How are [clients] measuring ‘effective,’ because that’s a changing, amorphous thing to target?

Medairy: That’s the key question in cybersecurity: How effective am I? There’s lots of tools and technologies. In general, when looking at past breaches, it’s not a tool problem. In most cases, everyone has the best of the best in tools and technologies. But either they’re drowning in data and/or the tools aren’t configured properly. So we’re spending a lot of our time helping our clients baseline their current environment, help[ing] them look at their tool configurations, help[ing] them look at their security operations center, helping them figure out can they detect the most recent threats and how quickly can they respond.

Another big change in the landscape is IoT. So how are you seeing the adoption of that?

Medairy: Yeah, we view [operational technology] as one of the most pressing cybersecurity challenges that our clients face today. It’s funny, when we first started engaging in the OT space, there was a big vocabulary mismatch. You had the [chief information security organizations] that were talking threat actors and attack factors, and then you had heads of manufacturing that were talking uptime availability and reliability, and they were talking past each other.

I think now we’re at a turning point where both communities are coming together to recognize that this is a real, imminent threat to the survival of their organization and that they’ve got to protect their OT environment.

One of the things you talked about the last time we had you on was continuous diagnostic and mitigation. I think it’s a really interesting take … that it’s not ‘buy something, put it in, and go on vacation.’ This is a constant and ongoing process that you have to be really committed to.

Medairy: Our clients, both federally and commercially, are moving beyond compliance, and if you rewind the clock [to] many years ago, everyone was looking at compliance scores and saying good to go. In reality, if you’re compliant, you’re looking in the rearview mirror. It’s about putting in programs that are continually assessing risk, continuing to take a continuous look at your environment so that you can better understand what are the risks, what are the threats.

(* Disclosure: Forescout Technologies Inc. sponsors theCUBE’s coverage of the RSA Conference. Neither Forescout nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE
