Do you own your security tools? Or do they own you?

People + Process + Technology // Secure by default // Remote jobs

Hello friends,

RSA is next week and vendors are on the mind. Who will win the award for most ridiculous swag (viking helmets, maybe)? Who will throw the best party? Who will have rented out the sides of every bus in San Francisco? I suppose these are the big questions of the year.

In all seriousness, there are some crazy dynamics in our industry that I’ve been able to have a front row seat on and I thought I’d share my reflections with you all today.

Hope you have a fantastic weekend.

Skol,

Brad

Do you own your security tools? Or do they own you?

I’m going to say something that is pretty self-evident to anyone who’s been around our industry for a while. There are too many security technology companies. And the sheer quantity and funding that they have create a reality distortion effect around our entire space.

A few stats:

  • >4K cybersecurity technology companies in the world

  • >1K financing events in 2022

  • $20-30B of financing per year

  • $120B of M&A in a typical year

  • >200 new companies formed every year

(Figure: The cyber tech landscape. Hope you have your magnifying glass. Source: Momentum Cyber)

Wildfires are destructive and painful, but they are also healthy: they set the foundation for new growth. From a distance, it looks like those wildfire conditions might be settling in for the next 12-18 months as security budgets flatline, the focus shifts to ROI and rationalization, and VCs pull back on investment (particularly from portcos that haven’t really found product-market fit).

The focus on getting to profitable unit economics (at least) this year is something relatively new. Generally, it’s been growth at all costs and valuations that were purely driven off top line (and top line momentum). That’s a lot of pipeline pressure. That’s a lot of money to spend. That’s a lot of BDRs to hire and a lot of events to run. That’s a lot of CISOs to spam.

Let’s put this in perspective: assume half of those funds being raised go to GTM, and half go to product. That’s ~$12B of GTM investment funding per year. Assume it’s largely targeted at the largest 10K companies in the world (with a massive skew to the US), and that’s $1.2M being spent on sales reps, BDRs, marketing agencies, etc. to get the attention of each of those 10,000 companies (and most of that ending up in the inbox of the CISO). And that’s not even counting the sales and marketing efforts of companies that aren’t reliant on funding anymore.

There’s no doubt that there are some incredible companies doing great things to make the world more secure, and astute investors backing companies that will change our industry. (I’m fortunate enough to know many of them and to be an LP with some of them.)

That being said, security programs are breaking under the tool weight that exists today. It’s common for large companies to have upwards of 80 security tools in their environment. That’s too many.

The sheer supply in the industry, and the combination of investment funding and pressure for top line growth create some very distorted dynamics.

1) The industry is more in search of problems than solutions

When all you have is a hammer, everything looks like a nail.

An average pitch goes something like this:

“Did YOU KNOW that companies today have terribly weak ABC and that threat actors are actively exploiting these and it will cost you money and reputation if you are one of them? Dark/Deep/Sentinel/Overlord/Watch is the ONLY company that provides you with the visibility you need on a single pane of glass via our buzzword, buzzword, buzzword zero trust solution that will stop these threats in their tracks.”

At the end of the day, this marketing is more about trying to bring awareness to the (often niche) problem than it is about really helping customers. And you know some of it is BS, but you aren’t totally sure which parts. So you discard it all, unless someone you trust recommends the solution to you.

2) What becomes individually rational becomes collectively insane.

All of this investment is totally rational at the level of an individual company. The problem is that when multiplied by thousands, the net effect is minimal signal, all noise.

One arms race is between attackers and defenders. The other arms race is for the attention of the defenders (if I could just get 15 minutes of your time!). In this environment, there’s a ton of pressure to take shortcuts by overpromising what your product can do and positioning it in line with the latest industry buzzwords.

All of this erodes trust and sows confusion.

3) It fosters a surreal conventional wisdom that places primacy on technology.

The surreal conventional wisdom is this:

  • Security is complex and you have many potential vulnerabilities and challenges (true)

  • You can’t find enough people to take care of all of it (true)

  • Buy this tool, flip it on, and we will take care of those problems (false)

Why does this happen, when most people know better?

Because it’s easy. We all want to believe. Security isn’t that hard if we can just buy it.

But that inevitably leads to disappointment and failure because:

  • Tools aren’t flexible enough to fit into your existing process OR

  • You don’t get around to changing your process to make the tool work well (because changing process, BTW, is really hard) OR

  • You don’t have the people bandwidth to get the most out of it OR

  • The tool stands alone, unused, because the problem you thought you had, that was pretty convincing in the sales pitch, is really not all that important in light of the other problems you have to solve

And so, this is my friendly reminder to bring it back to basics:

People, process, AND technology. It’s cliché. But it’s true.

And you need all three in equal measure. Tech is necessary. But not sufficient.

Technology leads, and people and process often don’t follow. Or if they do, it’s only about hiring people to manage the tools.

This all has knock-on effects for the jobs marketplace, because you see a majority of job postings written as if the end goal of a person’s role is to manage a tool. So you look for people who have a lot of experience with that tool. And then you don’t find them within budget.

So, a plea to remember the proper flow of things:

  1. Understand your environment (tech environment, assets, attack surface, data, regulatory requirements, etc)

  2. Identify your risks (probability and magnitude)

  3. Define a risk tolerance and be explicit about decisions on acceptable risk, risk to mitigate, and risk to insure

  4. Define the gaps in your security program and the steps to close them

  5. Build organizational alignment and support of the vision for the program

  6. Define the capabilities to build, people investments to make, processes to mature, technologies to invest in

  7. Execute

We see a major imbalance between 1) the criticality of the human element and 2) the amount of innovation, investment, and creative thinking that is paid to this area.

That’s why we do what we do.

For further reading:

Tools, resources, and useful things from the internet

📺Getting your initial certs in security? This channel, by Professor Messer, has comprehensive training for the A+, Network+, and Security+ CompTIA exams.

📖SANS has updated their “New to Cyber Field Manual,” which is packed with resources and tools for folks who are entering security. They also have a good website. (SANS)

🥳If you are going to RSA next week, just in case your evenings aren’t full (low probability), here is a party calendar. (Conference Parties)

🎧The New CISO podcast provides great insight into the challenges and joys of this difficult role (New CISO Podcast, Exabeam)

News

🦹️A leak from a Russian contractor illustrates the Kremlin’s plans for sowing cyberwar. (Dark Reading)

🏛️CISA, NSA, FBI, and several governments have collaborated to release guidance for making products secure by default. Jen Easterly has been pushing this topic heavily; it will be interesting to see where it goes. (CISA)

🔌The FBI is warning against malware being installed via USB chargers in public places. Watch out, friends! (The Hill)

📖Lineaje published some interesting research on the inherent vulnerabilities of open source software, including the increasing difficulties it presents for traditional patching. (Business Wire)

💼Going to RSA? Here are Dark Reading’s suggestions on what to attend.

🤭A misconfiguration in Slack led to the public disclosure of 56K customers of the DC health insurance exchange (including members of congress). (AP)

Jobs to check out

This week we are featuring fully remote jobs.

💼Lacework. Cloud Security Engineer.

💼Xerox. Cybersecurity Incident Response Lead.

💼Zscaler. Data Security Officer.

💼Microsoft. Principal Security Architect.

💼Dick’s Sporting Goods. Senior Manager of Identity and Access Management.

💼United Airlines. Principal Architect, Identity & Access Management.

💼Marriott. Lead Cyber Incident Response Analyst.

💼Hartford. Identity & Access Management Cloud Engineer.

💼Cardinal Health. Identity Engineer, Information Security & Risk.

Events

💼RSA. San Francisco, CA. April 24-27.

💼TechNet Cyber. Baltimore. May 2-4.

💼B Sides New Orleans. May 3.

💼SANS Security Leadership New Orleans. May 8-13.

💼B Sides. Knoxville. May 12.

💼SANS West. San Diego. May 15-20.

Crux is building the talent platform for cybersecurity. Check us out.

Thinking about your next move? Join our network.

Want help with your hiring needs? Reply to this email to drop me a line.