Opportunities in Privacy & Security Emerging During COVID-19
By: Katharine Tomko and Noah Chaikof
This article, by First Ascent Ventures, is the first in a series that will outline emerging trends across the Privacy and Security space.
It would be an understatement to say that COVID-19 has drastically altered daily life and business dealings across the globe. The Canadian technology space is not immune to this disruption and as a venture fund supporting local innovation, the daily announcement of layoffs across the technology ecosystem has been painful to watch.
At First Ascent Ventures, we have worked very closely with each of our North American portfolio companies to deepen our understanding of not only the challenges but also the numerous opportunities (eternal Canadian optimists!) that exist across various verticals in enterprise software.
One such area that First Ascent Ventures has spent considerable time exploring is the Privacy and Security startup space. In the past year, the fund has added significant privacy industry expertise with Katharine Tomko, the Former Head of Privacy Programs at Facebook, joining as a Venture Partner.
This article will discuss some of the work our fund has undertaken in the Privacy and Security space, and specifically, outline four areas within privacy that have been highlighted as “ripe for startup disruption” since the COVID-19 crisis emerged.
Trends and Opportunities
Connecting Remote Workers With The Systems And Services That They Need To Perform Their Jobs.
Problem — While most companies have the infrastructure for remote employee connectivity (VPN, etc.), very few have the capacity to provide for a fully remote workforce for months at a time. The first weeks of lockdown were a scramble for hardware capacity, circuit upgrades, and hasty network configuration changes with a view of ‘it’s an emergency, we’ll clean this up later’, and the associated security headaches. Employee productivity was often hampered by poor network performance, as over-taxed VPN infrastructure was forced to scale beyond its design.
Opportunity — “Support of large-scale remote working” as a highly available, performant service is now a budgetary item for every company that employs knowledge workers. Most forward-thinking companies will iterate beyond the traditional centralized VPN architecture, and move to a ‘zero trust’ architecture, as popularized by Google’s own corporate network with their ‘BeyondCorp’ design. The Zero Trust model assumes that there are hackers both within and outside the network, so no machine is automatically trusted. Zero Trust ultimately shifts access controls from the perimeter (i.e. a VPN gateway) to internally authenticating and verifying individual devices and computers. This allows employees to work securely from any location without the need for a traditional VPN. This will serve as a major technology refresh for most large companies and their ‘traditional’ VPN device vendors will not be able to accommodate this change with their existing holistic solutions. There are no standout ‘incumbent’ players in this massive market, and opportunities exist across all areas of this architecture.
Securing And Tracking Remote Employee Assets.
Problem — There are in essence two problems at work here. First, most large IT infrastructures have been built with the physical office in mind, and remote workers are an afterthought. Existing management systems and security tooling are often subpar for remote devices. Second, the biggest security problem that most companies have is understanding their existing device inventory; solid asset management and inventory are the cornerstones of any good security program — for example, you can’t patch unaccounted-for inventory. The Equifax breach, which happened through a staging server that was ‘forgotten’, is an illustrative example. Remote working further exacerbates this problem as the assets are pushed out beyond the traditional network edge.
Opportunity — A significant amount of security budget has been spent on plugging ‘security devices’ into internal networks over the past twenty years (intrusion detection, etc.). As the design of the network changes towards a model where both ‘on network’ and remote workers are treated equally as first-class citizens, we can expect a whole new category of security control to emerge. The billions of dollars spent on security hardware will move into software. Similarly, as companies move to a ‘zero trust’ networking architecture, they will be fully reliant on their asset management and inventory systems being up to date to ensure that they are only providing data access to devices that they actively manage and maintain.
Business Continuity Planning & Execution.
Problem — While most companies have some form of a business continuity plan, it’s usually a neglected 45-page document at the bottom of a drawer, with little understanding of its practical use. During COVID-19, boards, investors and key customers were all asking for details on business continuity plans, often requiring a copy of the actual document, and specifics on how it has been tested and updated over time.
Opportunity — Business continuity planning is a fairly specialized practice, with ‘control owners’ spread across all parts of the organization. It’s extremely laborious to create, test, update and attain management approval for these plans, and they are almost always missing some key types of ‘disaster’ — how many companies had ‘pandemic’ as a realistic risk to plan for in 2020? Now that companies have executed their plans (often for the first time), and been forced into transparency with their key stakeholders, we can expect to see renewed focus on building and maintaining a comprehensive disaster recovery/business continuity plan. There are opportunities for software to streamline this process, from guiding the organization through best practices in creating the plan, to managing control ownership across the organization, to ensuring regular testing of the plan and providing board visibility.
Physical Security/Safety of Employees.
Problem — While most travel has been eliminated from company budgeted expenses for the second and third quarter of 2020, many foresee a steady return to normal business travel later this year and into early 2021. Companies are responsible for the safety of their employees while they are on business travel or working in remote offices, and employee health (exposure to outbreaks, etc.), and safety (civil unrest, quarantine rules, etc.), will be a top priority. It has been some time since the average employee contemplated their safety while traveling for business. If business travel is really necessary for a job function, expect employees to hold their employer to a higher standard when it comes to safeguarding their health.
Opportunity — The largest and most forward-thinking companies already track and provide support to their employees while on business travel. As both employer and employee fully internalize who really owns the risks of business travel, expect these types of ‘global security operations centers’ to become more commonplace at large organizations, and to trickle down into smaller companies. Opportunities exist for software to support these functions, with integrations into corporate travel systems and automated integrations with government travel advisories.
Conclusion
We would encourage both startups and larger organizations to reflect on these four emerging trends in the privacy and security space and examine their own capabilities to address these concerns. First Ascent Ventures is confident that while these issues arose because of the massive work from home movement caused by COVID-19, enterprises will continue to keep privacy and security top of mind even after the world returns to normalcy (i.e. back to the office).
First Ascent Ventures is dedicated to working with companies and/or investors addressing these gaps in enterprise privacy. We hope to contribute and ensure that the next generation of enterprise security is one that actively prepares companies for the future privacy challenges that lie ahead, rather than reacting after it is too late.
Please reach out to Noah@firstascent.vc to collaborate with us.
First Ascent Ventures — Who We Are And Behind the Name
First Ascent Ventures was founded in 2015 and is a Toronto-based VC fund that invests in emerging Canadian and U.S.-based technology companies that are building the next generation of disruptive, enterprise B2B software. www.firstascent.vc
In mountaineering, a first ascent is the first successful, documented summit of a mountain by an unclimbed route. First ascents are notable because they entail genuine exploration, with greater risks, challenges and recognition than climbing a route pioneered by others. This is not dissimilar to the challenges and risks involved in building a start-up technology company.