Two weeks ago, I attended our annual dinner at the Black Hat Conference in partnership with Crosslink Capital and the Alpha Group. Each year, about 15–20 security executives from both big and small enterprises attend the dinner, sharing their opinions on an array of topics in a no-holds barred fashion. Since Costanoa has such a heavy concentration of security investments, these dinners offer a rare opportunity to shine a light on the issues concerning today’s security executive. While keeping the attendee names and topic details private, I’d like to share some of their observations.
Security teams still don’t get enough respect, but it’s improving.
Security teams are still struggling to secure their importance to the C-Suite. They’re often viewed as technical people tasked with the reactive job of combatting breaches and securing compliance, rather than as proactive strategic components of a company’s business planning. CISOs discussed what to present at board meetings and how to educate CEOs and Board members on security readiness and best practices. We see these trends as well, which led to our investment in Kenna Security. Kenna’s solution helps companies proactively identify and measure threats, which can be used to educate board members on progress (or failures) in a company’s vulnerabilities and risks.
Security training has moved beyond compliance.
CISOs have always been responsible for compliance training, but there’s increasing pressure to build training programs that educate employees on company-wide security best practices. One example discussed was DevSecOps teams and their efforts to combine security and engineering groups so products are not only functional — but also have security built. Ownership increasingly falls under the CISO, who is tasked with building the curriculum and measurements to re-enforce best practices. (Side note: CISOs universally want to hand training delivery off to another team as it’s not an expertise for them). This trend, as well as prior investments in training platforms, led us to invest in Elevate. Elevate is a unique platform that combines training content with behavioral science and measurement in order to both educate and measure employees security best practices.
Prioritizing risks, possible outcomes and resources is a balancing act.
Probably the most heated discussion involved how best to prioritize known risks and vulnerabilities against the realities of running a business. The good news: companies are more transparent about disclosing breaches and vulnerabilities. The bad news: CISOs need to balance the overwhelming number of vulnerabilities, and their severity, with the limited resources they are given — while still ensuring business runs as usual. Alternative approaches to security is what led us to invest in Bugcrowd, which developed a platform for “hacker crowds” to perform bug bounties on behalf of enterprise companies looking for new ways to uncover vulnerabilities.
The rapid deployment of IoT devices increases the possibilities for breaches.
Everyone agreed that innovation of security tools needs to keep pace with the proverbial “bad guys” looking to do harm. The explosion of IoT devices has made it easier than ever to gain access to sensitive data. At Costanoa we’ve seen this trend as well, which led us to invest in Cyberhaven. Cyberhaven has developed a unique approach to get insight into data leakage and data flows that help companies better deal with privacy issues like GDPR across a huge landscape of devices.
Diversity and lack of qualified candidates continues to be everyone’s concern.
Like the prior year, much of our conversation turned to filling teams with the best people in an Industry that is growing fast. No one was satisfied with the lingering gender gaps in security (shout out to the women in attendance and their perspectives on the topic). Most of the participants agreed that the talent supply imbalance is going to continue as there simply aren’t enough people choosing — or converting to — careers in security to keep pace with demand. A few participants explained that the creativity and “puzzle solving” aspects of security are what attracted them to the job. Surprisingly, most in the room chose careers in security after trying other professions. We see this trend as well, and even invested in a company, Springboard, that retrains people shifting to IT careers. Their most popular courses? Big Data and Security.
I’m always appreciative of Industry executives who take time to attend events like this. Thanks to their insights, I take away a bit of learning at each event. Blackhat was packed once again, the Bugcrowd Developer Party was massive as usual, and I look forward to more events like these in the future.
What are other observations from folks that attended Blackhat?