2015 RedList: Security Startups

The 2015 results of the Red List Security Startup survey are in.  I really enjoy running this survey: being able to identify early-stage security vendors that are doing good work is valuable in my mind.  This year the survey went out to over 40,000 security practitioners globally, by far the largest group to date.  Thank you to everyone who participated.

Click here for the full report

Many of this year's names also appeared in the 2013 report.  Given how much investment has gone into the security space since then, the lack of new names is notable.

The top 20 Security Startups

  1. Phishme
  2. OpenDNS
  3. Okta
  4. BlueBox
  5. Agari
  6. Vormetric
  7. Risk I/O
  8. Cylance
  9. AlienVault
  10. LastPass
  11. Ionic
  12. Ciphercloud
  13. HackerOne
  14. Data Theorem
  15. Skyhigh Networks
  16. ProtectWise
  17. Now Secure (viaForensics)
  18. CloudPassage
  19. CrowdStrike
  20. Norse

Key Performance Indicators (KPI)

One of the conversations I've had with many people is around metrics and KPIs.  I'm a strong believer that we have not gotten to actual KPIs in the industry.  To take it a step further, most of us feel that our metrics are pretty bad (see the S3 results).  Last week I sat down to put the final touches on our new risk methodology document and came up with some ideas that I'm now batting around.  Nothing earth-shattering, but I can finally see the last pieces of the puzzle fall into place.

If you remember, I posted a while ago about the equilibrium theory as well as flow management.  Part of the equilibrium is gathering data from leaders in the company to approximate how much loss they are willing to accept.  Not to be confused with ALE (annualized loss expectancy).  To do this, I put together 20 or so questions focused on the risk categories (Value, Brand and Operations) to put risk into context.  What came out was very interesting.

Not only did I gain an understanding of what the business considers acceptable, which governs the level of controls we implement, but I also got a metric out of it.  I now have the ability to establish, from the business itself, the acceptable level of security performance for the company, e.g. $2M allowed in remediation costs, two public breaches, etc.  If done right, I should end up with 3-5 metrics for all of Security.

More to come on this later.

S3 Survey Results

Well, it only took me a month from sending out the first email to finishing the report.  Lots of lessons learned in doing this survey, and all of them fun.  I have to say it was the best way to get reconnected with my peers and everyone else in the industry in a long time.  Next time I'll do the survey over drinks in SF.

The results were interesting and refreshing.  A survey that focuses not on the threats but on how we manage security internally, and that identifies some key lessons learned, is what I was looking for, and I got it.  I'm really interested in your thoughts on this, as the second survey will be more mature and will include all of the feedback I've gotten so far and will get.

You can find the 2011 S3 results HERE!

The Grace of Risk Management

I've had the pleasure of reading up on what Grace Cricket has been working on over at the University of California regarding her implementation of an Enterprise Risk Management (ERM) model.  It's fairly rare to see an ERM implementation that is this interesting and more in-depth than what we typically encounter.  Now, most of you know my feelings on quantitative vs. qualitative risk and on existing models.  Still, I strongly suggest you take a look and judge for yourself.

Way to go Grace!

Grace's Main Page

UC's ERM Presentations