Security Innovation: Red List 2015

It's that time of the year again when I look to find the most innovative security solutions from early stage companies.  I've updated it with new companies that have come out recently as well.  This year the survey is going out to over 40k global security practitioners, making it the largest one I've done to date.  I can't wait to see the results.  I hope you take time and participate yourself.

https://www.surveymonkey.com/r/RedList

Thanks!

Thoughts on Advisory Roles

From my days as a consultant to today, some of the most rewarding experiences I've had have been advising security organizations and companies.  In the past couple of years, security company advisory roles have been a fairly significant focus for me, as I've found personal value in having a hand in developing and driving solutions that I feel could make a sizeable difference.  While these roles can vary, I have identified some consistencies and benefits in them.  For those considering or creating a role, I thought I would share my thoughts.

An advisory role is designed to be specific to a need that the company has.  In general, the roles have focused on a few key areas, most notably Product Management, Go To Market (GTM) and Fund Raising.  In early stage companies the mix varies mostly depending on the stage of the company.  In order to explain, I'll use the basic company funding stages as a framework.

There are absolutely advisors in various other capacities at later stages and even for the lifetime of the company.  However, those are strategic and highly specific.  Some examples could be to help drive into other market locations (China, Japan, etc.), deal with regulatory issues such as the EU's Data Protection, drive executive awareness such as among Fortune 500 CEOs, and more.

Company Stage and Role Types

Angel / Seed

Corporate Objectives - In this phase a company is looking to create a basic "proof of concept" or Alpha version of their product and get one or two key beta customers.

Fund Raising (0-10% of time) - Very little fund raising is done by the advisor in this stage.  In some cases the advisor might be or become one of the Seed investors, as I have with SourceClear.  Yet in most cases this is a financial and networking skill gap that most operational advisors don't have.

Product Management (30-80% of time) - This is the majority of the value at this stage, as the company is forced to be agile in creating its product and must constantly prioritize.  Focusing only on the key features and discarding "nice-to-haves" is a must to manage burn rate and inject the highest value they can.  As a result, the conversations with the advisor as a leading customer are key.  As the representative of the "buy side", the advisor helps prioritize the overall solution and validate the problem.

GTM (10-20% of time) - Since the product is at a very early stage, the concept of a GTM is fairly nascent.  Some light market positioning conversations can be had; however, the overall value is just company awareness of competitors, product capabilities, vertical problems and industry product movement.  Some assistance for the beta program will come in the form of identifying the right verticals and selecting a handful of key potential beta customers.  This can also drive the need to provide a "warm" connection, which means leveraging the advisor's network for an introduction to those known key potential beta customer leaders.

A Round

Corporate Objectives - In this phase a company is looking to drive a larger beta of the product, identify a few key customers, fundraise, 

Raise Funding (10-20% of time) - This will be a larger component than before but not dramatic.  An advisor could participate in the process by talking to key venture capital (VC) partners on the product and validating the problem / solution.

Product Management (20-40% of time) - As beta customers participate and feature development validation occurs, more roadmapping with the engineering team needs to happen.  Assisting in defining the problem and designing the solution happens in full swing.

GTM (30-50% of time) - A significant increase in GTM work happens at this stage.  This includes assisting in creating the marketing story, identifying the proper verticals to prioritize selling to, conference value, development of core contacts, etc.

B Round and Beyond

Corporate Objectives - In these phases the company has GA'd its product and is staffing sales, marketing, product management and more.  This is where the real GTM is applied and acceleration of sales is done in conjunction with the product roadmap.  Since the company is now hiring the right people for the various product and marketing positions, the need for an advisor degrades.  As sales builds out a sales strategy and contact lists, the need for an advisor to perform that function diminishes.  The same can be said for marketing and product management.

Advisor Cadence and Learned Rules

Time Consumption - One of the most important things an advisor and company need to discuss is the amount of time the advisor will spend.  As a general rule an advisor should consider spending a few hours a month helping the company (4-8).  In reality it varies.  In the earlier part of the relationship the company and advisor will have a bunch of meetings over the first few months to have open discussions on product placement and solution.  Unfortunately, from there it drops off dramatically due to other priorities.  I recommend a cadence of at least one one-hour meeting a month.  This would include product updates, customer challenges, engineering development questions, etc.  In addition to this, it's very common to get ad hoc emails with questions and requests for help.  I commonly get requests to review ppt decks, architecture designs, etc.  This will account for at least a couple of hours a month.

Advisor Compensation - Compensation for the time being spent can vary depending on the size of the company and the stage at which the advisory role begins.  Yet it is typically done with cash or stock options.  In order to align priorities and to manage budget, it makes sense to use only stock options as compensation.

Advisory Length - The length of advisory roles is generally between 2 and 4 years.  In my experience the value of the advisory role changes over time as the needs of the company change.  A general timeframe for a company to go from Seed through A round is about two years.  With that, I suggest having a 2 year role and, if at the end of that tenure there is still value in the advisor, an additional contract can be signed.

What Makes a Great Advisor?

There are some characteristics of a good advisor that I've uncovered and been told by CEOs over the years.  The advisor must span many different components of a business in order to put them in context.

Personality - Even more important than the three components below is an advisor's personality.  They have to believe in the product, be objective, open minded, curious and more.  Making sure the advisor is a good personality and culture fit with the CEO and others is important, as the CEO's ability to ask hard and open-ended questions is critical.

Operational Excellence - The first thing an advisor needs to be is a great operator in their segment.  This could be a CISO, CEO, CIO, etc., and it's that domain which is the true core of what a company is looking for advice on.

Business Awareness - The ability to understand the basic components of building a company and how to apply them to that particular stage is critical.  Understanding product management and the various components of the sales funnel helps give important context to the operational advice around the product or service.

Industry Network - Getting those first few beta customers and GA customers is so important.  Having an advisor with an extensive operator network is important to be able to accelerate that process.  However, the network need doesn't end there.  It also includes other companies to partner with, VCs to solicit funding from, reporters to drive awareness and more.

What is "Trust"?

We've had many evolutions in the security industry and we will continue to for the foreseeable future.  One such change that's occurring is how we see ourselves in the context of the overall business.  Some organizations are implementing that change not just in the title but in the very identity of the security organization itself.  The term "Trust" is starting to be used by those more forward thinking organizations as that concept and expectation grows.  As one of those individuals and organizations, I wanted to talk a bit on what it means and why.  Simply put, "Trust" is a goal and destination for how to engage and meet our customers' expectations.  There are two main aspects to any model one would want to use.  The first is the theoretical definition and the second is the applied nature of that theory.  These are two very different aspects that need to be considered and developed.

Defining Trust

Defining "Trust" is a building process.  To start we can look at a simple basic model relative to the customers' expectations: "Trust is the demonstrable ability to execute on what we say we do consistently over time."  This is a good model of what Trust is, but the application of Trust goes much deeper.  Next we need to look at the parties in question.  With that we need to apply human nature to it, which brings in the concept of the unspoken contract.  In any relationship there are two "contracts", the explicitly spoken one and the unspoken psychological one.  The psychological contract is one where unspoken expectations exist and are relative to that party.  In defining Trust we should strive to define these unspoken expectations to ensure the overall concept of Trust is aligned with our customers.  This changes the description of "Trust" to be "Trust is the ability to demonstrably achieve our customer's expectations on what we say consistently over time".  This change forces the conversation on what the unspoken expectations are and makes them known to both parties.  While this definition of "Trust" is very customer specific, the same concept can and should be applied to all other parties such as employees, vendors, suppliers, etc.

To do this we need to establish some Trust expectation “beliefs":

  • Transparent - Providers are an extension of the customer's enterprise and should be open and transparent accordingly
  • Integrated - Providers are a "spoke in the wheel" of our customer's security tool ecosystem and as a result they are expected to integrate accordingly
  • Proactive & Aligned - Providers are an extension of the customer's security team's mission, which is the defense against threats.  As a result the Provider must strive to advance the security strategy as opposed to placing the onus on the customer to demand it

Applied Trust

To drive an applied Trust capability, the main actors in that model need to be detailed.  This brings up Customer, Partner Ecosystem and the Organization itself.  These main actors drive the overall aspect of our actions in applying the above concepts.

Customer

Probably the most important of the actors is the customer itself.  Since we are talking about Trust, it's the security, privacy and compliance functions of the customer we are targeting.  The spoken and unspoken contract covers some main expectations.  We can detail some of the core expectations that help guide our applied model.

  1. Embed security into the core of the product and service
  2. Drive security solutions as opposed to creating new ones
  3. Support and enable an easy integration into the overall security ecosystem
  4. The product or service is functioning and available when expected

This drives certain expectations of the Organization itself.  We can break them into three main areas.

Security Solutions

First, we need to place the concepts of security, compliance and privacy into the forward looking solutioning of the service itself.  This simple expectation dramatically changes the Organization's view on feature and functionality prioritization.  Instead of reacting to customers' demands, it becomes a strategic and proactive drive to solve the security problems of the customers themselves.  As a result, it drives solutions that customers couldn't even expect or demand.

Customer Engagement

In addition, it drives a tighter involvement of the security customers themselves to better understand their existing problems, industry viewpoints, security vendor ecosystem usage and more.  This can be facilitated through Trust advisory boards, customer surveys and more.  The main objective is to have a deeper and more meaningful conversation with the security organizations in order to build better solutions for them.

Customer Transparency

To meet our customers' needs we need to prove to them that we are actually meeting them.  This encapsulates the concept of Transparency, where we demonstrate the execution.  The manifestation of this is not limited to just producing certifications and audit compliance but goes to a much deeper level.  The ability of the Organization's customers to understand deep security issues, incidents and more becomes the discussion.  The Organization should be as transparent as if it were part of the customer's organization.  Providing real-time availability stats, customer penetration testing, providing audit reports and more are all examples of this deeper transparency.

Partner Ecosystem

To enable a security program today it's more than just a single application providing security.  From the customer's perspective it's the protection of all of their content and transactions regardless of where they are.  To this point, the Organization is a spoke in the customer's security wheel.  With that, the Organization needs to integrate with the security solutions of that customer rather than the reverse.  In the legacy world the integration of solutions was firmly placed on the customer.  In the new model that integration responsibility is taken off of the customer and placed on the service provider, or Organization.  This drives the Organization to have two things.  The first is a platform centric approach to allow for the integration of other solutions.  The second is a proactive partnership program that monitors and engages the security vendor ecosystem to quickly drive integrations prior to customer demand.

This security partner ecosystem also has another layer to it.  Where the on-premises controls are clearly known, implemented and integrated by the customer, only the basic controls are known in the new security model.  This places a new requirement on the Organization: it should not only drive a partnership program but also educate potential and existing customers as to what the control solutions are.  This drives the Organization into a stronger leadership role, to define its control ownership and expertise but also to drive the entire security industry's ecosystem solutions to the customer.

Organization

Finally, the Provider itself is brought into the discussion.  In addition to enabling and supporting the Customer and Partner Ecosystem as stated above, it's about embodying the core security capabilities of that product or service into the solution itself.  We take, as a base case, the implementation of a security model that drives to ensure customer and corporate data is protected from threats based on a risk appetite.  The real question is "what is done in addition to this?".  To realize the three beliefs stated above we need to migrate the historically back-office functions of security, privacy and compliance and drive them into the front-office.  Simply put, we need to make Trust a competitive differentiator for the business itself.  This is critically important to ensure the prioritization and culture change is realized at the core of the Organization itself.

  • Product / Service Differentiation - If the Provider is an extension of the Customer, then the Trust model needs to drive the solution as such.  This starts from the Organization's product / service strategy, which strives to solve the customer's security problems, and moves out to customer engagement, etc.
  • Customer Engagement - The ability to have a conversation with customers is much larger than what occurs in a sales cycle.  To drive Trust within a company and to the customer, additional mechanisms need to take place: the establishment of an advisory board, security feature surveys, customer service issue reviews, etc.  All of these mechanisms are driven to understand the customer's security organization's challenges and desires.  With that comes the application of what is learned to the Organization's product / service.

While we have undergone many maturation and evolution phases in the security industry over the past forty years, we will continue to have them as we move forward.  The current maturation of Trust allows the deep prioritization and proactive efforts of Organizations to make back-office functions drivers of the business.  To do this we need to take a wide view of the customer, industry and ourselves to realize the benefit.

2015 Security Predictions

Just recently I sat down with Marc Goodman, whom I've known for many years, and chatted about his new book "Future Crimes".  (I strongly recommend you take time and read it.  You can find it here http://www.amazon.com/Future-Crimes-Everything-Connected-Vulnerable/dp/0385539002 on Amazon.)  It got me thinking about the past five years or so of security prediction articles that have come out.  The vast majority amount to little more than a listing of more attacks, more data loss and more vulnerabilities.  Not only does this add little value, but it squanders a significant opportunity for reflection and insight that all of us should take.  To that end I've tried to detail my predictions for 2015 based on my thoughts on what drives the industry.

In order to predict what will happen we first need to establish the influencers on it and where those influencers are going.  Without this we are proceeding blindly and without a framework of why.  The security industry is influenced by a few major categories: global economics, technology changes, public awareness, vendor economics and threat economics.

Influencers of Information Security

Technology Changes

Every major evolution in security has followed a major evolution in IT.  From the mainframe shift to client-server to client-cloud, the security industry has evolved in its wake.  These new technologies drive a need to evolve security, with technical, process and people means, in their use, management and awareness.  We can predict changes in security by seeing the early changes in technology.

Public Media

Over the past 20 years mainstream media never spent much time on Security.  It wasn't until recently, with the story of Snowden, that a significant focus was placed on the massive compromises that have occurred.  Media coverage has the capability to drive consumer and enterprise focus on an issue that is otherwise generally ignored.  The more focus the media has on the issues, the more attention customers pay to vendors.  The more questions a vendor receives, the more it drives advancement in the solutions it provides.

Global Economics

"Follow the money" is what my history professor used to say.  The global economy has a huge hand in shifting attention and action on various issues.  This was most notable in the 2008 recession, where businesses around the globe drove significant cost cutting measures for self-preservation.  We also see this played out on a State level, where the investment in IT infrastructure drives significant growth.  That same investment that enables growth can also become a pathway for malicious use.  This is because malicious individuals need connectivity, education and resources, the very things needed for the technical growth of a State.

Vendor Economics

The ability for companies and consumers to defend themselves includes the ability for solutions to be available.  The majority of these solutions come from companies researching and developing them.  While a very small number of solutions are from altruistic individuals, the majority are from "for profit" entities.  The delta between security risk and marketability is the area that security vendors exploit to drive solutions and subsequent profits.  This vendor industry has been around for a very long time but only recently, since the 1990s, exploded with a plethora of growth startups and companies.  This highly competitive and constantly shifting vendor landscape not only drives profits but is critically depended upon by global entities to defend themselves.

Threat Economics

The motivation to commit crimes has always had a strong financial undercurrent.  Since economic globalization and the fall of the USSR, global criminal syndicates and crime have risen and taken hold.  What followed in 2005 and beyond was the migration of individual criminals to cyber criminal syndicates due to the realization of revenue from cybercrime.  While we are in the very early stages of a great crime migration, the impact has been deeply felt.  The influence in the practitioner, vendor and consumer segments has driven significant media, public policy and spend.  Where the threats migrate to, significant effort and money will follow to try and mitigate them.

2015 Predictions

Threat Landscape

  • The tech curve will create new areas of exploitation.  While security evolutions typically follow IT evolutions, there is also typically a gap in between.  What results is the ability for that gap to be exploited for political or financial gain.  In the near term is the mass migration of corporate back-office functions to the "cloud".  We will see a continuation of that gap as cloud providers and companies still work to implement security mechanisms.  At the very early stage of that gap is the Internet of Things (IoT) and other component level Internet connected devices.  The new growth area of TVs, refrigerators, etc. being used to distribute SPAM, malware and (D)DoS attacks will see growth.

  • The threat landscape will begin to evolve.  The ability to make large amounts of money by leveraging cybercrime is just in the beginning stages.  It's a high growth market that hasn't begun to realize what the total addressable market is.  We will see an increase in crime, as expected; however, new markets and applicability to legacy physical markets will increase faster.  Specifically, extortion based cyber-monitoring, illegal sex trade, currency counterfeiting and narcotics.

  • An increase in criminal protection due to consumer service confidentiality.  As major consumer Internet services begin to resist subpoena requests and implement solutions where they have no ability to see consumer data, the opportunity for criminals to proceed undetected increases.  Historically, criminal activity, such as child pornography, has been a huge problem on the Internet as consumer services, such as email and file-sharing, enable anonymous access.  When those consumer services increase their ability to not see content and/or respond to subpoena requests without stronger identity verification, criminal actions will have a stronger ability to not be taken down.  This will drive an increase in the global activity and financial growth of child pornography and other crimes.

Media and Public Policy

  • Media coverage of security stories will decrease - The sensationalism of Snowden had worn off towards the end of 2014.  The subsequent breaches in the fall and winter of 2014 also resulted in little media attention compared to their predecessors of the summer.  This shifting of the story will continue unless there is a major governmental leak.  This is unlikely, as they are fairly rare, and as a result media attention will nearly die on the story.  Expect the security conversation to be, not just pushed to a second story, but all the way to the back page.

  • We will not see any significant Privacy, U.S. Intelligence reform or Information Sharing Acts.  With the last two years of the Obama administration and Republicans holding the Senate, there is little chance of any reform or legislation getting through.  It's even more complicated by the fact that privacy and national security are at odds in anything substantive being agreed on.  As a result, initiatives such as CISPA will be discussed but not materially accomplished.  In addition, NSA reform will be more of a political football, as no one really wants to limit the mission of intelligence gathering rather than make it a 2016 presidential debate issue.

  • International Privacy policies will increase in their restrictiveness.  While the U.S. will continue with light privacy legislation, restrictions in Singapore, the EU, Canada, Brazil and other countries will increase.  There has always been strong privacy advocacy in many countries, but it will increase due to the media attention over the past year on intelligence gathering.  This could complicate technology adoption in those countries and potentially create a Balkanization of cloud services.  If those countries begin to require cloud services in region, it more than likely will create an economic competitive hurdle, as companies in those countries will be forced to use services that are not competitive.  As a result, foreign companies will be able to use more agile and enabling services for their market.

  • Intelligence agencies will change intelligence gathering tactics.  As major capabilities of intelligence agencies' information gathering begin to be shut down, they will be forced to other methods.  This is most notable with the tapping of datacenter communication, which is now beginning to be encrypted.  This will drive an increase in existing methods and the creation of new ones.  As server oriented and server-to-server opportunities become limited, the drive to client monitoring will increase.  The migration of information gathering will occur in a few ways.

    ◦ First, the adoption of malware to infect workstations and monitor user activity.  This is and will continue to be used; however, it is limited by the inability to control it once it's in the wild.

    ◦ Second, the direct attack and compromise of foreign corporations' consumer Internet services.  By compromising the consumer services' servers directly, large amounts of data can be gathered.  This is more than likely to be detected and will be used by countries lower on the intelligence / technical capability spectrum.

    ◦ Third, the increase in cryptographic "cracking" capabilities.  Compute power dedicated to this will increase as intelligence agencies are forced to crack the raw encryption keys being used.  This is more realistic as it can be done offline and without the majority of entities knowing.  It is even more beneficial to them because most applied encryption is done with poor encryption key rotation or management, so once the encryption key is found there's little chance of it being changed to thwart the data gathering effort.

    ◦ Fourth, direct attack on corporate and Internet key management providers.  One of the most difficult things to manage in a corporation is the encryption key service.  By compromising the servers that store the keys directly, the intelligence gathering can be done passively with extreme success.  This means the compromise of consumer corporate networks for the direct intent of key compromise.

Organizational Security

  • Minor improvements in Consumer Security will take hold - The compromises of consumer corporations will drive moderate improvements for consumers.  In addition, the short-lived focused attention will drive a small number of them to focus on credit reports, password controls and anti-malware solutions.

  • Investments in Security will slow.  The increase in the media's focus on security caused board members and CEOs to focus on it.  That, in turn, directed financial incentives to the respective security teams.  As the media attention starts to wane it will also drive a regression of focus in the board members' and CEOs' minds.  This, in turn, will start the normalization of funds to the security teams, placing downward pressure on staff and solutions.  This won't regress below what we've seen in 2012 and before.

  • Increasing corporate applied confidentiality.  The realization about international communications between datacenters, in applications and services has driven consumer cloud providers to implement deeper layers of confidentiality.  Encryption over private telecom lines, keyless endpoint encryption and more have started to be implemented to ensure the consumer providers are removed from having access.  This

Security Vendors

  • A significant security vendor disruption will take hold.  The vendor community will go through significant disruption, as new vendors focusing on the new model usurp legacy vendors.  This is significant as two major facts hold true.  The first is that new startups focusing on driving legacy controls to the cloud are gaining traction.  The second is that these new startups are more resistant to acquisition due to the strong growth in the security space.  The result is that larger vendors, who have a very hard time incubating solutions, will fall behind as their market share migrates to these new vendors that are driving new solutions.