Frankly Speaking, 1/14/20 - Security in a DevOps World
A biweekly(-ish) newsletter on random thoughts in tech and research. I am an investor at Dell Technologies Capital and a recovering academic. I am interested in security, blockchain, and cloud.
If you were forwarded this newsletter, you can subscribe here, and view old newsletters here.
Happy New Year everyone! Also, welcome to the new subscribers. You can follow this link to find old newsletters.
Last year was a crazy one, but we ended it strong with Mastercard's acquisition of our portfolio company, RiskRecon*, which is our 5th security exit for 2019 and 8th exit overall.
I don't really believe in New Year's resolutions, but my plan is to spend more time keeping up with academic research in AI/ML. As a result, you will see more content related to that. Of course, I will continue to write about security and devops.
Finally, I frequently get asked what I read regularly. I don't like subscribing to newsletters, and I rarely follow blogs, except StrictlyVC, Pro Rata, and Term Sheet, just to keep up with recent fundings. However, the one newsletter I follow and enjoy is Alex Taussig's Firehose VC. I like the original content and the rigorous analytical approach he takes to his opinions.
LET'S BE FRANK
An area I've been thinking a lot about is what the next $1B+ security company will look like. In the past, IT shifts, such as SaaS, the move to the public cloud, and the elimination of the perimeter, have created big security companies like Zscaler, Okta, Netskope*, etc. So, what is the shift now? I think it's the rise of the developer and DevOps.
In the past, in the waterfall world, infrastructure was relatively static, and as a result, the security team knew the scope of threats and could buy products accordingly. However, with the move to the agile programming model and the shift of operations to developers, infrastructure is constantly changing. We have seen this in the popularity of software-defined products, such as software-defined networks, the increased focus on efficient CI/CD pipelines, etc. Of course, this is beneficial to a company, as it can create and deploy changes to its applications efficiently and doesn't have to buy and maintain new hardware boxes. But, as with all things in technology, solutions create new sets of problems.
Now, security teams, which are already overloaded with the growing number of threats, also have to keep track of infrastructure changes. This is not sustainable by any means. I believe that developers will have to do more security work. No developer has ever said, "I want to write insecure code." However, they don't want security to interfere with their workflow. This calls for a new set of security tools that are developer-friendly or developer-first. What will a big company look like in this space? I'm not exactly sure.
I think the first wave of products will be focused on detection and prevention, similar to the early days of endpoint protection when the corporate perimeter started to disappear. Prevention lets developers shrink the threat surface that security teams have to focus on, and putting "sensors" into the developer workflow alerts security teams to issues early, while the change is still in a pull request rather than in production. I also think the first set of products will be focused on code monitoring, because code really is the new infrastructure. These products will be deeply tied into developer workflows like CI/CD, ticketing, etc.
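To make the "sensor in the developer workflow" idea concrete, here is a toy CI gate, written as an added example for this newsletter (it is not code from any product or company mentioned above). It assumes the pipeline hands it the new contents of the changed files as a path-to-text mapping, scans them for leaked credential material and for exact dependency pins on a known-bad list, and returns findings the pipeline can use both to fail the build (prevention) and to post an alert to the security team's ticketing or chat (detection). The VULNERABLE_PINS table and the sample change set are constructed placeholder data, not real advisory data; the one key ID in the sample is AWS's documented example key.

```python
"""Toy CI "sensor" for the developer workflow: scan changed files for leaked
credentials and known-bad dependency pins, then hand the result back to the
pipeline so it can fail the build and notify the security team.

Added example for the newsletter, not code from any product it mentions.
VULNERABLE_PINS is constructed placeholder data, not real advisory data.
"""
import re
from dataclasses import dataclass

# (rule name, severity, pattern). "block" fails the pipeline; "warn" only
# notifies, because the generic assignment rule is a heuristic and noisy.
SECRET_RULES = [
    ("aws_access_key_id", "block", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", "block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("generic_credential_assignment", "warn", re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"][^'\"]{12,}['\"]")),
]

# Constructed placeholder, NOT real advisory data: package -> vulnerable pins.
VULNERABLE_PINS = {"examplelib": {"1.0.0", "1.0.1"}}

# Matches an exact pin such as "requests==2.31.0", with an optional trailing comment.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([A-Za-z0-9_.+-]+)\s*(?:#.*)?$")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    severity: str


def scan_text(path, text):
    """Return all findings for one file's new contents."""
    findings = []
    is_requirements = path.endswith("requirements.txt")
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, severity, pattern in SECRET_RULES:
            if pattern.search(line):
                findings.append(Finding(path, line_no, rule, severity))
        if is_requirements:
            m = PIN_RE.match(line)
            if m and m.group(2) in VULNERABLE_PINS.get(m.group(1).lower(), ()):
                findings.append(Finding(path, line_no, "vulnerable_pin", "block"))
    return findings


def scan_changes(changed_files):
    """changed_files maps path -> new contents, as a CI step would derive from a diff."""
    return [f for path, text in changed_files.items() for f in scan_text(path, text)]


def should_block(findings):
    """The pipeline gate: any blocking finding fails the build."""
    return any(f.severity == "block" for f in findings)


def format_alert(findings):
    """The message the pipeline would post to the security team's ticket or chat."""
    return "\n".join(
        f"[{f.severity.upper()}] {f.path}:{f.line_no} {f.rule}" for f in findings)


# Constructed sample change set; the key ID is AWS's documented example key.
SAMPLE_CHANGES = {
    "app/config.py": (
        'DB_HOST = "db.internal"\n'
        'api_key = "sk_live_0123456789abcdef"\n'
        'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'
    ),
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXk...\n",
    "requirements.txt": "requests==2.31.0\nexamplelib==1.0.0\n",
}

if __name__ == "__main__":
    results = scan_changes(SAMPLE_CHANGES)
    print(format_alert(results))
    # Non-zero exit is what makes the CI step, and therefore the merge, fail.
    raise SystemExit(1 if should_block(results) else 0)
```

Run stand-alone, the sample produces four findings (three blocking, one warning) and exits non-zero, which is the "prevention" half; the formatted alert is the "detection" half that lands with the security team. The two-tier severity is the design point worth copying: a noisy heuristic that blocks merges is exactly the kind of interference developers will route around, so only high-confidence rules should gate, while the rest only notify.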
Anyway, I'm starting to see the beginnings of this trend, and learning more every day. If you want to chat more about this, please reach out.