Frankly Speaking 7/12/22 - You don't have mail! Email security is changing
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
Thanks for the support in the past few weeks of the reboot of my newsletter. Many people have reached out and given me suggestions on topics, which is awesome. I’m happy to be engaged with everyone again. It has really forced me to think more strategically about various aspects of security.
A shameless plug! I am looking for an engineering manager to work alongside me to help grow dbt’s security engineering organization. If you have someone in mind, definitely send me a note!
LET’S BE FRANK
This week’s newsletter will be available to all subscribers. Email security is a topic that has been getting hot again with a bunch new, highly valued startups like Abnormal Security, Material Security, etc. The industry has gone through a chance with Proofpoint being bought out by private equity. In this post, I’m going to cover the following topics:
How and why email security is changing
What is the future of email security (or lack thereof)
I think everyone agrees that the email security industry is changing, but people don’t really agree on how it’s going to change. For once, I’m not going to state that cloud adoption and migration are the primary motivators, but there is some relationship.
Let’s start by thinking about how email has changed in the last couple of decades. First and foremost, people are sending more emails than they are before, and the current email technologies make it much easier to create new accounts and use those accounts to send emails. I would say that Gmail really pushed this forward in the late 2000s, and changed our relationship with email.
Second, people mostly use centralized email servers, i.e. they are no longer hosting their own email servers but rather using SaaS services. This is a huge shift and honestly, I think it’s more secure and takes a major (and unnecessary) burden off IT. Google and Microsoft have pushed for this, especially with their cloud email service offerings, i.e. GSuite and Office 365. This has been great for those companies and for enterprises in general. Another beneficiary is security. This has led to the rise of secure web gateways, CASBs, and of course, the new generation of email security companies.
Most companies first start moving to SaaS as part of their “digital transformation” or cloud adoption. Usually, email is one of the easiest pieces of software to move first. It’s generally pretty isolated and easy to lift and shift. What else is changing with email?
Although the final verdict is still out on the future of work, I don’t believe that companies will all go back into the office, and I don’t believe all companies will be remote. I do believe we will have some middle ground where there is some remote and some office work. However, COVID has changed the way we communicate in an office. Slack and similar async communication methods have become way more popular, and I think they will continue to be used heavily for internal communication. In my opinion, this is more secure because the user is authenticated into a company-specific Slack. In some way, it creates a pseudo-corporate perimeter. Anyway, much of internal communication will move to Slack, so I think that will reduce email overall. It is also much easier to share files securely, etc.
So, this means overall email usage will decrease and focus primarily on external communications. That is where email security has to focus, but in some way, it is shrinking the market because there are fewer emails overall.
If this trend of reduced emails continues, it definitely opens the door to SaaS security companies, which we are already seeing a rise in adoption. They will be eating into the email security market. I actually think of SaaS security as configuration and data security, i.e. managing SaaS configurations and making sure of data security and integrity.
Similarly, I do think that API-based approaches to email security rather than gateway approaches, i.e. scanning emails after they hit your inbox rather than before, are going to be the future. Whenever I think about security, I trade off user experience and security. Having fast delivery is more important than having the best security.
Now, what does this mean for the email security market? It’s clear that it’s difficult to grow in this segment. Proofpoint is a great example of this. It went public and had slowing growth. It tried to expand into other areas of security, such as helping manage organizational risk. That didn’t work, and they ended up getting taken private by private equity.
I do think email security companies should expand eventually to SaaS security. What made Proofpoint so effective is that they had a ton of data on threats. In some ways, we have seen this type of “threat” data as valuable in other segments, such as endpoint security with Crowdstrike. In many ways, malicious emails look similar to malicious data or messages in Slack and other SaaS tools. The product changes and infrastructure required to go into SaaS security for email security companies don’t feel that different, especially if those companies have an API-based approach.
Another (probably riskier) direction that they can go is toward CASBs and secure web gateways. Unfortunately, there is a huge ramp-up that’s required to operate at scale. However, I can see CASBs and secure web gateways moving into SaaS security and also email security. We are already seeing evidence of this with Cloudflare’s acquisition of Area 1 security. It makes a lot of sense theoretically because all the data and traffic are similar and can be correlated well with each other. It’s just a question of whether organizations want to use the same vendor for these various products. I think so if there is added value, such as better threat detection and lower false positives! Usually, consolidation doesn’t work well because there’s no benefit to being the same platform and/or the products are much worse.
I definitely think we will see email security become part of other products/markets or start creeping into markets. I’m not sure what the end state will be, but email security is a highly profitable business but with little growth. So, they need to invest into capturing other markets!
Ajay Mishra
1 min ago
@Frank Spot on. I do like proofpoint new CEO.
Yes..Slack and Email security via API approach that is EASY to deploy. Plus..for slack, the buying center is no longer security team so solution needs to do more than just security.
…and NOT an overkill solution that sits on the shelf (bought only to pass audit/compliance)
Consolidation will continue