Frankly Speaking 8/4/20 - Why data security is hard and what it means for the cloud
A biweekly(-ish) newsletter on random thoughts in tech and research. I am an investor at Dell Technologies Capital and a recovering academic. I am interested in security, AI/ML, and cloud.
As some of you know, I’ve been working on an emerging cybersecurity index as an analog to the Bessemer cloud index. It’s almost done! Hopefully, I can share more soon. The motivation was that cybersecurity companies seem to be performing well during COVID, but I wanted to quantify how well and compare it against other benchmarks.
My partner, Tyler Jewell, released a Pitchbook brief on developer-led enterprise software. He discusses what’s driving the increased DevOps activity and promising investment activities. You can find it here.
Also, I’ve been trying to get a Clubhouse invite forever. If anyone can hook me up, that would be great!
LET’S BE FRANK
Since I didn’t have to build IKEA furniture, I had more time to write about a complicated topic — data security. Many security VCs and industry experts have strong opinions on this topic. It’s probably the most debated topic without a clear resolution. It could be that we’ve become too close to it.
But from a VC perspective, data doesn’t lie. There have only been bad data security exits in the last decade, but it’s still a problem that has yet to be solved. If anyone can name one good exit, that would be awesome! Check out this Twitter thread by Anton Chuvakin to see what the internet has come up with.
He and I had a long discussion on this topic because I’ve been seeing more data security startups emerge in recent history, such as OpenRaven and Cyral, just to name a few. If there are others, please send them my way. I would love to learn about them and meet them.
In my opinion, data security startups have historically failed because the go-to-market is extraordinarily hard and complex. The practical implication is that startups run out of money before they can figure out GTM. Honestly, CISOs out there, please email me if you had a successful DLP project. To incentivize, if you used a good product for your DLP project, I’ll open a tab for you at the next Black Hat.
However, this makes sense as I talk to various CISOs. The underlying issue is there’s usually not a clear and singular owner of data security in a typical organization. The owners are usually some permutation of legal, risk, security, privacy, and data. As we know, the more business units that want/give input, the more complex and longer the sales process, especially since many of these business units aren’t technical. In fact, some organizations are set up assuming paper records as data and haven’t adapted to the digital world! The one company I’ve seen get past this complexity is BigID. They managed to capture a greenfield opportunity and ride the GTM wave for GDPR, i.e. the urgency around regulation helped them bypass the traditional GTM complexity.
With all that said, I’ve written many articles on how the cloud has changed the way we do security, like SecOps and incident response. So, the potentially billion-dollar question: why is data security a more popular topic again? Does the cloud change the way we have to do data security? If so, how? Of course, with all things confusing in life, I asked Twitter. Here’s the thread:
There are arguments around an increased focus on data because of AI/ML, more sophisticated data infrastructure, elimination of security perimeter, etc. I think all are reasonable arguments, but honestly, I don’t find any of them especially compelling.
Unlike my other newsletter posts, I don’t have an opinion on, or an understanding of, how cloud fundamentally changes data security. I’ve thought about it for a long time and talked to industry experts, but I don’t see it. To be clear, I agree there are differences, but I’m not convinced these are fundamental differences that change the way we deal with data security. It could be my bias against data security or that I’ve seen too many things go wrong.
Data security would be no fun if there weren’t more nuances! I’ve been discussing this in the context of general data security solutions. However, I do believe there are opportunities for specific data security use cases in the cloud world. These companies might be more successful because they have positioned themselves as helping navigate cloud security rather than bucketing themselves into data security.
One example is SaaS security companies, such as AppOmni, Altitude Networks, and Obsidian Security. Under the hood, these companies are managing data permission configurations to prevent data leakage. This makes sense because, really, what is a company’s greatest security concern regarding SaaS? The application data. The area is still new, so let’s see if this new marketing strategy works.
I’m not done yet with the qualifications! There’s also identity governance and administration (IGA), which has strong ties to data governance. I do think we need a cloud-based solution for IGA that competes against SailPoint, which is primarily on-premises. That’s a topic for another day/newsletter.
Really the open question here is: what will cause a data security revolution? Will it be more regulation? Will it be more DevOps involvement? Or is the best strategy to forget about data security and align yourself with a cloud security trend where the underlying problem is data security-related?
I’m always open to thoughts/opinions on this topic and also to being proven wrong about my opinions on data security, so reach out and chat with me!
TWEET OF THE WEEK
I get why Microsoft wants to buy TikTok now!