Frankly Speaking 9/8/20 - Developers don't care about security
A biweekly(-ish) newsletter on random thoughts in tech and research. I am an investor at Dell Technologies Capital and a recovering academic. I am interested in security, AI/ML, and cloud.
Hope everyone had a great Labor Day! This newsletter is coming late because I decided to spend some time offline. Zoom and computer fatigue are real! It reminds me of my PhD days, when I would spend hours in front of my computer either coding or writing. In fact, VC has improved my vision because of the in-person meetings, but those gains are slowly going away like the stock market (too soon?).
LET’S BE FRANK
In the past few months, I’ve written about how the cloud is fundamentally changing security and how security teams are struggling to adapt to this new world. The main phenomenon is around DevOps and speed of deployment. The elasticity of the cloud is allowing for more rapid feature and application deployment, which is a security nightmare. Because of this, security has lost control and is actually seen as an impediment. Ever since I embarked on my journey to better understand cloud security, I’ve talked to many CISOs and security practitioners. They’ve said that I’ve identified a problem, but what is the solution?
In my mind, it’s simple. We need a new way of selling and consuming security products that’s amenable to the paradigms that the cloud enables. (I know this is easy to state but hard to execute.)
First, who are the stakeholders in this new world? DevOps and security. But really, it’s DevOps, because security needs help from DevOps. So why is security hard? Because developers don’t care about security! A developer expects to work on product. I doubt that a developer is going to find cool security tools and evangelize them unless, of course, they are a security engineer. They are more likely to find tools that make them more efficient and deliver product faster, which seems reasonable.
So, how does a company do security when the main stakeholder doesn’t care? First, we need a tool that can meet the requirements of security and that DevOps also likes to use. Each party still does their job, but the end user is not just security.
What does this mean practically? Security cannot buy traditional enterprise security tools with long sales and deployment cycles. No developer wants to engage in a 9-12 deployment cycle with a sales engineer, solution architect, and an account executive. (I mean, who really does?) If we look at popular DevOps companies/tools like HashiCorp, LaunchDarkly, Datadog, etc., they all have easy-to-deploy, “slick” tools. Most traditional security tools are not like that. Most of them are clunky and sometimes require lots of professional services to become operational. If an organization can get Palo Alto Networks and CyberArk to work within a day, that company should win the Turing Award.
How does this change the way security products are sold? Gone are the days of long sales cycles and steak dinners. I no longer believe in selling to the CISO, but rather there will be CISO-facilitated sales.
What is a CISO-facilitated sale? The CISO has the budget and the responsibility for a cloud security issue. However, they aren’t the sole decision maker. Their job and the job of security is to ensure the tool meets security/compliance requirements. Then, they ask DevOps if they are willing to deploy, use, and maintain it.
The advantage is that, unlike typical DevOps tools, security has a clear budget. The ease of deployment will improve time to value and reduce sales cycles. However, the disadvantage is that more stakeholders lead to more difficult sales, i.e., you have to make both security and DevOps happy. The contract sizes will be smaller because ease of deployment typically correlates with fewer features and a higher possibility of churn.
Right now, companies like Snyk, Capsule8, and Signal Sciences validate my thinking. DevOps companies getting into security, such as HashiCorp and Datadog, also further my thesis. I believe this is just the beginning of the shift in security, and COVID has accelerated it by forcing a digital transformation, especially in e-commerce and remote work tools.
Some open questions:
What cloud security problems require DevOps assistance?
How will DevOps change security priorities? What security priorities will go away and what will be elevated?
How will enterprise security companies change their GTM motions? Will we see DevOps and security company mergers? Or will DevOps companies eat security’s lunch by introducing security features?
Perhaps I am exaggerating this issue, but what’s clear to me is that companies are moving to the cloud faster than ever, and with security falling behind, there will be serious gaps. And we can’t close these gaps in the same way that we closed security gaps in the datacenter.