Frankly Speaking - Cybersecurity maturity: 3 types of companies and what this means for the industry
Guest post by Ross Haleliuk, Head of Product at LimaCharlie
Hope everyone had a great RSA week. As for myself, I spent a good amount of time this week recovering, but I learned a lot. It's always good to meet up with old friends and make some new ones.
Anyway, this week we have a special treat! Ross Haleliuk offered to write a guest post about various types of cybersecurity companies. He also has his own Substack called Venture in Security which has a ton of great content, so I encourage you to check it out!
For anyone interested in understanding the state of cyber defense, it is hard not to notice that the industry is not on the same page when it comes to cyber maturity. Some organizations are talking about advanced persistent threats (APTs), building custom security tools and tailored coverage in-house, while others are outright denying that security is something they need to worry about. After observing the trends in the security space, I realized that there are three distinct cohorts of organizations, with few to no overlaps between them.
Loud minority: mature security organizations
When attending Black Hat, DEF CON, or ShmooCon, one inevitably becomes immersed in the world of hands-on-keyboard security. People at these events know that security is a process, not a feature, and possess impressive technical depth. Attendees discuss learnings from their areas of specialization (e.g., detection engineering, penetration testing), concepts (e.g., defense in depth), and techniques (e.g., exploiting vulnerabilities, or integrating open source tools to build a home lab).
People in these circles tend to work in organizations with a mature understanding of security: Silicon Valley startups, cloud-native enterprises, some security vendors, select boutique consultancies and managed detection and response (MDR) providers, and large financial institutions, to name a few. Companies that fall into this category include Amazon, Netflix, Uber, Chainalysis, Google, Recon Infosec, Microsoft, CrowdStrike, Soteria, Dropbox, Snowflake, and the like. They understand the importance of bringing an engineering mindset to security: adopting DevSecOps practices and integrating security into CI/CD pipelines, crafting custom detection coverage, doing proactive threat hunting, and even building their own security tooling when needed. Security practitioners from these companies often go on to launch their own startups, and have little trouble raising capital when they do; security leaders working there tend to have a strong background in engineering, incident response, or a mix of both.
While this category unites the most advanced enterprises, it is also the smallest of the three. The vast majority of organizations do not share this mindset, and most definitely do not have access to the same caliber of technical talent as these well-funded, highly visible businesses.
Companies that "do not need to worry" about security
On the other side of the spectrum are the companies that do not think they should worry about security at all, typically because "they are a small fish, so there is no reason anybody would be looking to hack them". Granted, with the rising number of cyber breaches, stricter insurance requirements, tightening government regulations, and the demands from vendors and suppliers, the number of companies that fall under this category is rapidly shrinking.
Organizations that think security is not something they should care about are typically mom-and-pop shops and other small businesses. Naturally, they do not hire CISOs or security teams; in the best case, there is a contract with an external service provider in charge of IT, and in the worst case nobody takes care of technology (or security) at all.
Quiet majority: compliance- and product-focused security teams
When it comes to security, most companies fall under the third category. Organizations in this cohort think of security as a set of compliance checkboxes they need to tick to show auditors that all the required controls are in place. In other words, being secure is seen as synonymous with being SOC 2, ISO 27001, PCI DSS, or HIPAA compliant.
Some organizations do not have dedicated security teams; instead, they hire only compliance professionals whose job is to craft policies and ensure that everyone in the organization adheres to them. Those companies that do hire security professionals commonly have them buy, install, and monitor security tools. To "solve" the endpoint security problem, they deploy an endpoint security product; to secure the data, they buy a data loss prevention (DLP) tool, and so on. To most of these organizations, security is at best a product problem: "what product do I need to buy to safeguard myself?" Unfortunately, this approach lacks context. Each environment is unique, and security tools alone cannot solve every problem, especially when they are deployed out of the box, without any custom configuration or tuning.
It is worth noting that organizations end up with compliance- and product-focused security teams for different reasons. Some do not have the funding or access to the market to hire best-in-class security practitioners; others are understaffed, and their security teams are under a lot of pressure to do their best with limited resources. Most commonly, however, it is a problem of not having the right mindset, which leads to an absence of executive buy-in and, subsequently, all the other challenges.
Companies rarely leapfrog from no security to having a mature security organization
For us to build a more secure future, we need to ensure that companies of all sizes and across all industries are approaching security the right way. It is not realistic to expect that a small coffee shop in Nebraska can (or should) hire the same level of security talent as, say, Google. However, it is entirely reasonable that they can buy services from a security service provider with a mature, well-rounded, engineering-centered, technical security team. The problem is that this does not typically happen, for two reasons:
SMBs and organizations that do not have deep proficiency in security are not capable of evaluating the options available to them to improve their security posture, and
there are many players on the market that package compliance checkboxes as "security solutions" for unsuspecting SMBs.
Because of that, companies rarely leapfrog from having no security to building a mature security organization or accessing hands-on security services from a third-party provider. Instead, they tend to go from having no security to a compliance- and product-centered setup, or to working with MSSPs that see their role as reselling tools, and only after being burned and learning the hard way do they start looking for alternatives.
It is important to note that SMBs with no real security, or with only compliance-driven tooling, are often small vendors to larger companies with mature security programs, and they make those partners vulnerable. I think we are heading toward a future where larger companies will impose security requirements that will either exclude smaller businesses from the market or force them to expedite their maturity.
For obvious reasons, this is an oversimplified picture of the security landscape, and the full story is much more nuanced and complex. Having said that, I can't stop thinking that we would be much better off if we as an industry pushed back on anyone who puts an equals sign between compliance and security.