Frankly Speaking 4/27/21 - Data security might have new life!

It’s been a crazy month, but good news! I’m fully vaccinated. But, I’m going to ease my way back into normal life and not do anything too crazy. I met up with someone in person, and I totally forgot how much time it took to plan a meetup spot and actually travel to meet up with the person… Maybe more Zoom meetings are in my future.

Anyway, I hope spring and summer will bring some normality back and also allow everyone to have a break.

LET’S BE FRANK

Given the buzz around Snowflake and Databricks, data is becoming a hot topic again. With this comes concern around the security and privacy of that data. I’ve been seeing more content being written about this space, but in my opinion, the content has been disappointing because it doesn’t contain the proper context. I don’t blame them though because data security has had a long and complicated history, and I’ve had the “privilege” of seeing various versions of it play out in the last 10+ years.

A couple of threads/articles that have hit my radar are Will Lin’s VC view on Security Week and Renee Shah’s Twitter thread. Both are definitely worth a read, but I wanted to give everyone my take, which will fill in some missing pieces.

If you don’t want to read the articles, here are the tl;drs. Will’s article proposes a data security firewall to merge visibility and control (side comment: are firewalls still cool?). Renee’s Twitter thread discusses the need for 3-5 solutions for different parts of data security, which seems like where the space is heading, but more on that later.

Let’s start with an extremely brief history of data security. First, the biggest part of data security in the past has been data loss prevention (DLP). Symantec and Varonis are two of the major players. These products have been the bane of a CISO’s existence because they are extremely difficult to deploy and use. That’s how DLP became a dirty acronym and has made data security a dirty term. Second, CISOs have been forced to use these tools because of compliance, making data security primarily a compliance issue. This dynamic has made go-to-market extremely complicated. Finally, VCs have shied away from this space because there have been only bad exits. If you know of any good data security exit in the last 10 years, please let me know. I have still yet to come up with one.

Of course, the question is: are things different this time around? A few things.

Technology has improved. Specifically, AI/ML advancements have made data discovery and classification more accurate. DLP has historically suffered from high false-positive rates.

There is a more concerted effort to get data security right. I’m not sure if this is positive or negative. If anything it complicates matters, which requires more attention and resources. In the past, data existed within an organization’s perimeter or on endpoints. Now, data travels across the broader internet, is in the cloud within data warehouses, and is in SaaS applications. Data is just in more places. The cloud has changed the game and possibly the responsibility of data security within an organization.

With all problems like this in security, we will need multiple solutions to tackle different parts. Going back to Renee’s Twitter thread, there will be a need for a data security stack. I know security people dream of one platform to solve all problems, but let’s be honest, it’s a dream and has yet to happen, especially in the enterprise. Why? It’s because enterprises always want the best of breed for critical issues, and once a platform is built, it’s hard to have multiple best of breed solutions until the product and technology become more commoditized.

This brings up a few questions:

  • What is the developers’ role in data security? Do successful data security companies need developer love? Maybe it’s more about data science love?

  • Will data warehouse companies start offering or acquiring security solutions similar to DevOps companies?

  • Will data security move from a compliance issue to a security one?

  • Where in the tech stack should data security be managed?

As always, I’m happy to chat more about this. My email is open!

TWEET OF THE WEEK

Go get vaccinated!