Frankly Speaking 6/8/21 - Why zero-trust security is stupid!

Hope everyone had a good Memorial Day weekend! I took a short break and tried to get some sunshine.

It seems like more in-person meetings are happening, but I’m finding that it’s hard and more inconvenient to schedule those, especially since I don’t know where people are located nowadays. I find myself defaulting to Zoom meetings just because it’s logistically easier. No need to worry about meeting and travel logistics! I am actually restricting my in-person meetings to meals and weekends, and it’s substantially increased my productivity. Of course, everything is best done in moderation.

Do you have any tips to weave in-person meetings into your day? or are you now weaving in Zoom meetings? I would love to hear your thoughts, so send me an email!


Ok, we need to have some real talk. There have been too many newcomers into the security industry, and now everything is becoming bastardized. In some ways, I’m happy that cybersecurity is finally getting more attention, but as a result, there are way more people who don’t know what they are talking about. It’s irritating and frustrating.

I guess that’s why I started this newsletter, partially inspired by Kelly Shortridge’s newsletter talking about the stupidity of certain VC fundings of cybersecurity companies. I blame VCs, especially since most of them don’t understand security and aren’t part of the ecosystem. They are adding fuel to a fire. Anyway, enough of this tangential but relevant rant.

Buzzwords in security have their purpose, but lately they are commonly misused to trick buyers. It’s unfortunate, and zero-trust is the perfect example.

What is zero-trust? Zero-trust security is a principle that organizations shouldn’t trust anything coming into their systems by default. They should verify everything going into their systems, e.g. every access request, every connection, regardless of where it originates. In an ideal world, if you follow zero-trust properly, the network perimeter stops being a security boundary: being inside it earns you no trust, so there is no reason to rely on a perimeter at all. That was the intended purpose of the principle.

At its crux, it means not trusting network traffic a priori: a request gets access because its identity, device, and authorization check out, not because of the network it arrived from. However, there are a bunch of companies, which should go unnamed (*cough* network security companies trying to stay relevant in the public cloud world), who are misusing the term and confusing everyone.
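To make the principle concrete, here is an added example (my own illustration, not code from the newsletter or from any vendor). It contrasts a perimeter check, which grants access to anything with a corporate source IP, with a per-request zero-trust check that ignores the source IP and instead verifies a signed identity token, a device posture record, and a per-resource authorization list. The signing key, device inventory, ACL, IP ranges, and request records are all constructed for the demo, and the token format is a toy HMAC scheme, not any real product's.

```python
"""Perimeter trust vs. per-request zero-trust evaluation (added example).

Everything below is constructed for illustration: the signing key, the
device posture table, the ACL, the network ranges and the sample requests.
"""
import base64
import hashlib
import hmac
import ipaddress
import json
import time

SECRET = b"demo-signing-key"                 # assumption: toy shared key
CORP_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: "inside" range

# Constructed device posture results and per-user resource authorizations.
DEVICE_POSTURE = {"laptop-17": True, "byod-phone": False}
ACL = {"alice": {"payroll", "wiki"}, "bob": {"wiki"}}


def perimeter_allows(req):
    """Castle-and-moat model: anything inside the corporate network is trusted."""
    return ipaddress.ip_address(req["src_ip"]) in CORP_NET


def mint_token(subject, device_id, ttl=300, now=None):
    """Issue a toy HMAC-signed token binding a user to a device with an expiry."""
    now = int(time.time()) if now is None else now
    payload = {"sub": subject, "dev": device_id, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + sig


def verify_token(token, now=None):
    """Return the token's claims if signature and expiry check out, else None."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = int(time.time()) if now is None else now
    if claims["exp"] <= now:
        return None
    return claims


def zero_trust_allows(req, now=None):
    """Verify identity, device and authorization on every request.

    The source IP is deliberately never consulted: being on the corporate
    network buys nothing, and being off it costs nothing.
    """
    claims = verify_token(req.get("token", ""), now=now)
    if claims is None:
        return False, "invalid or expired token"
    if not DEVICE_POSTURE.get(claims["dev"], False):
        return False, "device failed posture"
    if req["resource"] not in ACL.get(claims["sub"], set()):
        return False, "not authorized for resource"
    return True, "ok"


def compare(now=1000):
    """Run constructed requests through both models; returns {label: (perimeter, zt)}."""
    alice = mint_token("alice", "laptop-17", now=now)
    bob = mint_token("bob", "laptop-17", now=now)
    alice_phone = mint_token("alice", "byod-phone", now=now)
    requests = {
        # attacker already on the LAN, no credentials at all
        "lan, no token": {"src_ip": "10.1.2.3", "resource": "payroll"},
        # legitimate user on a coffee-shop network, healthy device
        "wan, alice ok": {"src_ip": "203.0.113.5", "resource": "payroll", "token": alice},
        # valid identity and device, but not authorized for this resource
        "lan, bob payroll": {"src_ip": "10.1.2.3", "resource": "payroll", "token": bob},
        # valid identity, but the device failed its posture check
        "lan, alice phone": {"src_ip": "10.1.2.3", "resource": "wiki", "token": alice_phone},
    }
    return {label: (perimeter_allows(r), zero_trust_allows(r, now=now + 10))
            for label, r in requests.items()}


if __name__ == "__main__":
    for label, (perim, zt) in compare().items():
        print(f"{label:18s} perimeter={perim!s:5s} zero_trust={zt}")
```

The point the demo makes is the one in the paragraph above: the perimeter model says yes to the credential-less request from the LAN and no to the fully verified user on the WAN, while the zero-trust check reaches the opposite decisions and also explains, per request, which verification failed. Note that `zero_trust_allows` is three checks against three separate sources (token issuer, device posture, ACL); no single box is doing "the zero-trust".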

For example, what is zero-trust network access? What does that even mean? I thought we weren’t trusting the network. Can you see how this term is confusing? Companies that use this, you know who you are. Stop it! You’re adding to the confusion.

Another thing is that there isn’t one singular solution that can suddenly provide you with zero-trust security. It’s a principle! It’s like saying there’s a single solution that provides least-privilege access. Or that there’s a solution for agile development. Here’s a non-technical example. There’s no singular solution for zero-waste! It’s just a guiding principle, and multiple solutions are required to fit it into the organization.

On that note, products that sit between endpoints, e.g. proxy-based products, are just band-aids in the transition to zero-trust. They will become less popular over time because they become a bottleneck and are difficult to scale properly. Ultimately, I believe products that sit on endpoints will be more popular than ones that sit in between. In some ways, this is part of the trend of “shift left” and “shift right,” trying to focus on the ends rather than the middle.

In conclusion, I’m sorry that marketing is hard, but using the zero-trust term is lazy marketing. There’s no other excuse. I think it’s important for security companies to focus on how they are improving an organization’s security posture and reducing risk. Just say what you mean! It’s harder I know, but it’s not THAT hard.

Buzzwords create more problems than they solve. Also, there are plenty of important security products that an organization needs urgently that aren’t related to the zero-trust principle, e.g. cloud security posture management and most cloud-related security products. So… stop talking about zero-trust unless you are really zero-trust!

As always, my email is open for more discussion. If you need help with messaging/marketing, I’m happy to help… and help a lot more when I’m an investor :).


Let’s not forget we live in a bubble sometimes…