There are different types of security organizations, and that's ok
However, executives need to understand that this means risks are managed differently
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
![](https://substackcdn.com/image/fetch/w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F89202bed-9833-4f8e-9a08-5327213e627c_4032x3024.jpeg)
I recently saw a LinkedIn post from Ross Haleliuk, who writes the Venture In Security Substack. He talks about how most security tools don’t actually solve problems but instead create more of them. He typically has some good points (and this is one of them), but what’s most interesting about this post is the additional discussion it spurred.
In the responses, Abhishek Agrawal, the CEO of Material Security, claims that tools are causing the cybersecurity talent shortage. I respect Abhishek a lot, and he’s built one of the best email security products on the market. However, his conclusion is a bit of a stretch. Despite that, it reinforces Ross’s original point: there are too many bad tools, and they are causing problems, especially around cybersecurity talent.
This isn’t an amazing or shocking conclusion. It’s a well-known fact in cybersecurity, but the number of tools isn’t decreasing. Although VC funding seems to be decreasing, the absolute amount is still quite large. There are some areas where there’s more funding than market size! The problem is that, as an industry, we continue not to address the fact that we have too many tools. Every year, at RSA, Black Hat, or another conference, every security leader talks about wanting to have fewer tools or wanting to consolidate on a platform. However, it never ends up happening. At the same time, the cybersecurity community has a general feeling that despite all these tools, the number of breaches is still increasing, i.e. things aren’t getting any better. So, is all this money put into security tools solving problems? Sure, you could argue that things would be worse without tools, but we can never prove the counterfactual. However, these tools are clearly not effective enough.
Sadly, I’ve discussed this in the past. I believe security is turning from a problem-solving role into one that’s just managing tools and triaging their outputs without any additional critical thinking.
Although my thinking has evolved, I still believe security is a bad business. Yet, VCs still want to invest. Companies have large budgets for security (rightfully so), and these budgets tend to be consistent. However, budget growth seems to be slowing down with some budgets decreasing.
Tools aren’t the only or even main way to solve security problems, so my conclusion, which may be similar to Abhishek’s above, is that spending money on tools prevents us from spending money on talent. We should invest in talent to solve problems rather than spend money on tools and people to maintain them.
Anyway, I’ve digressed enough from the main point of this newsletter. We’ve established that most tools are bad, and we’re wasting money on them. But, why is this?
My theory is that security tools don’t take into account that security needs and organizations are diverse. Of course, they have to consider some of this to build any sort of reasonable product, but they generalize more than reality allows. An alternative theory is that most security organizations don’t know what problems to solve and are blindly buying tools, only to realize they are wasting money and resources without any realistic goal. Although that might be partially true, it’s not an interesting theory to discuss because it implies that we don’t quite understand how to manage security risk, which is a hard problem to solve (and not one I fully believe in).
Only a few problems affect all companies
Let’s look at the large markets for security or the large market cap security companies. What they have in common is that they all solve problems that every company has, i.e. the total addressable market is all customers.
It’s no surprise that the big public and private cybersecurity companies are in these categories.
Network security: Cloudflare and Zscaler
Endpoint security: Crowdstrike and SentinelOne
Email security: Proofpoint, Material Security, and Abnormal Security
Identity: Okta and Cyberark
Cloud Security: Palo Alto Networks, Wiz, and Fortinet
SIEM: Splunk/Cisco and IBM
Although these are large markets, they are also competitive markets where the incumbents have a large advantage. In order to do well in these categories, you have to spend a lot on research and development to reach feature parity. Another way is to be Wiz and be the best product in an up-and-coming large market.
What about the other security categories not included above? Most notably, application security is missing here. Actually, most companies don’t have a lot of developers or applications because software isn’t a core part of the business. As a result, application security is less of a risk for them. A mix of open-source tools and a couple of people is probably sufficient. In other words, most companies don’t need the application security engineers or sophisticated application security tools that technology companies invest in because that’s not a large risk area for them. In fact, I think most companies can get away with just operational security teams. It comes down to the types of risks that the company wants to manage.
For example, I advocate for more engineering in security because it’s more efficient at reducing risk. There’s some nuance to this — it’s relatively more efficient at reducing and managing risk for engineering-focused/technology companies than other companies. One area that I haven’t been too explicit about is that most of my security experience has focused on addressing technical risks, but hopefully, that’s something people have inferred from my blog.
Another, maybe more extreme, example is that most companies outside of the Fortune 100 don’t have to worry about nation-state attacks. It’s likely not a good use of resources to defend against this type of attack for most companies, especially startups. Their resources are better spent on the six categories above. As a result, tools to defend against nation-state attacks have small markets. Cybereason started with this, and their product was great. However, they saturated the market quickly and realized they needed to expand their addressable market.
Cybersecurity organizations look different at different companies
Different companies should have different types of security organizations because they have different risks. For example, the risks that a bank faces are different from those of an infrastructure technology company. Sure, there is some overlap because both might use similar types of technology and infrastructure. However, an infrastructure technology company doesn’t have to deal with fraud as much as a bank does. Similarly, an infrastructure company serves more technical users, so it has to expose more types of access to its technical infrastructure than a bank, presenting a different type of risk. In other words, technology companies have a larger ratio of technical risks compared to banks.
That’s why we see CISOs tend to stay within an industry, and usually when they venture outside of that industry, there is a steep learning curve. It’s interesting because companies tend to hire executives from the same industry for other positions, such as the CTO, CFO, etc., but this is less common for CISOs, who tend to move between industries.
One reason for this is that, as humans, we’re inherently bad at understanding and measuring risk. Security is also hard because it’s hard to prove the counterfactual: if we didn’t put a certain security control in place, what would have happened? This also makes finding the right CISO hard. How do you find the right person to manage risks when you don’t quite know the risks? How to find the right CISO is likely the discussion of another newsletter, but it’s important to find CISOs with the security skills that help address the risks of your organization. For example, it doesn’t make sense to hire a non-technical, operational CISO if technical risks are the most important cybersecurity risk you want to address.
How does this all relate back to my initial rant about tools? Well… most tools don’t take into account that different security organizations care about risks differently. For example, not all security organizations need sophisticated application security tools, especially if they don’t have many developers. However, many security companies spend marketing dollars convincing security organizations that they need the tool.
The best products are the ones that can navigate these variances. They have something for everyone. They have basic and premium features based on what risks an organization wants to address. With that said, it’s not just the product but the market it operates in. So, what’s the lesson learned here?
Other than the six markets above, most security markets aren’t as big as security companies say they are. Different security organizations have different risk profiles, and they might not get value out of certain tools. So, even if they initially buy the tool, it won’t be sticky.
Security companies and organizations can’t continue to use the FUD playbook. Security companies need to be honest about the size of the market their product is addressing rather than believing that marketing will expand that market; marketing-created risks will likely be transient. On the other side, security companies shouldn’t waste marketing dollars trying to capture markets where their product isn’t needed. This is especially important for startups, where focus is important. It’s not worth the time or the money.
Security is already hard enough. As a community, we don’t need more distractions and noise from security tools. I get why it’s happening, but it’s bad for companies trying to secure their organizations and for companies trying to build meaningful products that solve security problems. Hopefully, companies will slowly realize that security is just like the other organizations they have: different companies have different security risks and needs.