How security leaders can accelerate innovation in cybersecurity
11 practical ways CISOs can enable innovation in the industry
Welcome to Venture in Security!
Role of CISOs in enabling innovation within their company
A lot has been said about the role that Chief Information Security Officers (CISOs) have to play in driving innovation inside their companies. After two years of the global pandemic and hundreds of omnipresent reports about the continuing rise of cyber attacks, business leaders have begun to realize the importance of cybersecurity and finally treat it as a board-level concern.
Cybersecurity is no longer just an “IT issue”, but one of the core components of a company's business strategy. To enable enterprises to push the boundaries of what is possible, security leaders cannot be seen as “the office of no”. They need to be deeply familiar with the business, understand how security aligns with the overarching company strategy, and look for effective ways to safeguard the company's crown jewels. The overwhelming majority of security leaders today have understood and accepted this critical responsibility.
Accelerating innovation on the ecosystem level
While the role of CISOs in driving innovation internally has been well-defined and actively discussed, their role in innovating the security industry as a whole has not.
It is hard not to notice the problems apparent in the market, such as the lack of transparency (it is often unclear how most products actually work) and buzzword-dominated marketing that makes it hard to make sense of what is being sold. These problems are unlikely to go away on their own; the number of threats is equally unlikely to start going down on its own; and it is even less likely that Gartner will have an answer for how to move the industry ahead. We need to innovate: change our approach to security, change the way we tackle problems, and support the entrepreneurs championing the security of tomorrow.
CISOs and CIOs cannot be seen as bystanders in this process. Security leaders have both a great opportunity and a great responsibility to enable innovation in cybersecurity. The sections that follow describe eleven practical ways they can do it.
11 ways for security leaders to accelerate innovation in cybersecurity
Considering security startups as solutions to a company’s problems
The most obvious way to support startups is to become their paying customer. Shahar Geiger Maor, CISO at Compete and Founding Member of Kmehin, has a fantastic article about accomplishing security goals while working strategically with startups. He highlights that while it may be tempting to go with well-known security vendors, the advantages of working with startups far outweigh the risks: they move quickly, are ready to listen and react to customer feedback, offer great support, and come with substantial savings compared to big brands.
Becoming a customer of a cybersecurity startup can help security leaders accomplish their goals and better address security risks in their organizations. For startups, such a partnership can be a game changer even if the revenue is not significant: at an early stage, getting someone to use the product and provide feedback, and gaining a reference customer (a logo coupled with a testimonial or a case study), can make a huge difference.
Setting aside a small budget for security innovation
It is not a secret that security teams are often under-resourced and underfunded. Having learned to make do with what they have, many organizations have forgotten that to get ahead, they need to keep innovating.
Good security leaders allocate a percentage of their department’s budget to innovation, making it possible for the team to stay on top of the new approaches, new ideas, and new tools that have the potential to change how security is done. Even when there is no immediate need for a certain technology, it’s a good idea to test-drive innovative products and solutions once in a while, expanding the horizons of what’s possible.
Setting up some time to hear pitches and provide feedback
To innovate, startup founders need feedback about their ideas, solutions, and sales pitches. It is hard to get this kind of feedback, and it’s hard to blame security leaders for that: they have work to do, and their often understaffed teams cannot spend hours evaluating cool tools.
A great solution to this problem was implemented by Geoff Belknap, Chief Information Security Officer at LinkedIn, who decided to set aside time each month to invite security companies to share their pitch. In his original LinkedIn post, he wrote:
“...there's SO MUCH noise and SO MUCH outreach that sales teams have little hope of getting through to CISOs and other security leaders. Similarly, Security Leaders have little hope of hearing about up-and-coming solutions that might be great for what we need. The only thing that many of my peers and I agree reliably works to break through the noise is warm referrals and/or hearing about something new from a peer.
… I'm going to set aside time each month to invite security companies to share their pitch. I'll provide feedback to the company, write a post with my take on the product / service / pitch so that others can be more informed, and maybe this will help other CISOs and Security Leaders to be more aware of companies they want to reach out to, without having to dig through all the cold email outreach”.
Since then, Geoff has been posting brief reviews of the startups he connects with.
I think this is something many more security leaders can do in a structured manner, without having to allocate countless hours to sift through the noise. A brief announcement on social media, a form to receive/book pitches, and 2-4 hours set aside per month can be a fantastic way to help founders while also keeping up with new approaches to security, learning about new products, building relationships with entrepreneurs, and potentially finding new tools to secure their organizations with.
Advising venture capital firms & helping fund promising ideas
Getting involved with VC firms is one of the ways to make an impact in the industry. The venture capital model relies on picking outliers: teams and products with the potential to succeed and yield high returns. As cybersecurity is a deeply nuanced and technical industry, CISOs can add a lot of value by helping investors evaluate startups from the practitioner’s point of view.
There are different ways to get involved with VCs, ranging from informal advisory relationships to participating in well-defined advisory panels. Many cybersecurity-focused venture funds have formal CISO and industry leader panels, such as Forgepoint Advisory Council, Village by Team8, Venture Advisors by YL Ventures, and NightDragon Advisory Council, to name a few. Generalist (non-cyber-focused) funds that want to invest in cybersecurity also form relationships with security leaders to get help during due diligence and investment decision-making.
Getting involved with startup incubators & accelerators
Similarly to collaborating with VC firms, getting involved with startup incubators and accelerators can be a great way to work with many startups at once. There are several cyber-focused accelerators and incubators that work with early-stage ventures. Most are looking for mentors, advisors, and industry partners, roles well suited to security leaders with industry experience and connections. Each organization has its own requirements around commitment, but you can normally expect to invest one to eight hours per month. Those looking for a “lighter” commitment can join as pitch judges or guest speakers, contributions that are equally valuable to many incubators and accelerators.
Providing product feedback
It is incredible how hard it can be to get any feedback about a product in this industry. As a product person, having worked in several different fields (e-commerce, edtech, and fintech, to name a few), I was surprised at what it takes to get an opportunity to talk to people in security. Not every call with a non-customer is a sales pitch; customer discovery is critical for building great products. If you don’t know what pain points people have, it is hard to design a tool that solves them.
Seeing all vendors as enemies doesn’t help move the industry forward. Security leaders can help bridge the gap by being open to providing product feedback, highlighting what the product does well, where the gaps are, what issues they ran into, and what the team should consider (and encouraging individual contributors on their security teams to do the same). It takes ten minutes to write a brief email to a vendor the CISO decided not to move forward with, and that email might very well help them improve.
Advising startup founders
Becoming an advisor to a startup can be a great way to help founders and earn startup equity while doing it (I don’t see startup equity as an incentive, but rather as a nice side effect of doing the right thing).
Startups often benefit from honest feedback about their product, marketing materials, and go-to-market strategy, as well as from introductions to potential customers, investors, and industry partners. Founders need high-quality sounding boards, and security leaders with solid industry experience are well-positioned to become one.
As with everything else in this article, the CISO needs to make sure there are no conflicts of interest between this engagement and their main employer, but in the vast majority of cases it’s all fine.
Joining a startup board of directors
For those with experience in board governance and a willingness to contribute at a more strategic level, joining a board of directors can be a perfect opportunity. Most early-stage boards consist of company founders and sometimes major investors, but at a certain stage companies generally look for independent board members.
The best way to become a board member of a startup is to be genuinely interested in helping a founder, building a relationship over time through advising, angel investing, introducing them to people in your network, helping them get funding, and whatever else a startup may need. Being a board member is a big responsibility, and you will need to make sure there are no conflicts of interest. It can also be a very rewarding experience to help steer a young venture and support entrepreneurs in their ambitious plans to make security better.
Investing in the next generation of startup leaders
Angel groups, private investment clubs, and individual angels are often the ones who support entrepreneurs at the earliest stage, when institutional investors such as VCs are not ready to invest. As I discussed before, for an early-stage cybersecurity startup, getting a capital injection to bring a prototype or an early beta version to market quickly is important. What is even more important is gaining access to potential customers, getting the right introductions to partners, and receiving feedback from trusted advisors. Arguably, nothing beats the value that security leaders and experienced professionals turned investors can bring.
There are several investment syndicates composed of CISOs and other security leaders, including Cyber Club London (UK), KMEHIN Ventures (Israel), Silicon Valley CISO Investments (US), and The Security Syndicate (US). While most of them are invite-only and each has its own criteria for joining, if you are a CISO with some capital to invest, you will most likely qualify to join. Note that while each syndicate and each deal will have a minimum investment amount, it can often be as low as $2,000-$2,500, making angel investing much more accessible to security leaders than many people realize.
It is also possible for CISOs to become investors (called limited partners or LPs) in the venture funds discussed above, although the minimum investment amounts there are typically considerably higher.
Sharing information in their peer leadership group
Cybersecurity is a new field that has only recently branched out from IT into a separate discipline, and even more recently received the attention it deserves at the executive leadership and board levels. Gone are the times when security leaders had few people to reach out to with questions; today, CISOs are part of vibrant communities of professionals who share insights, help each other brainstorm solutions to hard problems, and act as peer support groups. It’s in these mostly informal groups that security leaders often discuss the new tools and approaches they have found on the market.
Startups can rarely afford to participate in industry awards or make it to the top of analysts’ vendor recommendations. The best early-stage companies rely on word of mouth from their customers and from industry leaders open to building bridges and helping even when there is little in it for them. CISO peer leadership groups and informal chats can become a growth engine for great startups, without being overbearing for anyone involved, if security leaders are willing to talk about new ideas capable of shaping the future of the industry.
Spotlighting startups in conversations with journalists and industry analysts
Journalists and industry analysts often talk to CISOs about the state of cybersecurity, reducing the threat of cyber disasters, and the changing landscape of the vendor market. While it may be tempting to talk only about problems, it is much more productive to also highlight small, innovative companies trying to push the industry forward. Startup founders rarely have the time, connections, or resources needed to get in front of the rainmakers analyzing the industry and looking for innovation.
Having security leaders spotlight startups and new approaches to solving problems in conversations with journalists and industry analysts can make a big difference for startups, bringing more market attention and potentially more growth. Best of all, it is incredibly easy to do, as most CISOs have personally met talented entrepreneurs challenging the status quo and pushing innovation forward.
Becoming high-impact players is not charity: practical benefits to CISOs
For security leaders, becoming active players in the cybersecurity startup ecosystem is not just about being charitable; it can greatly benefit them as well. Some of the ways accelerating innovation in cybersecurity can result in positive outcomes for CISOs include:
Being seen as industry leaders can help CISOs build trust with their leadership teams and boards of directors, who will start seeing their expertise validated outside of the company
Working with startups to solve their organization’s problems can be a great way to save budget and allocate money elsewhere (such as to hiring)
Getting involved with VC firms, accelerators and incubators can expose CISOs to the most innovative startups shaping the field allowing them to be first in adopting a lot of the cutting-edge approaches in their organizations
Angel investing, advising startup founders, mentoring, and joining corporate boards can be a great avenue for CISOs to learn what it takes to build a successful venture - an invaluable experience for those with entrepreneurial ambitions
Being an active player in the ecosystem can help CISOs get noticed by CEOs and corporate leaders from other companies, making it easier to find their next job
Investing in cybersecurity ventures can be a great way to diversify the financial portfolio and achieve great returns (note that startups are very risky so this is not investment advice - never invest in startups more than you can afford to lose as your investment can go to zero very quickly)
Closing Thoughts
As an industry, I think we are at a crossroads. CISOs are very vocal about being overwhelmed by demo requests and product pitches from a never-ending stream of vendors, many of which are “yet another EDR tool”. Startups, on the other hand, often see CISOs as gatekeepers. They think that security leaders are more likely to choose a “safe” vendor deemed a “leader” by Gartner than to place a bet on an innovative and hard-working team that is passionate about solving hard problems and often better positioned to deliver on its promise.
I am convinced that the answer about where to go next lies in collaboration and in recognizing that cybersecurity as an industry is undoubtedly changing. Entrepreneurs and security leaders have to work together for the changes to take us to the right place. CISOs can turn from gatekeepers into innovation enablers shaping the new generation of solutions. Entrepreneurs can stop building “me too” solutions and be braver, tackling one of the many unsolved problems instead of building yet another “new-gen zero-trust XDR” platform, or whatever the new buzzword is going around when you are reading this article.