If you ask these two questions, you’re asking the wrong thing
How two of the most frequently asked questions in security are completely missing the point
For the past five years, I’ve been writing openly about all kinds of things in our industry - what I am seeing, what works, what doesn’t, what’s not being talked about, what we are missing, and so on. I’ve intentionally tried to stay away from a lot of nonsense that dominates security conversations, but that doesn’t mean that everything I say will resonate with everyone all the time. That’s perfectly fine and expected. Over the years, I’ve shared plenty of perspectives that ruffled feathers, like the idea that we need more venture capital and startups in security, that there is no such thing as “gatekeeping” in cybersecurity, that most of the security teams’ work has nothing to do with chasing advanced adversaries, or that VCs only really care about 6 cybersecurity markets among many, many others.
I am always super excited to hear from my readers, be it through messages or comments on social media, direct replies, or anywhere else. It doesn’t mean that I am great at responding (founder life), but I love a good debate about security. Disagreements are healthy because they mean people are thinking.
At the same time, there are two questions I get asked over and over again that, frankly, after all these years, still frustrate me every single time. Whenever I see them, I can’t help but wonder: How are we still asking these questions? What do we think they add to the conversation?
In this week’s issue, I want to talk about these two questions and why I think people asking them are completely missing the bigger picture.
“... do we really need this many point solutions?”
Every time I talk about the market, celebrate the growth of security startups, or simply mention the fact that Google’s biggest ever acquisition is a security company, someone will always jump in with some variation of the same comment: “Should we really be celebrating that? Why do we need so many point solutions? We need fewer products so that security teams can more easily make sense of the market”.
To be clear, I totally get where that frustration comes from. The market is 100% crowded, and security teams are overwhelmed, stretched thin, and constantly bombarded by endless sales outreach. That fatigue is real, but the question of whether we need more point solutions completely misses the point.
Saying that “we don’t need this many point solutions” ignores a basic understanding of what a market economy is and how it works. People want to have choices, and the market delivers. Nowhere is it easier to see than here in the U.S. Walk into a Walmart and ask whether we need this many brands of toilet paper, ketchup, sausages, or candy. The answer is obviously no (not just because many of these options are legitimately harmful, but also because nobody can tell the difference between 30+ brands of toilet paper by looking at the package). And yet, that answer is completely irrelevant: people want the ability to choose, everyone has slightly different preferences, and we end up where we are.
Here’s an analogy for you. Imagine someone walking into a massive grocery store (Walmart, Target, Costco, or pick your favorite one). The whole experience is not for the faint of heart: there are endless aisles, several hundred different sauces, seventy kinds of pasta, and all kinds of ads playing on large screens. Some of the brands look familiar, often from TV and online ads, but the majority are completely new. The person starts grabbing things that look great - some fancy chicken wing sauce, five pounds of frozen shrimp because it’s on sale, a few protein bars they saw on YouTube, a bag of kiwis because the packaging looks nice, and so on. Some hours later, the person gets home and puts all the stuff on the counter only to realize that they have spent a few hundred bucks, bought a ton of crap, but don’t have anything that adds up to a meal.
Now let’s ask the obvious question: Is the grocery store broken? Should the store carry fewer products? Should it remove half the shelves to make the whole shopping experience feel much simpler? Maybe just have one brand for every product? Wouldn’t just a section with salt and pepper be enough, instead of a whole aisle with spices most people have no idea how to even spell? I don’t know about you, but I don’t think so. The store did exactly what it’s supposed to do: offer choice. The real problem here is that the person went to the store without a shopping list and without a clear plan of what it is they would like to cook for dinner, so instead of buying the ingredients they needed, they bought a ton of crap that doesn’t add up to a meal.
I often feel like this is kind of what we have in security. Way too many people simply can’t find the time to sit down and think strategically about what they need (some also continue to believe that security is a shopping problem), so they end up just reactively buying tools. Obviously, vendors absolutely love that, so they amplify these messages - “just buy X, and we’ll solve all your problems”. The amount of noise is absolutely insane, so it’s not surprising that security teams are overwhelmed. At the same time, the reality is that starting with the market and all the available options is always going to be overwhelming, whether you are shopping for a pack of toilet paper or an EDR. Nobody should be expected to know every tool and what it does, similar to how none of us truly knows the difference between every kitchenware brand.
Starting with clarity about the problems the company is trying to solve and the criteria it truly cares about makes the whole experience of choosing the right partner much easier. When the security team gets enough resources and space to think strategically about what it is trying to do, many problems go away. This makes me think that the real issue in the industry is not that there are “too many point solutions” but that most security teams are so overwhelmed that they can’t even find time to think about strategy, or about what tools would best support that strategy.
Until we solve this problem, there is one shortcut that I think can help. I think that the easiest way for security teams to figure out if they should talk to a vendor is to ask themselves - Can this vendor help us with the essentials? Can it help us improve the basics? The hard truth is that most companies get breached not because of some zero-day, nation-state, blockchain, or AI-powered attack; they get breached because of the basics. It’s always some unpatched server that wasn’t on the inventory list, some orphaned account access that didn’t get revoked, some hardcoded credential, some network access exception that didn’t get removed, and other pretty mundane problems. Focusing on what matters will, by itself, filter out 80%+ of the vendors, and do wonders for the organization’s security.
“...but are we getting more secure?”
I love this one. It usually goes like this: I will say something to the effect that “Over the past decade, we have started to see enterprises invest more into their security” or “I see more and more companies using AI to solve security problems that previously were impossible to solve”, and someone will inevitably show up to ask “...but are we getting more secure?”.
First and foremost, let me answer this once and for all: YES, WE ARE. I think this is the first time I have used all caps in my blog, so that should tell you what I think about this question.
Every year, companies continue to improve their security defenses. Say what you want, but this is happening. There are more companies with an EDR today than there were a year ago. There are more companies using MFA than there were a year ago. There are more companies patching vulnerabilities than there were a year ago. Overall, more organizations have better tooling, better frameworks, more experienced engineers, and far more institutional knowledge than they did 10, 20, or 30 years ago. This list can go on and on.
The question you might be asking is, “So why do we see more and more breaches?” Well, the answer is pretty simple: it’s because the attack surface we have to defend expands faster than anything anyone on the planet can contain.
Over the past several decades, we have seen the attack surface multiply every single year:
- Every year, we are shipping more and more code (this was true before AI, and it is even more true today).
- Every year, IT environments are becoming more and more sprawled, fragmented, and complex (this is true regardless of what you look at - identity, cloud, networks, etc.).
- Every year, there are more and more connected devices of all kinds.
The bottom line is that what used to be a handful of on-prem systems is now a constantly shifting mix of cloud infrastructure, SaaS, APIs, identities, remote users, vendors, containers, and ephemeral workloads. Every new layer adds flexibility and speed, but also complexity and exposure.
Let me draw what ends up happening because having a visual in front of us will make explaining this much easier. Here is a picture that captures what’s happening in security, where maturity is going up, and the attack surface is expanding.
Those of you who are very observant will look at this image and say, “How can we be getting more secure if the gap continues to increase?” You are right - the gap between our security capabilities and the attack surface is now the largest it has ever been. This gap is the main reason security teams experience so much pain and suffering, why they feel overwhelmed, and why buying “just one more product” rarely fixes the underlying problems. It is also because of this gap that we keep seeing more and more breaches.
All that said, the world still hasn’t collapsed under the weight of all the breaches despite what some predicted. A lot of the credit for that goes to people working tirelessly to keep us safe, but we cannot ignore the simple fact that defenses have improved dramatically. Security maturity continues to increase, security controls continue to get better, defaults are getting safer, detection is becoming faster, and misses, while still painful, are far more contained than they used to be.
Let’s continue our thought experiment and think about what things could look like if the defenses weren’t in fact improving. The attack surface would continue to expand regardless, and so the gap between the state of security and the state of attacks would be enormous.
All this is to say that if we weren’t in fact getting more secure, things would have been as bad as some people imagine. This, however, isn’t at all what’s happening.
Every year, we continue to mature our defenses, and we cannot forget that security vendors play a critical role in educating the market about different ways of solving problems and providing customers with solutions. If some early adopters hadn’t bet on a startup called CrowdStrike in 2011, we would still be using McAfee to secure the endpoints. If nobody had worked with a startup called SafeChannel when it started in 2007, there would be no Zscaler (in 2008, SafeChannel changed its name to Zscaler). This list can go on and on. It would be misguided to say that CrowdStrike, Zscaler, Duo, and many other startups didn’t make us more secure, because they did.
Here is what it comes down to: attackers are innovating all the time, but 99.999999% of security and IT teams are barely equipped and staffed to keep the lights on, let alone to build their own tools. This is why we do need more startups and more venture capital to go into security.
You are probably still skeptical, thinking, “Sure, we need startups, but we don’t need that many of them!” It would indeed be amazing if we could just get a single company solving a single problem, and they would do it well, but sadly, that is not how innovation works. There is often a cohort of first entrants who work to educate the market about a new threat or a new way of doing things, and then someone else shows up and wins the market that has already been created. Case in point is CSPMs: there was already a decade-long history of attempts at solving the cloud security problem, and a lot of learning about what worked and what didn’t before Wiz was even founded. I will go on the record and say that without the first 10-15 point solutions trying to secure the cloud, Wiz would have never happened.
All this is to say that the answer to both of these questions is a resounding Yes. Yes, we do really need this many companies, and yes, we are getting more secure. That is where I stand and that is what I continue to both see and believe.

"...are we getting more secure?" or "How secure are we?" is the wrong question to ask. In fact, it is a question that cannot be answered because at the end of the day security is nothing more than a feeling! You cannot touch it, you cannot measure it, it's completely subjective!
The real question should be "How resilient are we?" This you can measure and quantify.
- How long will it take to breach our defenses?
- How fast can we detect an attack?
- How fast can we respond?
- How many attacks can we handle at the same time?
- How long can we hold?
etc.
The grocery store analogy is super sharp. What really stands out is that focusing on basics filters out 80%+ of vendors - that's the part that gets overlooked in all the 'consolidation' debates. The real unlock isn't fewer tools, it's having space to ask what actually matters. I've seen teams spend months evaluating XDR platforms when they hadn't even mapped asset inventory properly. The vendor noise problem is downstream of the strategy vacuum problem.