Let’s have an honest conversation about the state of cybersecurity
Several years ago, I discussed the importance of security engineering for the future of security operations. Then, Rami McCarthy in his contributed article explained that security engineering is not the future, it is the present, but not equally distributed. I very much agree with his take, and in this piece, I want to go deeper down that road.
Over the past several years, as I’ve evolved my thinking about security, I have come to realize that the industry works differently than many people think. Many of these learnings were reflected in my book, ‘Cyber for Builders,’ but there are some that I haven’t distilled into a single article before. Now that I have finally found some time to reflect on the state of cybersecurity, it is time to close the loop and share my latest thinking.
Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!
This issue is brought to you by… Vanta.
Webinar: How to Choose Your Next Compliance Framework
As your organization scales, so does the complexity of your compliance program. How do you choose your next framework to support growth — without overburdening your team?
Join Vanta and Insight Assurance for a discussion to delve into considerations for scaling your compliance program. The live event will cover:
How to evaluate the maturity of your current compliance program and identify when it’s time to adopt additional frameworks
Tools and processes to streamline compliance workflows and support sustainable growth
Aligning compliance needs with your organization’s regions, industries, and customer base as well as long-term goals
What compels businesses to invest in cybersecurity
Before we go deeper into this week’s topic, let’s first cover the basics, namely what compels businesses to invest in cybersecurity.
Security practitioners often say that cybersecurity must become a priority for companies, but I think as an industry we have been largely unsuccessful at articulating why that is. And, it’s not for the lack of trying. Every week there we see hundreds of new articles, webinars, panel discussions, and tens of thousands of social media posts repeating the same message of security’s importance. I think the reason we haven’t been successful in getting CEOs, CFOs, and other execs to buy into this belief is that for most businesses security is sadly not as important as we'd like it to be. Before you get angry, let me explain.
Businesses are created to generate value for shareholders or to put it simply, to make money. There are many ways to achieve it but at the very basic level, business is about finding ways to generate as much revenue as possible (top line) while also avoiding as many expenditures as possible (bottom line).
Compliance as an enabler for revenue generation
For any company out there, revenue generation is the top priority. Anything that enables, expedites, improves, or otherwise contributes to revenue generation will always get funding. The good news is that security compliance is a critical part of revenue generation. The bad news is that the extent to which this is true varies for different types of organizations.
For some companies, compliance is an enabler for their peaceful existence
Let’s state the obvious: for some companies, compliance is an enabler for their peaceful existence. This is especially true for organizations operating in regulated industries and public companies.
Regulated industries, primarily banking, insurance, and to a certain degree healthcare, are the primary buyers of security solutions. This is not a coincidence: they are subject to a variety of compliance requirements, and security is one of them. In order for companies in these areas to continue making money, they have to check some boxes and convince auditors and regulators that they are doing their best.
The same is true for publicly traded corporations. Over the past several years, the SEC has been pushing public companies to start taking security seriously, and so executives in these organizations are now forced to invest in security. While not every public or regulated organization has a dedicated Chief Information Security Officer (CISO), all of them have an individual designated to be in charge of compliance and security. And, all of them have strong incentives to do what it takes to check the boxes that need to be checked.
For technology vendors, compliance is a critical sales enablement instrument
It won’t surprise anyone to learn that tech companies, most of which are venture-backed, engineering-centered startups, have strong incentives to invest more in cybersecurity than others. Contrary to popular belief, the reason for that isn’t that they can afford it. After all, tech companies are rarely profitable, and they burn a lot of capital in order to scale so they simply don’t have leftover money to allocate to areas not required to achieve growth.
The reason technology vendors have strong incentives to invest in security is two-fold.
First and foremost, tech companies need to make sure customers are comfortable sharing their data or embedding the companies’ software into their organizations. When a customer is ordering a new coffee machine, a sofa, or a container of coal, it has no real reason to care about the security posture of the supplier (as long as they can contractually guarantee the delivery of the products, that is). However, when a customer starts to use file storage, it is essentially saying “I trust that the storage provider will keep my data secure”. When a customer is looking to build on AWS, it is essentially saying “I trust that AWS won’t go down and won’t expose my data to bad actors”. The same is true for any software as a service (SaaS), infrastructure as a service (IaaS), platform as a service (PaaS), or any other kind of tech vendor. When a customer is buying something from a tech company, it has to share with it some data or give either some form of access and in both cases, it wants to be sure that that is safe to do.
For technology vendors, cybersecurity is a core attribute of the product they are selling. Without SOC 2 attestation, multi-factor authentication, and a variety of other attributes, a technology company literally can’t sell to the most lucrative types of customers (large enterprises). Unlike their counterparts in other industries, CISOs of tech companies focus on customer trust and play a critical role in the company sales process. This gives them an opportunity to be true business enablers.
Security as a tool to reduce losses
When people in the industry say that security must be a business enabler, what’s often missed is that for most companies, it is compliance that enables revenue generation. Where compliance isn’t mandatory, security is seen as optional. Aside from revenue enablement, the only other reason for businesses to invest in security is loss avoidance. There are two aspects of loss avoidance:
Avoid losing revenue (customers), and
Avoid losing business value (productivity, equipment, data, etc.)
Revenue loss avoidance is the number of priority but it is once again mostly relevant to tech companies. Okta, for example, must be very worried following the breaches it went through. Some factories producing aluminum, on the other hand, don't have to worry about customer loss following an accident to the same degree as tech comapnies.
The second type of loss avoidance is about business continuity. The degree to which this factor actually motivates companies to put their money where their mouth is depends on their understanding of the value at risk, and executive leadership’s personal attitude towards risk management. Unsurprisingly, these aspects are connected to the risks common in the business a company is in:
For technology vendors, a security breach means disruptions to their products, loss of customer trust (potentially, customer churn), and a variety of other problems.
For banks and insurance companies, a security breach can lead to significant financial losses. Customer trust isn’t as important despite what many would assume because most individuals wouldn’t switch an organization they have a relationship with as long as the breach doesn’t impact them personally.
For companies in regulated industries more broadly, a breach could lead to issues with regulators, and therefore lead to penalties and threaten the job security of security leaders.
For other companies, value at risk usually varies. Manufacturing, education, services, shipping and logistics, and other industries don’t generally have a good understanding of their value at risk, and therefore they tend to greatly underinvest in security.
The problem is that most people are pretty bad at understanding risks and assessing probabilities, so unless there are obvious compliance drivers, they won’t see investing in security as a priority. Moreover, a lot of organizations decide to gamble with their destiny and instead of investing in security, just wait and see hoping that magically, nothing bad will happen. This can work for a long time until one day it finally doesn’t. Since nobody can predict when a breach will happen, it can be too easy for organizations to treat security as tomorrow’s problem and instead invest their limited resources in revenue generation. After all, businesses aren’t created to be secure but to generate returns for their shareholders.
The only thing vendors can do to generate demand for security, other than lobbying for more compliance, is fear-mongering. In other words, generating demand for security has become about scaring people, and then removing that fear with a product the company is selling. The perceived value of the product is directly correlated with the amount of residual fear - the lower the residual fear the more valuable the product. If the company that generated fear can actually address the underlying risk then their product is seen as even more valuable. However, if a company actually addresses a problem without creating fear then it risks being seen as some weird technical solution that nobody in security cares about.
The great cybersecurity echo chamber
The reality I am discussing is painful to internalize, but that doesn't make it less real. Why isn’t this a discourse we as an industry are having more often? A simple answer is that we all live in what I can only describe as the great cybersecurity echo chamber. Ask yourselves a few questions:
Who is active on social media?
Who writes blogs (such as this one)?
Who records security podcasts?
Who gives talks at security events?
Who launches security startups?
Who are security vendors most excited to talk to?
Who do VCs want to spend time with?
The answer to all these questions is the same - it is either people who work at organizations where security is a revenue enabler (tech companies, large banks, etc.), people who build or work at security startups, aspiring founders, or investors. There are surely a handful of outliers, but by and large, it is all the same people.
I am calling it an echo chamber in the kindest possible way (after all, I am very much a part of that echo chamber whether I like it or not). The fact that most perspectives people read online seem to only be relevant to a small percentage of the engineering-centered companies isn’t a problem. The problem is in thinking that these perspectives represent the industry as a whole. The reality is that they don’t, and that a lot of what we are discussing simply isn’t relevant to a large percentage of the security teams out there.
Security is maturing but not in a way many think
The good news is that cybersecurity is maturing. This is clear when we see a growing number of security practitioners, security conferences, security companies, security-focused investors, and so on. This is clear when we see that more and more organizations are discussing security at board meetings and hiring dedicated CISOs. As I have discussed before, there are plenty of reasons to be optimistic about the future of our industry. While security is indeed maturing, it happens in a way that’s different from what many think.
For most companies maturity means relying on services
While tech companies have been hiring security engineers and security architects, and embracing an engineering mindset to security operations, the rest of the world works differently. The industry is maturing, but the definition of this "maturity" is much more nuanced. For tech companies, large banks, and the like, maturity may indeed mean hiring technical security practitioners (security engineers, architects, detection engineers, etc.), building customized tools to solve problems unique to their organizations, and so on.
However, they represent at best 1-5% of the market. For the other 95%+ of the market, maturity means admitting that they don't have the expertise to take care of their security needs, that they will most likely never afford that expertise, and that they have no idea where to even get started. For them, the outcome of maturity will be continued delegation of security to third-party providers, which includes security products but much, much more so - security services. Huntress, Arctic Wolf, and others have realized that many years ago. I am bullish about the next generation of security providers that are going to come in the next decade, and if there is one area where in my opinion AI has the potential to make a true difference it would be the delivery of services.
The fact that the government has been going after CISOs will only accelerate the move towards outsourcing security. When security leaders are being held liable for doing their jobs, it only makes sense that more and more of them will prefer to work with third parties to delegate more of security and thus to protect themselves from personal liability.
For most companies, compliance does mean security
We like to say that compliance is not the same as security (I also have written articles about that). While that is true, it is also true that for most companies, compliance does mean security. I don’t see this changing anytime soon. As more and more industries become regulated, there will most certainly be more demand for compliance (and subsequently security), but on their own companies won’t start investing in these areas unless they fall into one of the categories discussed at the beginning.
A good illustration of this reality is the state of the privacy market. For a long time, many in the industry have hoped that privacy as a market will explode. Years later we see most privacy-focused startups struggling to expand beyond a few early adopters. While Carnegie Mellon has been educating privacy engineers, you won’t see many people with such a title working outside of Google, Meta, and a handful of other big tech players. I think a single company that has been successful in the privacy market is OneTrust, unsurprisingly focused on privacy compliance. In this context, I define success as nearing an IPO.
Three obvious facts worth reminding ourselves about
Sometimes we get too excited about the future of security and start fantasizing about what things could look like in just a few years. There is nothing wrong with that, and if anyone is guilty of being too optimistic and too forward-thinking, it would be me. That said, it’s worth having something to bring us back to Earth, something to ground ourselves in reality. For me, it is thinking about the three simple truths.
Most security practitioners are just doing their jobs
I personally know plenty of security practitioners and security leaders who have made personal sacrifices to safeguard their organizations and to move the industry forward. The sense of mission, sense of purpose, and sense of duty we see in security is truly unlike that in most other industries. There are many reasons to recognize and celebrate the tireless work of those who keep our digital (and physical) world secure. There are also reasons to be worried about the tendency for companies to exploit people’s genuine desire to be helpful but that’s a topic for another day.
It is, however, also important to remember that most security practitioners are simply doing their jobs. Most people aren’t going out of their way to stay up to date about the industry news, don’t read security books or newsletters (unfortunately for me, that’s just how it is), don’t volunteer with their local security community, don’t speak or attend their local BSides and so on. Let me be very clear - the fact that they don’t do these things doesn’t make them lesser in any way. All it means is that they have other things in life they put before security, such as friends, families, kids, loved ones, hobbies, personal goals, and life in general. Some are in a fortunate position where they can do both, and others have to decide where their focus will be and pick one.
Security vendors have been very successful at celebrating every practitioner as a hero. That’s great (and we need more of that!) but it’s worth keeping our reality in check and remembering that security isn’t all about a sense of mission, and that most people in our (and any other!) industry are logging into their [ Windows, and not macOS or Linux] computers at 9 am and logging out at 5 pm. Most security practitioners aren’t active on LinkedIn, Twitter, Mastodon, or any of your favorite media, most CISOs have never been to (and will never attend) Black Hat or RSAC, etc. And most security people certainly don’t follow funding and product release announcements from the 5,000+ security startups, and don’t know what new categories are “hot”.
All this is as designed.
Most companies are not tech companies
Nothing makes the fact that most companies are not tech companies more obvious than looking at the stats outlining the United States gross domestic product (GDP) categories.
Image Source: Visual Capitalist
Information technology (IT) is far from being the main source of GDP. Sure, there are plenty of tech-enabled companies in all other segments but the fact remains that most companies which ought to be buying security solutions aren’t based in the Bay Area or even New York.
If you live outside of the United States, I’d encourage you to go through the same exercise for your country. I am quite confident you will arrive at the same conclusion regardless of where you reside.
Most people outside of security don’t care (and won’t care) about security
Although we hope that we can make individuals “cyber aware” and they’ll start living their lives more securely, that is sadly far from reality. I believe that there are many other critical habits, behaviors, and problems people should take care of before they think about security. People need to eat well, have good quality sleep, exercise daily, and read, and this list can go on and on. It has taken us centuries to get to the level of awareness about these things, but guess what - few people actually do it. My question is simple: if people know that not exercising and not eating well can shorten their lives by many years, but choose to take no action, why do we assume that learning about the possibility of losing personal data in a security breach is going to achieve a different result? As someone wise once said, “If awareness was enough, nobody would be smoking”.
Embracing reality and deciding to do the best we can with what we’ve got
If it sounds like I am being negative about the state of security, - that is not at all my intent. On the contrary, I am hopeful and optimistic about the future. I do, however, think it’s important that we establish a realistic baseline about the present. In other words, to achieve lasting change we need to first embrace reality and understand where we stand.
After we do this, the next step is to identify opportunities for improvement. The good news is that there are plenty of them, and we are most certainly moving in the right direction. We need to continue evangelizing the importance of security, championing new standards and regulations, and ensuring that security leaders can do their jobs without fear for their careers and freedom.
Furthermore, I think we need to recognize that we as an industry have been quite successful at advancing the state of the art of security and building pretty powerful capabilities for defense. The main task that remains is to advance the state of practice. In other words, we need to take these advanced capabilities and make them accessible and easy to consume by the rest of the industry, by the 95-99% of companies that will never hire security engineers, security architects, detection engineers, and other types of amazing engineering-centric security practitioners. We need to hear from people at security conferences who work on security teams at companies that don’t have large security budgets. We need to hear from people who are doing their best with the little they have because that is where 95-99% of the world is today (and probably will continue to be).
Understanding the reality of the industry is also critical for those looking to build security startups. We have seen that companies targeting exclusively SaaS-only, tech-forward companies have a limited market, and that it’s important to design solutions equally applicable to analyst-centric and engineering-centric security teams.
There is a lot we can and should be doing, but it all starts with a single step - embracing reality and deciding to do the best we can with what we’ve got. And for that, it is useful to have an honest conversation about the state of cybersecurity.
Earlier this week, my book 'Cyber for Builders' was recognized as Book of the Year at the SANS Difference Makers Awards, the most prestigious recognition available to cybersecurity authors globally.
'Cyber for Builders' is most definitely on the list of things I am most proud of. However, it is not because of all the accolades, rankings, publicity, and recognition. While writing a book takes work, it is not hard. It is everything that comes before it that takes the most work.
For me, this book is personal. When a decade ago I immigrated to Canada, I didn't speak a word of English. It has been a fascinating and believe me, not an easy journey learning the language at an age when most people in North America finish their colleges. Building a life in a new country, starting a new career, immigrating for the second time & moving to the US has been a wild ride. I've done well, largely because of the support of many, many people, but for years I have been conscious about my ability to communicate thoughts, ideas, and perspectives on what is my third language. The SANS recognition, the outpouring of support on social media, the glowing Amazon reviews for 'Cyber for Builders', and millions of readers of Venture in Security make it clear that all that was worth it. That is what makes me feel proud. 'Cyber for Builders' is a great example of overnight success ten years in the making.
Thank you for all the support, friends. And, if you haven't read 'Cyber for Builders' yet, go get that copy. With Amazon Prime, it can arrive before the holidays, and some folks say a book about building security startups makes a perfect gift.
One of the things I'm grateful for is regular access to the kinds of problems enterprises are trying to solve. As IANS faculty, I regularly talk to small and midsize companies, but also talk to large multinational pharmas and financial firms. This window into the kinds of security problems companies are currently trying to solve is eye opening.
I regularly talk to companies just running their first ever vulnerability scan. Companies that have just enabled MFA for the first time, and are proud to have rolled it out to 60% of their workforce. Companies that have zero experience with containers and very little with cloud. Companies that are just considering rolling out their first VDP or bug bounty.
Over the past 4 years, I've worked with 235 unique enterprises through IANS, and I generally find that:
1. everyone is dealing with the same issues
2. those issues are VERY basic and fundamental
3. almost none of them have engineering (i.e. 'builder') talent on staff
The vast majority of practitioners out there need help doing the basics, and help ensuring they've done the basics correctly. That's my experience (admittedly, with an anecdotal and small sample size)
"Most people outside of security don't care about security." - Very apt.
The Pragmatic Path Forward for Cybersecurity:
Instead of hoping for a utopia where everyone suddenly starts caring about online security, let’s accept reality and adapt. The key lies in designing systems where security is baked in, not bolted on:
Defaults and Automation: Think seamless. Updates that happen in the background, password managers that do the heavy lifting, and multi-factor authentication as standard—because asking people to remember 'complex123!' never ends well.
Minimizing Human Reliance: Humans are predictably unpredictable. Biometric authentication and zero-trust architectures cut out the middleman (or middle click). Less guessing, more securing.
Targeted Awareness: Focus training where it matters most. Spear phishing simulations for executives, not generic 'Don’t click shady links' posters for everyone else.
The future of security isn’t about nagging people into compliance; it’s about removing barriers and building tech that assumes humans will do what they do best—take shortcuts.