Many of the best security leaders aren’t on LinkedIn
And they have never been on a podcast
I live in San Francisco, but as a founder serving large enterprises, I now travel quite a bit. When you get outside of the Bay Area, the first thing you notice is that there are no billboards screaming about AI, and no buses advertising agents for SDR, customer success, or finance. Three weeks ago, I was in DC, a week and a half ago I was in Boston, and this week I am in Houston. None of these cities is talking about AI, even though there are plenty of innovators living in each.
San Francisco is amazing because it brings together some of the most innovative minds, driven to use technology to do something that could never have been done before. The culture, the mindset, the people are incredible. But I will be the first to admit that it’s also an echo chamber. I say this with kindness because I love this place, but when you love something, you gotta still maintain some degree of objectivity.
Cybersecurity is just like that. I love our industry, I love people shaping the industry, but we gotta admit that security is, too, one big echo chamber.
Cybersecurity has its own echo chamber
In security, we have developed an amazing ecosystem. We have our own conferences. Our own podcasts. Our own blogs. Our own social circles. With all these amazing shared experiences, we sometimes forget how small a slice of the industry those communities actually represent.
Many of the best security leaders I’ve met aren’t on LinkedIn. They may have a page, but they really don’t visit the platform, and not at all because of the sales outreach; they just don’t have the need for it. All the jobs they are getting are through friends, people who know their work, and people who respect them after some shared experiences. Most of the best security leaders I’ve met have never been on a podcast. I have met plenty who haven’t even attended RSAC and Black Hat in a decade (and for some, it is more than that).
They are running large teams, managing incidents, navigating audits, dealing with executive stakeholders, and trying to keep hundreds of business initiatives moving forward. When they finally get a free evening, many of them have very little interest in spending it scrolling through cybersecurity debates on social media. They want to spend time with their families, coach their kids’ sports teams, travel, volunteer in their communities, remodel their kitchens, fix cars, and whatever else you can imagine.
These people are great at their craft, security is their calling, but it may not be everything they do. That’s a healthy thing, but it has a number of important implications for the industry. The biggest of them is that security has its own echo chamber. Like with SF, I am saying it kindly because I love our industry, and I think that’s exactly why we should talk about it.
The people we hear from the most are not always representative
The people who are easiest to hear from are often the people who are most visible, not necessarily the people who are most representative of the industry.
If you spend enough time on LinkedIn, you can start believing that everyone is talking about the same topics - the newest AI startups, new categories, new conference controversies, or latest industry trends. But when you walk into a Fortune 500, Fortune 1000, or Global 2000 security organization, you’ll often find teams focused on completely different problems. They’re worried about things like identity sprawl, asset inventories, third-party risk, change management, compliance requirements, and dealing with complexity at a large scale. In other words, they are worried about boring problems.
When you then talk to the smaller and medium-sized enterprises, especially those outside of major hubs like San Francisco or New York, you’ll realize that their worries are more different still. They are most likely thinking about MFA more than they are thinking about the problem of agentic identities, and chances are they have never even heard of what an AISPM is.
The problems people get excited about on social media and the problems consuming the time of the actual security teams are not always the same.
This influences what founders build
Nearly a year ago, I wrote an article about how “the great cybersecurity echo chamber” influences people looking to build security startups. What was relevant then is still very much relevant today. Here’s just a short snippet.
“Because these 98-99% of CISOs are pretty hard to reach, founders naturally gravitate towards the 1-2% who are visible in the community - as social media influencers, startup and VC advisors, angel investors, frequent podcast guests, conference organizers, and so on. In other words, founders reach out to VCs who are “plugged in” into the cyber ecosystem because they are, well, a part of the same community. This precisely is the dilemma. There are many reasons why talking to CISOs who are exposed to the startup community is a great thing. First, they see a lot of startups, so they are pretty attuned to the market, what innovations are being built, etc. Second, as innovators and startup enthusiasts, they are the most open to trying new ideas, becoming design partners to startups, and helping companies shape their go-to-market efforts. They usually have a great perspective to offer, and founders looking to validate their ideas should most definitely be reaching out to them.
At the same time, it’s too easy to forget that 1% of something is still just 1%. When everyone is asking the same people the same questions, they get the same answers, and they all end up building the same products. When you see that this is what’s happening in cyber, you can’t unsee it.” - Source: The real dilemmas of cybersecurity startup ideation, discovery, and validation.
When the same three hundred people are talking to the same three hundred founders, eventually everyone starts hearing the same opinions, chasing the same opportunities, and building the same products. Meanwhile, thousands of security practitioners who never post online are dealing with entirely different challenges, and they don’t have as many founders running to solve their problems.
For what it’s worth, some of the best product insights I’ve received have come from people who have never written a LinkedIn post about security and never will.
This defines what we talk about as an industry
The echo chamber effect doesn’t just impact startups. In fact, I think startups are among the least affected because founders learn what matters and what doesn’t pretty quickly. The real dilemma is that this echo chamber situation really impacts what problems we as an industry pay attention to, what gets discussed, and what we collectively are spending time on.
It’s a bit of a catch-22: people speaking at conferences, hosting panels, writing newsletters (thanks for reading mine), and otherwise being active in the media space naturally respond to feedback from the audience they can see. The problem is that the audience we can see is often a small fraction of the people actually doing security work. Because of this mismatch, entire categories of problems can become underrepresented. Not because they aren’t important, but because the people dealing with them are too busy solving them to talk about them publicly. It’s kind of ironic, but that’s how we think. We have to filter out the noise to figure out what to focus on, but we end up going towards the noise and (let’s admit), adding to it instead.
Getting outside of the echo chamber
When founders only listen to people who bought into their vision, they miss what their customers can’t see. That makes them build products that over-optimize for one use case or customer segment and miss the broader picture. When security professionals only talk to people who work at the same kinds of companies as they do, they get a very small slice of the bigger picture. That’s totally fine, but one can spend 20 years working in security, going from one company to the other, and never realize that other companies see security differently. I always smile when I hear my Bay Area friends say that every security team is deploying agents, when a week before that, I spent time talking to someone who just recently got the budget to buy a CSPM, and who is still trying to figure out which one to buy.
The only way out of the echo chamber thinking is to accept that security is broad, and that other ways of doing things aren’t “dumb” or “outdated”. There are many realities that co-exist in the same industry. Some companies are deploying agents at scale while others are planning a 3-year-long SASE initiative. Some security teams are building their own SIEM platforms, and others are trying to get enough budget to hire a single analyst. There is so so so much variety that not acknowledging it and embracing it as a norm is just not smart.
I have previously talked about the fact that our view of cybersecurity is defined by our backgrounds, and that perspective is usually very limiting (check out Blind Men and the Elephant: the story of cybersecurity for more). I sometimes feel like there are still plenty of people who assume that “their way” of doing security is the right way when that also isn’t the case.
Instead, we have to admit that security isn’t one market, but a collection of hundreds of different markets. What ecommerce companies need is not all the same as what law firms need, which is different from the security needs of banks, and different from the needs of colleges and universities. Financial services, retail, tech companies, governments - each of them cares more about some problems than others. To understand the security market, and the security needs of the market, we have to understand what each of the prospective customers needs. Not every security team works at a tech company.
I am surely not going to claim that I am somehow immune to the problems I am talking about (to my credit, I did start the post by confessing that I am a part of an echo chamber). I am, however, trying. Step one, I think, is to remember that many of the best security leaders aren’t on LinkedIn (and that they have never been on a podcast).


