by Yoav Leitersdorf

5 ways to tick off a CISO

Mar 16, 2020

As a venture capitalist that invests solely in seed stage cybersecurity entrepreneurs, I often ask myself what keeps CISOs up at night to inform which gaps the next round of enterprise security products needs to address.


YL Ventures Managing Partner Yoav Leitersdorf sat down with cybersecurity powerhouses Pete Bodine, Managing Director at AllegisCyber Capital, Mickey Boodaei, CEO & Founder at Transmit Security, Dino Boukouris, Founding Director at Momentum Cyber, Dawn-Marie Hutchinson, CISO at GSK, Jay Leek, Managing Director at ClearSky, Richard Rushing, CISO at Motorola Mobility, and Oren Yunger, VP at GGV Capital to discuss why security vendors keep CISOs up at night. However, a lot of the answers now seem to lie in mending the risks and occasional damage rendered by existing vendors and products.

“The term ‘minimal viable product’ does not work well in security,” counsels Motorola Mobility CISO and YL Ventures Advisor Richard Rushing. This warning was one of many stark revelations expressed in my latest sit-down with leading cybersecurity executives and industry experts. Convened to discover where CISOs would like to see enterprise software go next, the conversation took a decided turn on where it is currently and where existing solutions still leave them wanting.

1. Building ambitious, multi-feature products that only partially deliver

Rushing’s point is specifically aimed at one of the biggest contributors to CISO fatigue in today’s market. In a growing market trend, cybersecurity entrepreneurs are angling towards building larger and larger companies by offering ambitious, multi-feature products as early as possible. While commendable, this ambition has led to significant market overcrowding by “half-baked” platforms. According to this narrative, many startups—up to 95% says ClearSky Managing Director Jay Leek—truly specialize in just a fraction of the features their platforms offer. Faced with resource and time constraints, their high quantity of solutions cannot help but come at the expense of the quality of at least a few.

This poses risks that cyber executives cannot afford to assume. As GSK CISO Dawn-Marie Hutchinson explains, “In my job, I don’t get to be wrong. I don’t get a swing and a miss. If you sell me a product, and it has two good features, and three moderately good—or crappy—features that you just bolted on, you have failed me. It’s not enough to just focus on three out of five. All five have to be spot on because I can’t miss, which means you can’t miss”. Rushing agrees, revealing that even “name brand” cybersecurity solutions are guilty of this approach.

With no margin of error permitted to CISOs, one strike can be all it takes for a vendor to make it into their bad books. “If it’s failed once, maximum twice, I just can’t trust it. And if I don’t trust it, why is it there? I have no interest in keeping it on my network,” cautions Rushing. Hutchinson concurs: “You bet five for five, I’m expecting you to get all five right. Four out of five, I’m questioning the other four times that you got it right. And if you let me down twice, you might as well have let me down five times, because I have no faith anymore.”

Some in the industry have caught on, with ClearSky’s Leek offering the following warning to his investor peers: “As a venture backer, I’m telling you right now that a growth-backed company can’t fight more than three to five battles. So, when you hear that someone is fighting more than that, run like hell, I know I do. Because they’re doing too much stuff.” Along those lines, GGV Capital VP Oren Yunger advises cybersecurity entrepreneurs to be introspective and certain that they can actually live up to all of their deterministic value statements: “You cannot be everything to everybody. Because otherwise, you’re going to be nothing for nobody. So, make a decision. What are you going to focus on? And do it right.”

2. Treating your customers as design partners without their knowledge

Transparency around less-developed features is key. Incredibly, many CISOs today struggle with vendors surreptitiously QAing less-developed features in their environments. Entrepreneurs must take note that this is a surefire way to be shown the door. “Your customer’s production environment is not your glorified QA environment,” censures Leek, “so however many QA resources you have right now, no matter what that number is, double it. Because you cannot afford to anger your customer by doing that—especially at scale.” One would think that this goes without saying. Yet, the majority of the experts I consulted acknowledge that this type of shady behavior occurs surprisingly often.

Vendors must be upfront if they are looking for a design partner, especially since many CISOs are happy to oblige when the offer is relevant. “We were engineers once and now we double click for a living. We’re genuinely nerd curious about what you do. We got to where we are because of our insatiable curiosity. There are a lot of times that we’re willing to take that risk with you,” says Hutchinson, “However,” she cautions, “vendors need to remember to eat that elephant one bite at a time.”

3. Failing to scale in your customers’ environment

Transparency and realistic expectation-setting around platform scalability pose additional challenges to CISOs. According to Mickey Boodaei, CEO & Founder at Transmit Security, this is the next hurdle companies face once they successfully manage to offer fully manifested platforms. “Once you move beyond consolidating solutions, the next biggest problem is applying those solutions at scale,” he says, adding that the products that manage to succeed in today’s market are the ones that do this best.

This point is reaching criticality, as the scale of attacks themselves is increasing rapidly, according to Dino Boukouris, Momentum Cyber’s Founding Director. “We’re seeing the offensive side employ the same buzzwords guiding our defensive capabilities,” he warns, “and they’re using that to launch higher scale attacks that are more flexible and nimble, more dynamic, and even more challenging.” Given that many of these attacks are backed by well-funded criminal organizations and nation-states, the pressure is not set to let up anytime soon. “Weaponization is incredibly fast today,” adds Rushing, “you can patch things on Patch Tuesday, when things are actually released, but guess what? You only have six hours before the rest of the world is already reverse-engineering the patch and is attacking the infrastructure that’s actually there.”

4. Offering solutions that impede productivity or slow security teams down

Many CISOs are feeling the heat, and it is made worse by another significant challenge created by vendors. In many cases, far from offering more dynamic and nimble solutions to counter these intensifying attacks, a good number of vendors are actually slowing security teams down. “This is often due to a workflow issue, issues with extracting data out of the tool in a meaningful way or what the tool is actually reporting on,” explains Rushing. He asserts that this is critical in light of the stress caused by the human talent shortage: “the most precious thing that I have is my team’s time because it’s really hard to multiply that. So even if your solution is really good, if you’re slowing my people down, you will be out the door on that.”

Pete Bodine, Managing Director at AllegisCyber Capital, stresses just how important productivity is and shares that the market is looking for solutions that can get even 0.5 to 0.6 percent more productivity out of existing security teams and stacks: “CISOs can’t acquire those resources fast enough,” he says, “so the things they’re going to pay the most for are the ones that leverage the resources and personnel that are already there.”

It is on this final point around productivity that Bodine reveals the secret sauce to a guaranteed investment for entrepreneurs. “I cannot stress how much of a difference productivity makes to the CISOs we consult with. So, as an investor, our attention is immediately piqued when we learn that a POC took fewer resources than a regular POC, because it often means that they developed their process early enough with a customer satisfaction person. We really don’t see that very often, but when we have, we’ve written a check almost right on the spot, just because they take so much sand out of the gears and make it so much easier for a yes decision to occur.”

5. Failing to integrate your privacy tools into their environment

The privacy market is another area that should especially take note of this, as many CISOs are taking ownership of their organizations’ privacy offices as well. According to our experts, they have quite a long way to go. “The integrations of privacy into security tools just aren’t there yet,” asserts Hutchinson, “they’re really just kind of glorified Excel spreadsheets with a pretty cover on them. There almost isn’t anything technical or innovative behind most of today’s privacy solutions. All they’re really doing right now is creating more work for me.”

As an entrepreneur, it can be very tempting to approach “the next big thing” in cybersecurity from a blue ocean or green field perspective. However, these conversations confirm that the true key to a CISO’s heart is transparency, specialization, simplicity and optimizing what they already have. CISOs are tired and have grown wary of sweeping promises.

Their message is loud and clear, and as a seed-stage investor, I encourage entrepreneurs to heed their warning. The uphill battle towards true cybersecurity enterprise growth has gotten steeper than ever. To make it, entrepreneurs must collaborate extensively to ensure that their product actually translates into a killer multi-feature platform.

The question now is how they can get their foot in the door. In this changing landscape, the real key to success is to make the right alliances. To this end, entrepreneurs should be strategic in the type of investor they approach, ensuring that they partner with well-connected firms that can help source those critical design partners on their behalf.