Innovation Trends In Security Investing

Cyber and mobile security are board-level and investment topics for organizations across all industries today. With the rise of well-financed, increasingly evasive and targeted attacks, enterprises and governments have been forced to reevaluate their risk posture. More capital is being invested to fight cyber crime; a recent survey by Bloomberg suggests that more than 150 U.S.-based critical infrastructure organizations spend on average a combined $5.3 billion on cybersecurity annually. However, these corporations estimated they would have to spend $46.6 billion over the next 12 to 18 months to adequately address today’s attacks.

This concern is compounded by security implications associated with the major technology trends of the day. One such example is the daunting task of securing sensitive data as it moves about in this new world of the enterprise. Data is being stored on-premise and in the cloud, and accessed via secured and unsecured WiFi, on devices known and unknown to the enterprise. BYOD (bring your own device) has become more than just a buzzword – one recent study claimed that nearly 70% of enterprise workers access corporate data on their personal devices.

As a result, even large enterprises are becoming more receptive than ever before to working with innovative security startups, even at the expense of uprooting long-standing incumbent vendors. In fact, we believe we’re witnessing the perfect storm for IT security investment.

Given this environment, we brought together twenty forward-thinking IT security entrepreneurs along with chief information security officers from several publicly traded companies at a recent dinner meeting to network and debate innovation trends in security. Three key trends emerged:

1. Targeting the Persistence of APTs

Given the sophistication of today’s threats and the resources behind them, the discussion is no longer about whether enterprise networks are infected, but rather to what degree they are compromised, what intelligence can be gathered about the source and purpose of the attacks, and how machine learning can help to best mitigate further damage.

Mandiant’s Vice President of Business Development Jeff Scheel advocated for “the need to understand the threat actors and their tools, tactics, and procedures if we’re going to become effective at countering these attacks.”

While some CISOs have debated the importance of threat attribution in the past, we’ve reached a point where we must understand our adversaries, determine their motives, and use this data as input into our defense and detection mechanisms, and into larger business decisions.

Compounding matters, enterprises in highly regulated industries, such as financial services, have to worry not only about their own security infrastructure, but also about that of the business partners with whom they transact. Regulations such as KYC and Dodd-Frank are requiring financial institutions to compile and share an increasing amount of data on their customers and partners, but they must of course do so securely and keep the data fresh. Historically, the process of auditing a partner’s network security has been highly manual, costly, and static. However, BitSight Technologies, a Menlo portfolio company, is a great example of how innovative startups are utilizing big data and the cloud to enable enterprises to quickly gain real-time insight into the status of not only their own networks, but their partners’ as well.

2. Enterprise Mobile Security is in Very Early Innings

Another takeaway was the near-unanimous feeling that while the MDM race has been run, mobile security is still an area ripe for innovation. Early approaches in enterprise mobile security have been device-focused in an attempt to control, often through containerization, what applications could run on a device, and to provide the capability to track, control, and wipe the device should it become lost or compromised. These capabilities, which have now become commoditized, served as a patch for enterprises in the early days of enterprise mobility, generally for enterprise-issued devices or, in specially permitted cases, approved and secured employee devices. However, today’s workforce is increasingly demanding the ability to work from any device, whether it’s the corporate-issued laptop, a personal Android phone, or an individual’s iPad. IT cannot afford to secure every device that touches corporate data, nor do users want their employers to have the ability to control their devices. A truly BYOD world demands a new set of security solutions – those that are more data- and application-centric rather than device-centric.

As Suresh Balasubramanian, CEO at Armor5, put it, “MDM is about control, not security. And the security concern is all about the data and applications. Where we really need to get to is defining the next generation of mobile security beyond MDM.”

Everyone agreed that designing an effective mobile device protection solution will require technologies that focus on securing the data and specializing in mobile-specific targeted malware.

3. The CISO Role Must Evolve

Evaluating the CISO role was the most heated discussion that night because there was a sense that CISOs are oftentimes insufficiently empowered to effect change. Issues raised about their jobs ranged from the need to have better metrics and benchmarks for assessing progress and success to the simple fact that all too often CISOs become the scapegoat for more systemic IT problems that can inevitably lead to breaches.

“One of the key challenges for CISOs is to foster a culture of security in an organization,” said Niall Browne, CSO at Workday. “It is from this foundation that real security change can emerge. To be effective, this security culture must align with the business goals of the organization and include all stakeholders.”

Niall is a 16-year veteran in building and managing enterprise security programs, and is clearly one who understands cyber security. He is also currently the Chair of the Steering committee, as well as the Cloud & Mobile committee for the BITS Shared Assessments Program.

Izak Mutlu, CISO at Salesforce.com, is a major proponent of collaboration among his fellow security peers. Mutlu, who was at the Menlo dinner, leads a local group of CISOs who exchange information about the type of incidents their respective companies are tracking.

“While there are limits to the extent of what we share, it helps us all to get an assessment of what tactics our adversaries are using at that time,” says Mutlu. “We’ve found several cases where different companies are seeing the same types of attacks during the same timeframe.”

We at Menlo believe this current era presents a unique opportunity to better integrate security into the fabric of broader technologies and architectures. Menlo intends to play an integral role in supporting the entrepreneurs at this forefront, through both collaboration and investments.
