Source: VentureBeat | Originally published on December 26, 2015
Morgan Stanley. Anthem. GitHub. Ashley Madison. WhatsApp. Experian. Dow Jones.
All of these companies know quite well what a cyberattack can do to their business, since every one of them was hacked in 2015. There have been so many of these incidents that Dow Jones Chief Executive William Lewis once remarked that “no company is immune” to an attack.
“There are only two types of companies in the world: those that have been breached and know it, and those that don’t,” Schlein said. “There’s not a company around that if a bad guy wants to get in, they won’t. You can try and make a high and mighty argument that ‘you can’t touch me,’ but it won’t happen. You have to change the method and make the breaches irrelevant.”
On Being a Cybersecurity Startup
With more cyberattacks taking place, government officials, companies, and investors are looking to startups for answers. Earlier this year, CB Insights reported that in the past five years, 1,028 investments were made in private cybersecurity startups, totaling $7.3 billion, an amount that didn’t seem to surprise Schlein in the least:
“No one wants to be less secure,” he said. “The innovation of the bad guys is rapid. They have unlimited amounts of time and capital. Our ability to combat is lacking.” Just like the rest of the venture capital world, millions of dollars from investors of all sorts have been sunk into companies looking to be the next big thing in protecting a company’s infrastructure. “It’s where a lot of IT budgets get spent, or it’s one of the areas that doesn’t get cut, and for good reason,” Schlein reasoned, but with a caution: “I don’t think that means more cybersecurity startups will be successful.”
Working in a cybersecurity startup is something Schlein should know a lot about: he was the founding CEO of software security startup Fortify Software before it was acquired by HP, and also helped Symantec launch its anti-virus solution. At KPCB, he’s the person behind the firm’s investment in Mandiant, LifeLock, Internet Security Systems, and others.
With the growth in the number of companies in this field, a lot of them start to sound the same. A challenge Schlein said these startups face is getting the first 10 customers, especially without looking like a “me too” firm. Not only that, but trying to steal relationships from incumbents that already deal with global companies is difficult.
However, this shouldn’t dissuade entrepreneurs from entering the space because incumbents have trouble innovating internally. Instead, companies like Symantec, HP, and Cisco will recognize that young startups are outdoing them in terms of addressing security needs and likely make a move to acquire them. “Some of them will recognize value in these startups and say ‘I got to get me some of that’ and acquire it, and some of them will fight it off and say they want to be the next big incumbent,” Schlein said. “I think these big guys realize that there’s money to be made here. ‘We’re not the greatest at innovating but these young startups are.’”
A New Philosophy on Cyberattacks
But rather than focusing on defending against intrusions and being reactive, companies should look at how to target the root cause. “If the existing stuff that’s been deployed isn’t really working as measured by the number of breaches and dollars lost, you have to change the game,” he explained. “You’re moving from a way of prevention to detection. What the real job is is to detect and then remediate as fast as possible.”
It’s not about “snipping at the edges” of the problem, but rather discovering the underlying reason for why an attack was made: see what the bad guys are doing and get at that. Schlein believes that the old model of signature-based methodology (understanding what’s bad and preventing it) is outdated. Instead, companies should be focused on understanding behavior and doing more data analysis.
“The more holistic point is: How do you gather data — network, endpoint, log, event, and all the data you can — aggregate it, correlate it, run it through some models, and be able to say something isn’t right; this endpoint isn’t behaving in the way it normally does…as a way to localize and identify where the problem is,” he remarked. “That’s the big new approach. There’s a lot of people doing this, including Ironnet which is run by General Alexander (former director of the National Security Agency). It’s a large undertaking and a huge approach.”
Most breaches are often the result of someone complying with an email phishing for information. Schlein said that it’s not possible to prevent this from happening so companies often focus on the payload (what gets downloaded behind the scenes). But he thinks another way we should be looking at things is by tackling the delivery mechanism: “Can you get rid of the phishing message and take the defense to the attacker and that way you’re never dealing with the payload?” In his view, this would be a fundamental invention and would raise the stakes for the bad guys.
Perhaps one “good” thing the frequency of cyberattacks has done is raise awareness within the corporate space. Schlein told us that security breaches have moved from being a tactical operational issue, where they may have been viewed as a nuisance, to being a board-level conversation where the consequences can include damage to a brand and to shareholder value. He referenced the firing of Target CEO Gregg Steinhafel after the company’s data breach, calling it a “seminal event in the world of cybersecurity” and saying that it “forever made cybersecurity a topic of a board room.”
The Rise of the Chief Security Officer
Companies can no longer bury cyberattacks and simply instruct their chief security officer or engineering teams to fix the problem. The impact is far reaching, and boards are spending money to be more proactive in protecting their data as best they can. Schlein believes that the real question companies must ask is how exploitable they are, rather than how secure. The difference is that the former gives boards details about how vulnerable their systems are to internal and external threats and what is being done about it, while the latter is about what security measures are in place and not necessarily about where the openings are.
Right now, boards are asking CEOs about how secure they are, but they’re not getting the detailed answers needed to protect companies. Schlein said that chief security officers are going to be the “rockstars of the future. You’re going to see CSOs on public boards and will be some of the most highly paid employees in a company, and for good reason.”
The CSOs will be at the forefront of protecting a company’s infrastructure and data, essentially being the watch commander standing at the wall waiting for invaders to try and break into the castle.
Consumers Just Want It to Work
While most of the discussion centered on what companies can do to counter cyberattacks, Schlein also spoke about whether security startups will start to build more tools for consumers. He said that it’s a much harder market to crack because “consumers want to be secure, but they don’t want to do anything to be secure.” They want the experience to be frictionless, without impeding their ability to do what they came to the app or website to do.
“The reason why the fingerprint sensor works so well on the iPhone is because you have to press the button to power it on,” he said. Startups should enter this market with “great constitution.”
Although Schlein is a venture capitalist, that hasn’t stopped him from thinking about companies he wants to start. It’s part of his philosophy: if he sees a problem and no one is working on a solution for it, he’ll go build it. In fact, one of the things he said he’s working on is this product to provide people with an “unassailable” identity protection service that’s similar to a real passport — if you can have that type of security offline, why can’t you do it online?
“You have to think differently so you don’t burn the consumer,” Schlein explained.
It’s likely that in the future we’re going to see more cyberattacks and security breaches at various companies — in fact, just prior to writing this article, the Hello Kitty website and Livestream reported unauthorized access incidents within the past few days. There have also been other incidents, including one at electronic learning product maker VTech. So, as Schlein has pointed out, instead of playing defense, companies should execute an offensive strategy and target the root cause of the problem.
Featured Image: An AI-generated image of a person using a keyboard. Credit: Adobe Firefly