Cyber security continues to infiltrate our daily news feeds and make headlines on a regular basis. It’s touched our most iconic companies such as Apple and it has risen to the forefront of our government’s attention on several occasions. One thing is clear amid all these developments: companies see the need to protect themselves an utmost priority and yet, the way to accomplish that remains complex and confusing to many.
As part of our Kleiner Perkins Caufield & Byers (KPCB) Leadership Salon series, I hosted a panel of cybersecurity entrepreneurs who have spent years working for the government before starting their own companies. They all have a perspective on these trends affecting both the private sector and the public sector. The panelists included Oren Falkowitz, CEO and founder of Area 1 Security; Nathaniel Fick, CEO and founder of Endgame; Jay Kaplan, CEO and founder of Synack. They offered their thoughts on how customers should think about their own security, the talent war and the challenges of fighting nation states which are looking to do harm. Above are some excerpts of our discussion in the most recent Ventured Podcast.
The Talent Gap in Cyber
There are simply not enough information security professionals to defend the number of companies trying to defend themselves, which was part of the reason Jay Kaplan created Synack.
Even with the growing number of security products, companies need people in their organizations who understand both the data and the vulnerabilities, and ultimately know how to fix them. The talent gap won’t be solved until a new workforce is educated or the current information security workforce is better educated.
However, it’s important not to make cyber too “vocational” because companies need to attract a wide variety of professional skillsets to the security field. Both Oren Falkowitz and Nate Fick agree that diversity breeds innovation and that solving something as complex as cybersecurity only will benefit from people with different perspectives and backgrounds working on the problem.
Complexity is the Enemy of Security
Security nowadays is ever changing and complicated. It is omnipresent in the news – from the FBI attempt to force Apple to create a “backdoor” for the iPhone to the Hollywood Presbyterian Hospital payment to regain computer system control from hackers. It’s hard for customers to keep up with all the latest developments. And, customers are experiencing real vendor fatigue: a corporation or agency might use up to 300 products. That type of complexity creates an obstacle to effective security, said Nate Fick, as he believes the industry will ultimately require better integration or consolidation of products and solutions.
Good Defense Requires Thinking like the Adversary
Unlike other industries, competition in the security industry is not comprised of just businesses competing with each other. Security companies compete with living, breathing human beings on the other side of the connection who are trying to do harm to those companies or their customers. Many of these nation states have nearly unlimited computing power and human resources. So customers and security companies need to think like the adversary and take a proactive posture. More and more, we need to be taking the fight to the attackers. Oren Falkowitz says, “The way to be preventative is to find the attackers where they are and not wait for them to attack.” Nate Fick added, “We can do as much damage to the adversary with good defense as good offense.”
The M&M analogy
Like the M&M candy, an old way of thinking in security was to focus on just the perimeter– have an enterprise network that was hard on the outside but soft on the inside. However, given today’s demands of customers who want their data anywhere, anytime on any device, it’s impossible to ensure a protective bubble around your network. Attackers have a huge advantage: it just takes one vulnerability– such as an employee who responds to a phishing email — to penetrate the inside of an entire enterprise network. “Everything about these [cyber] attacks are generic, but our response is more hyperbolic,” said Oren Falkowitz.
The Cloud: Advantage or disadvantage to security practitioners?
Cloud computing can be a huge benefit to cyber security. By entrusting their overarching infrastructure or computing to a cloud-based company, customers are putting the onus on an organization that is “so much more capable and has so many more security resources than you do as a small company or even a large enterprise,” Jay Kaplan said. In addition, there’s a “neighborhood watch effect” as cloud migration helps make it easier to share threat data and move quickly when it comes to cybersecurity matters, Nate Fick pointed out.
Encryption backdoor: As good an idea as jean shorts
The idea of creating an encryption backdoor is as good an idea as jean shorts, says Oren Falkowitz, which is to say “not a good idea.”
Jay Kaplan and Oren Falkowitz agree that technically speaking, creating a back door for the government creates another vulnerability for attackers to also take advantage of. “As soon as you open up one hole, it’s game over at some point and you might not even know that that someone found out about it or figured it out,” Jay Kaplan said.
Ultimately whatever rights and protections are afforded the government need to be given to individuals as well. “All of us [in the private and public sectors should] benefit from secure and private communications,” Oren Falkowitz said.