Why security products should be more actionable for users
As an active angel investor in companies that want to bring new security technology into the market, Azi Cohen is most likely to be persuaded to invest by three things: an endorsement from an external CISO, a clear go-to-market plan, and a team that knows how to sell security solutions.
He also believes that all security companies – whether they are just starting or are already entrenched – should strive to make their products more actionable for the users.
“It is not enough to receive alerts. Developers and security teams are overloaded with them and simply don’t know where to start when it comes to keeping their organizations protected,” he told Help Net Security.
“I believe that the industry needs to do a better job at helping customers understand what are the real threats to their security, using tools that can analyze the threats and helping them prioritize their defensive operations to handle the challenges more effectively.”
Getting CISOs interested
Cyber defenders are at a definite disadvantage: they only have to lose once for a significant attack to hurt their organization, its reputation, brand and customer loyalty.
The good news is that these likely repercussions have made security a topic that is discussed at the Board of Directors level and enterprise security spending increases with every passing year.
“Analysts are predicting that annual worldwide spending on security will reach more than $90 billion in 2018 and $120.7 billion in 2021. As applications become the new frontier for attacks, the amount spent on application security will continue to grow at more than double that rate,” Cohen noted.
To get a slice of that huge pie, vendors have to know how to get CISOs interested.
As the co-founder and North American GM of open source security outfit WhiteSource, and a serial entrepreneur and executive who has led many tech-based startups and established companies in the last 25 years, Cohen can provide some pointers on how to do that.
“CISOs today are constantly being bombarded by an endless number of vendors, and each vendor swears they’ve created the solution for a new but extremely important form of attack that can’t be ignored,” he noted.
But CISOs know that they can’t protect against 100% of all attacks. They are used to living with a certain amount of risk, and do their best to spread their limited budget across a reasonable set of security controls that are relevant to their organization.
“How do they decide what’s considered a reasonable solution? They simply look to measurable metrics. As a way to help the company’s CISO throughout the process of building a business case that justifies a purchase, new/innovative security solutions should come with built-in means that can identify and measure risks to the company,” he advised.
“Also, when starting your first cybersecurity company, make sure to meet with as many CISOs as you can, ask them how they feel about your solution, and whether it can help solve their top 3, 5 or 10 priorities. Trying to push a solution that is not at the top of their priorities will not work.”
Cyber security innovation
When it comes to cybersecurity innovation, Israel is considered to be a world leader and, in Cohen’s opinion, the main reason for this is that for Israel, developing security defence techniques is a necessity.
“The constant need for protection has forced the Israelis to develop more advanced defensive measures, placing them at the forefront of the cyber security vendor landscape. It is also worth noting that many members of Israel’s elite cyber forces have significant experience in the offensive space, and know how to think like an attacker,” he pointed out.
“This ‘red team’ experience and perspective gives them an upper hand in thinking about what are the next level of attacks that may be facing the industry. When young Israelis come out of the military, they already have the experience and know-how of how to think about and run innovative projects on a shoestring budget. They are able to translate this knowledge into a lean startup model that can compete, and often win, against the less agile corporate offerings in places like Silicon Valley.”