Resilient Cyber Newsletter #12
Median Valuation & Round Size, Founder vs. Manager Mode, Enterprises Getting Compromised Despite Investments & Every Single AI Talk from BSidesLV, DEF CON and Blackhat
Welcome!
Tons of great resources this week, ranging from the Startup and VC community to the evolving AI Security and AppSec Space, so enjoy!
Curious how Wiz helps secure AI? Take a peek behind the curtain to see what insights you’ll gain from Wiz AI Security Posture Management (AI-SPM).
In this Sample Assessment you’ll get a view inside the product and see:
· How to discover AI services and technologies
· Which AI risks can be detected
· A review of assessment findings on the Wiz Security Graph
Discover how to enforce AI security best practices to hone your risk strategy and focus only on what’s critical.
→ Get the Report! ←
Interested in sponsoring an issue of Resilient Cyber?
This includes reaching over 6,000 subscribers, ranging from Developers, Engineers, Architects, CISOs/Security Leaders and Business Executives.
Reach out below!
Cybersecurity Leadership & Market Dynamics
Median Valuation and Round Size for 900 Series A Rounds
Carta put out this excellent insight into the median valuation and round size for ~900 Series A rounds from July 2023 to June 2024.
What is cool is that it breaks the data out by industry, and as we can see, Cybersecurity (and AI) are far up and to the right in both Median Round Size and Median Pre-Money Valuation. This is a great testament to the strong venture and innovation ecosystem we have in cybersecurity, and to the pressing need for it across society.
That said, as others such as Mike Privette with Return on Security have highlighted, Cyber is having a bit of a rough stretch when it comes to venture and M&A compared to previous years as well.
Cyber actually just wrapped up its quietest week by transaction volume and dollar amount for all of 2024.
This highlights two points. The first is that while cyber may be in a bit of a lull in terms of venture, M&A and so on, we are still doing strong compared to many other industry verticals.
C-Suite Involvement in Cyber is Little More Than Lip Service
Saying the quiet part out loud, Co-Founder and Chief Scientist of ExtraHop Raja Mukerji published a piece on DarkReading that calls out C-Suite virtue signaling when it comes to cybersecurity.
We’ve seen countless leaders and organizations claim cybersecurity is a priority, is being taken seriously and that customer privacy, security and more matter.
The reality of course is much different.
This comes at a time when nearly every organization is vulnerable to cyber threats, and most organizations are reliant on software in some capacity. A report from ExtraHop highlighted the gap, showing 4/10 organizations look to their executive leadership to help assess and weigh in on cyber-risk posture, but only 1/5 actually feel there is a high level of involvement and commitment from the C-Suite.
He points out this raises the question:
“Are industrywide claims of cybersecurity as a board-level discussion little more than lip service to stakeholders?”
As it turns out, the answer seems to be yes.
The article goes on to discuss how many IT decision-makers claim they are confident (88%) in their security readiness, but most seem ill-prepared due to a lack of direction and attention from the C-Suite and board. This is despite pushes from the SEC and others to make cyber a boardroom priority, and notable high-profile cases and litigation over failures to properly implement cyber practices.
The article has several other insights, such as most claiming they need a 26-50% increase in budget to effectively mitigate threats, but we know cyber budgets are finite and despite more spending, most are still getting wrecked (see the next article I share below).
Half of Enterprises Suffer Breaches Despite Heavy Security Investments
In a timely follow-up to the above piece, an article from Help Net Security discusses how, despite heavy investments, many organizations are still falling victim to breaches and malicious cyber activity.
They cite metrics such as:
· The average cost of a breach jumping to $4.88M, a 10% annual increase (IBM Cost of a Data Breach Report)
· 47% of corporate data stored in the cloud is sensitive
· 83% of organizations have suffered a “material” security breach recently, with 50%+ in the last year alone
· Only 13% of organizations are “cyber mature”
· 1/3 of breaches go undetected internally, with 31% of organizations finding out from an extortion inquiry from attackers
· Ransomware continues to crush, with 94% of organizations experiencing downtime and 40% facing work stoppages
The article discusses how 93% of organizations that admitted a breach experienced impacts such as unplanned downtime, data exposure and financial loss, and that is despite having 53 or more security solutions in use across the organization.
We have a cybersecurity tool sprawl problem.
We’re tool rich and implementation and effectiveness poor.
Why Identity Teams Need to Start Reporting to the CISO
Interesting article on DarkReading, where an industry CISO posits that Identity Management should be owned by the CISO, not the CIO or IT team, since it is so centric to the modern attack landscape.
The author discusses how security has struggled to influence and drive organizational initiatives, including those fundamental to risk, such as identity. With the recent push by the SEC and others to hold CISOs accountable for organizational risk, they must be in a position to control critical activities like organizational identity management.
There is of course no denying some points, such as identity being critical to most modern attacks. We know that credential compromise reigns supreme among reports such as the Verizon DBIR when it comes to attack vectors, and factors such as Non-Human Identities are exacerbating the issue, often outnumbering human identities by a factor of 10x or more.
The article goes on to discuss how the CISO is often a CINO (chief in name only), unable to influence widespread organizational change and risk management. This of course is a problem that extends far beyond just identity management. We are even now seeing some CISOs ascend into the CIO role as cybersecurity becomes more critical, as well as CISOs reporting directly to CEOs, and some forward-leaning organizations having security expertise in the boardroom.
Founder Mode vs. Manager Mode
This past week, Paul Graham of Y Combinator fame penned an essay discussing a recent event and discussions they have had about Founder Mode vs. Manager Mode.
The overarching theme of the essay is that many founders are attesting to the bad advice they got from VCs and others on how to run their startups as they began to scale, which included traditional management techniques, hiring “smart” people and letting them do their job, and more, versus operating as a hands-on and deeply involved founder.
The essay went viral, being shared widely across X, Forbes and the broader startup and VC community, with 24 million views in less than 24 hours.
It has sparked heated debates, from startups and founders agreeing, and others claiming it is a push for oppressive and abusive founders to be tyrants among their workforce.
Elon Musk also allegedly proofread the essay.
The essay discusses how there are countless books on management, but few or none on “Founder Mode”. There are of course many books from successful founders, but what makes this challenging is that every situation is unique. There isn’t necessarily a formulaic way to operate in Founder Mode and achieve unicorn scale, since many factors are involved, including timing, leadership and luck.
AI
Every AI Talk from BSidesLV, Black Hat and DEFCON
In an absolute powerhouse of an effort, Clint Gibler of tl;dr sec consolidated EVERY AI talk from BSides Las Vegas, Black Hat and DEF CON in 2024.
He covers short summaries, talk categories, and longer summaries. He also consolidated the titles, abstracts and more including video recordings, slides, papers and tools.
I can’t stress enough how amazing of a resource this is for the community. I have many of these now queued up to read and/or listen to so I can continue to build competence in AI, as it is a quickly moving space that is already showing signs of disrupting not just cyber and software, but potentially large aspects of society.
Clint also gave an amazing talk himself where he broke down a TON of recent cybersecurity publications, talks and research in terms of the viability and results of AI in different areas of cybersecurity, which I strongly recommend watching as well.
Hundreds of LLM Servers Expose Sensitive Data
This article on DarkReading demonstrates how a researcher discovered an authentication bypass vulnerability in a widely popular OSS low-code tool known as Flowise, which has tens of thousands of stars on GitHub.
They were able to use it to get into 438 publicly exposed Flowise servers, exposing GitHub access tokens, API keys, and more. This again demonstrates both the lack of governance and security as organizations rush to use GenAI tooling, and also the pervasive risk of access tokens, API keys and other credentials, often called “non-human identities”, or “NHIs”.
Securing The Explosive Adoption of GenAI and LLMs
In this episode we sit down with GenAI and Security Leader Steve Wilson to discuss securing the explosive adoption of GenAI and LLMs. Steve is the leader of the OWASP Top 10 for LLMs and the author of the upcoming book The Developer's Playbook for LLM Security: Building Secure AI Applications.
AppSec, Software Supply Chain Security and Vulnerability Management
Gartner 2024-2028 Top Cyber Predictions
Co-Founder and CEO Ankita Gupta shared some interesting “top predictions” from industry analyst firm Gartner.
Ankita shared some specific takeaways, which I’m sure are from a paid Gartner report, but I wanted to highlight a couple of them. Her post is quoted below:
1. CISO Legal Exposure: By 2027, 2/3rds of global 100 organizations will extend Directors and Officers (D&O) insurance to cybersecurity leaders due to increased personal legal exposure.
2. Battling Malinformation: By 2028, enterprise spending to combat malinformation will surpass $500 billion, consuming 50% of marketing and cybersecurity budgets.
3. GenAI and Skills Gap: By 2028, the adoption of Generative AI (GenAI) will eliminate the need for specialized education in 50% of entry-level cybersecurity positions.
4. Zero Trust Exclusion: Through 2026, 75% of organizations will exclude unmanaged, legacy, and cyber-physical systems from their Zero Trust models.
5. IAM Breach Response: By 2026, 40% of IAM leaders will take primary responsibility for detecting and responding to IAM-related breaches.
6. Data Loss Prevention: By 2027, 70% of organizations will integrate Data Loss Prevention (DLP) with insider risk management disciplines, leveraging IAM context to more effectively identify suspicious behavior.
7. Application Security: By 2027, 30% of cybersecurity functions will redesign application security to be consumed by non-cyber experts and owned by application owners.
Modern Appsec trend is the most interesting to me as it talks about creating a new high-value role called "Application security product manager".
I particularly wanted to call out the rise of the AppSec Product Manager. I’ve been saying for some time now that Product Security is consuming AppSec, with AppSec becoming a sub-practice within broader Product Security, as more and more products become digitally defined.
I also think the idea that GenAI will negate the need for specialized cybersecurity knowledge among entry-level cyber is interesting. On one hand it would certainly open the field up to new entrants, but it is hard to imagine how people with no domain knowledge, even at a basic level, can be functional in the career field.
Lastly, the claim that unmanaged, legacy and cyber-physical systems will be excluded from organizations’ ZT efforts seems outright illogical. There are countless unmanaged devices being used in the remote-first, distributed, BYOD and mobile workforce, not to mention massive amounts of legacy tech that is still running many critical systems and functions.
The idea that those systems, as well as cyber-physical systems (which increasingly include large swaths of critical infrastructure), will be excluded from zero trust efforts seems more like an effort to avoid environments that are hard to secure with modern methodologies than something that will lead to more secure outcomes.
FedRAMP Launches Digital Authorization Pilot Program
FedRAMP recently launched their “digital authorization package pilot”. It continues to facilitate innovation and the shift towards digital, machine-readable artifacts to streamline GRC processes.
This involves the use of the Open Security Controls Assessment Language (OSCAL). Compliance long ago missed the bus on DevOps. In a world of as-Code, GRC largely still lives in Excel, Word and PDF: legacy, antiquated processes that are inefficient, cumbersome and fail to keep pace with the modern velocity of software as well as the threat landscape.
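To make the “as-Code” point concrete, here is an added example (not code from FedRAMP, NIST or the pilot program) that treats a machine-readable authorization artifact the way a CI job would treat a unit test: it parses a minimal OSCAL-style component definition and reports which required controls are not claimed at all and which are claimed without any implementation narrative. The JSON document, the UUIDs, the catalog URL and the `REQUIRED_CONTROLS` list are all constructed for illustration; the field names follow the OSCAL component-definition model, but the control list is not the real FedRAMP baseline.

```python
import json

# Constructed, minimal OSCAL-style component definition used only for this example.
# Field names follow the OSCAL component-definition model (components ->
# control-implementations -> implemented-requirements -> control-id); the UUIDs,
# titles, catalog URL and narratives are made up and do not describe a real system.
SAMPLE_COMPONENT_DEFINITION = json.dumps({
    "component-definition": {
        "uuid": "00000000-0000-4000-8000-000000000001",
        "metadata": {
            "title": "Example web service (constructed)",
            "last-modified": "2024-09-01T00:00:00Z",
            "version": "0.1",
            "oscal-version": "1.0.4",
        },
        "components": [{
            "uuid": "00000000-0000-4000-8000-000000000002",
            "type": "software",
            "title": "api-gateway",
            "description": "Constructed example component.",
            "control-implementations": [{
                "uuid": "00000000-0000-4000-8000-000000000003",
                "source": "https://example.invalid/catalog.json",
                "description": "Constructed example implementation.",
                "implemented-requirements": [
                    {"uuid": "00000000-0000-4000-8000-000000000004",
                     "control-id": "ac-2",
                     "description": "Accounts are provisioned via SSO group membership."},
                    {"uuid": "00000000-0000-4000-8000-000000000005",
                     "control-id": "au-2",
                     "description": "Request logs are shipped to the central SIEM."},
                    # Claimed, but with an empty narrative: a typical package defect.
                    {"uuid": "00000000-0000-4000-8000-000000000006",
                     "control-id": "ia-2",
                     "description": ""},
                ],
            }],
        }],
    }
})

# Constructed stand-in for a baseline; NOT the real FedRAMP control baseline.
REQUIRED_CONTROLS = ["ac-2", "au-2", "ia-2", "sc-8", "si-4"]


def implemented_requirements(doc_json):
    """Yield (component title, control-id, narrative) for every claimed requirement."""
    doc = json.loads(doc_json)
    for comp in doc["component-definition"].get("components", []):
        for impl in comp.get("control-implementations", []):
            for req in impl.get("implemented-requirements", []):
                yield comp["title"], req["control-id"], req.get("description", "")


def coverage_report(doc_json, required):
    """Compare claimed implementations against a required control list.

    Returns a dict with:
      missing      - required controls never claimed by any component
      undocumented - controls claimed only with an empty narrative
      covered      - required controls claimed with at least one narrative
    Because the package is structured data, this check can run on every commit
    instead of waiting for a manual review of a Word or PDF document.
    """
    claimed = {}
    for title, control_id, narrative in implemented_requirements(doc_json):
        claimed.setdefault(control_id, []).append((title, narrative))
    missing = sorted(c for c in required if c not in claimed)
    undocumented = sorted(
        c for c, entries in claimed.items()
        if all(not narrative.strip() for _, narrative in entries)
    )
    covered = sorted(c for c in required if c in claimed and c not in undocumented)
    return {"missing": missing, "undocumented": undocumented, "covered": covered}


if __name__ == "__main__":
    report = coverage_report(SAMPLE_COMPONENT_DEFINITION, REQUIRED_CONTROLS)
    for key, controls in report.items():
        print(f"{key}: {', '.join(controls) or '(none)'}")
```

Run stand-alone, the script reports sc-8 and si-4 as missing and ia-2 as undocumented; the same function can be pointed at a real component definition and wired into a pipeline gate, which is the kind of automation a spreadsheet-based package cannot support.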
Really awesome to see the Federal sector continue to drive innovation in the compliance space.
I’ve given several talks, such as one earlier this year at my company Aquia’s Cloud Compliance Summit, where I discussed this topic among others, in terms of problems plaguing the FedRAMP program, a program I once supported while in a Federal role myself as a Technical Representative (TR) on the Joint Authorization Board (JAB), which helped oversee the process to authorize CSPs for Federal use.