Thoughts on Building a Cybersecurity Program
4–22–2024 (Monday)
Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, April 22, 2024, and this is the video where I find out who is actually watching and wants to comment on my mustache. We’ll see!
Thoughts on Building a “Cybersecurity Program”
From a cybersecurity perspective, there’s been a real push of urgent needs in the last couple of months, whether these be zero-day vulnerabilities in products from Ivanti and Palo Alto, vulnerable repositories on GitHub getting brought into widely used software libraries, vendor and supply chain incidents requiring work on our part, or incidents at security tooling companies like Cisco / Duo, LastPass, or Delinea / Thycotic.
What a run! But here’s the thing - cybersecurity and IT teams can’t run like this forever. You’ll quickly find out that your team is over-taxed, over-burdened, and burned out when these difficult stretches happen and they’re asked to respond to every single fire in addition to all of the day-to-day things they’re responsible for.
Indeed, this is one of the hardest parts of cybersecurity: managing the workload for your teams so that they remain a sustainable resource while your organization doesn’t face undue risk from the incident of the day.
Let’s be clear - there are definitely times where you need to suck it up and put in the hours. But if that’s the only way your team works, they won’t be your team for long.
Building a cybersecurity program should be done in such a way that there are resilience efforts that reduce this sense of urgency (through things like Defense in Depth and Diversity of Defense), and that also establish collaboration and cooperation across the business well before these high-impact events take place.
This might take the form of introducing some “paved roads” initiatives that make it easier for other parts of the business to do their thing securely (and have the side benefits of reducing or eliminating things like Shadow IT or Shadow AI services, etc.). Netflix is famous for doing this, and I highly recommend reading their write-up on scaling these security efforts.
While it might feel like cybersecurity is an effort unto itself, we need to shift our mindset, and that of our colleagues, to understand that cybersecurity is part of the business (just as risk is part of the market).
It might also help bring us back to the basics of understanding the business need, the people, systems, and data involved in that process, and the requirements or deal breakers for the engagement.
It’s easy - and tempting! - to over-complicate cybersecurity or make threat actors seem unstoppable. In reality, however, the basics go a tremendously long way towards building a resilient program.
There’s an ongoing argument about the value (or risk) in cybersecurity platforms, with some arguing that there is no such thing as a cybersecurity platform and others pushing the notion that “platformization is definitely happening.” I don’t plan on settling that argument here, but would note instead that there are good points on both sides, and it ultimately doesn’t matter what the analysts or vendors say.
What does matter is what you and your team are doing, on a daily basis, to build resilience and relationships with your stakeholders. These investments will get you through the difficult times, and not having them will make difficult times that much harder.
While we’re not dealing with the house burning down this week, let’s take a breath, pop our heads up, and take a heading check on where our program is, where it’s going, and whether we need a course correction.
Fundraising
From a fundraising perspective, a very light week, with just over $3B in newly committed capital. Seems like maybe everybody is catching their breath after a very big couple of weeks, and that’s probably okay.
You can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
Links
https://netflixtechblog.com/the-show-must-go-on-securing-netflix-studios-at-scale-19b801c86479
https://developer.squareup.com/blog/connecting-block-business-units-with-aws-api-gateway/
https://kellyshortridge.com/blog/posts/cybersecurity-isnt-special/
https://lcisec.com/posts/2024/03/security-principles-stand-the-test-of-time
https://stiennon.substack.com/p/there-is-no-such-thing-as-a-cybersecurity