Weekly Video: August 15, 2022

Hello and welcome to another edition of Cyber Risk at Deal Speed, your weekly video rundown of cybersecurity news and strategy for investors, deal teams, and the management teams of portfolio companies.

I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io

This week marked a return to “hacker summer camp” for much of the information security community - the Las Vegas conference pair known as BlackHat and DefCon, so things have been oddly quiet in the security channels.

That said, we’ve still got relevant news to cover - and we’re going to do it in 5 minutes or less.

  1. Krebs at BlackHat

  2. Microsoft Expands Threat Intelligence, Attack Surface

  3. PE fundraising on pace for record year

Krebs at BlackHat

Our first headline comes from one of the keynote addresses at BlackHat, from Chris Krebs, former director of CISA (famously dismissed), now a consultant at his own firm, Krebs Stamos (where Stamos is Alex Stamos, former Facebook CISO).

Coverage of Krebs’ talk included this great headline, about how we need to: “Make Security Valuable and Attacks Costly.”

The theme of his talk walked the line between pessimism and optimism, noting that “We're not where we need to be” when talking about the current organizational structure and state of cybersecurity at the federal level: “We're falling behind and America is suffering as a result.”

He noted that “a CEO that sees cyber risk as business risk is rare,” and that cyber risk has gotten “increasingly complex too, to the point where even experts struggle to understand […] ‘the unthinkable complexity’ of cyberspace.”

When it comes to the challenge of cybersecurity, “things are going to get worse before they get better.” “There needs to be a front door that is clearly visible,” he said. “And as I see it, that’s CISA.”

Beyond just the front door, it needs a desk to land on, a place where the buck stops. The core of Krebs’ message, to me, is that when security is everybody’s problem, it’s nobody’s problem. And that’s what gets us into the situation that we’re in today.

This isn’t a new concept. Eugene Spafford, founder of Purdue University’s CERIAS Program (Center for Education and Research in Information Assurance and Security) has been singing this song for years.

Nearly a decade ago, he aired his frustrations with the industry in a post calling out “a mix of short-sighted and ultimately stupid solutions […] being undertaken [with] large-scale efforts to address pressing problems that largely ignore fundamental, systemic weaknesses.”

“We have a marketplace where we continue to buy poorly-constructed products then pay huge amounts for add-on security and managing response.”

We desperately need to shift our view here to a larger, longer one and tackle the challenges in a way that looks more like treating the cause than the symptom. Hard to do, but - as Krebs, Spafford, and others continue to argue - critical to sustaining the economy, the military, and the collective national experience as we know it. Worth considering in your own spheres of influence.

Open Cybersecurity Schema Framework

Also announced at BlackHat this week was a partnership amongst many of the biggest players in the cloud and security space for an “Open Cybersecurity Schema Framework.” Participants include Amazon AWS, Splunk, Symantec, Cloudflare, CrowdStrike, DTEX, IBM Security, IronNet, JupiterOne, Okta, Palo Alto Networks, Rapid7, Salesforce, Securonix, Sumo Logic, Tanium, Trend Micro, and Zscaler.

Notably missing? The other two cloud providers (Microsoft and Google) and some of the other larger endpoint detection and response players (SentinelOne, VMware Carbon Black, Microsoft Defender, etc.).

The schema itself is a highly technical way of reconciling how the various vendor tools and platforms view and record information about particular events - mostly in activity logs - so that the same kind of event looks the same regardless of which product produced it.
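To make the idea concrete, here is an added illustration of what “reconciling” log formats into one schema means in practice. This is example code written for this post, not code from the OCSF project, and the field names in `COMMON_SCHEMA` are a simplified, hypothetical schema, not OCSF’s real attribute names. The two vendor formats and every log line are constructed sample data. The point it shows: once two differently shaped feeds are mapped onto one validated schema, a single detection query (failed logons per user) runs across both without caring which product emitted the event.

```python
"""Normalising heterogeneous vendor log events into one common schema.

Added illustration, not code from the OCSF project. COMMON_SCHEMA below is a
simplified, hypothetical schema written for this example (not OCSF's real
attribute names). All log lines are constructed sample data.
"""
import json
from collections import Counter
from datetime import datetime, timezone

# Hypothetical common schema: field name -> required Python type.
COMMON_SCHEMA = {
    "class_name": str,   # kind of event, e.g. "authentication"
    "activity": str,     # "logon" / "logoff" / "other"
    "status": str,       # "success" / "failure"
    "time": int,         # epoch milliseconds, UTC
    "user": str,
    "src_ip": str,
    "product": str,      # which vendor feed the event came from
}

# Constructed sample: vendor A emits JSON with its own names and an ISO-8601 timestamp.
VENDOR_A_EVENTS = [
    '{"eventType": "UserLogin", "result": "FAILED", "srcIp": "203.0.113.7", "userName": "alice", "ts": "2022-08-15T09:12:03Z"}',
    '{"eventType": "UserLogin", "result": "OK", "srcIp": "198.51.100.2", "userName": "bob", "ts": "2022-08-15T09:13:44Z"}',
]

# Constructed sample: vendor B emits key=value lines with an epoch-seconds clock.
VENDOR_B_EVENTS = [
    "act=login outcome=failure src=203.0.113.7 user=alice epoch=1660554800",
    "act=login outcome=failure src=203.0.113.7 user=alice epoch=1660554812",
    "act=logout outcome=success src=198.51.100.2 user=bob epoch=1660554900",
]


def from_vendor_a(line: str) -> dict:
    """Map one vendor A JSON event onto the common schema."""
    raw = json.loads(line)
    ts = datetime.strptime(raw["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "class_name": "authentication",
        "activity": "logon" if raw["eventType"] == "UserLogin" else "other",
        "status": "failure" if raw["result"] == "FAILED" else "success",
        "time": int(ts.timestamp() * 1000),   # ISO string -> epoch ms
        "user": raw["userName"],
        "src_ip": raw["srcIp"],
        "product": "vendor_a",
    }


def from_vendor_b(line: str) -> dict:
    """Map one vendor B key=value event onto the common schema."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return {
        "class_name": "authentication",
        "activity": {"login": "logon", "logout": "logoff"}.get(kv["act"], "other"),
        "status": kv["outcome"],
        "time": int(kv["epoch"]) * 1000,      # epoch seconds -> epoch ms
        "user": kv["user"],
        "src_ip": kv["src"],
        "product": "vendor_b",
    }


def validate(event: dict) -> dict:
    """Enforce the schema: every field present, correct type, nothing extra."""
    for field, typ in COMMON_SCHEMA.items():
        if field not in event:
            raise ValueError(f"missing field {field!r}")
        if not isinstance(event[field], typ):
            raise TypeError(f"field {field!r} must be {typ.__name__}")
    extra = set(event) - set(COMMON_SCHEMA)
    if extra:
        raise ValueError(f"unexpected fields: {sorted(extra)}")
    return event


def normalise_all() -> list:
    """Normalise both feeds and return one time-ordered stream of events."""
    events = [validate(from_vendor_a(line)) for line in VENDOR_A_EVENTS]
    events += [validate(from_vendor_b(line)) for line in VENDOR_B_EVENTS]
    return sorted(events, key=lambda e: e["time"])


def failed_logons_by_user(events: list) -> dict:
    """One detection query that works across vendors once data is normalised."""
    return dict(Counter(
        e["user"] for e in events
        if e["class_name"] == "authentication"
        and e["activity"] == "logon"
        and e["status"] == "failure"
    ))


if __name__ == "__main__":
    stream = normalise_all()
    for e in stream:
        print(e["time"], e["product"], e["user"], e["activity"], e["status"])
    print("failed logons per user:", failed_logons_by_user(stream))
```

The mapping functions are where the real work lives: each vendor needs its own, and the schema only pays off once every feed an analyst cares about has one. The `validate` step is what makes the downstream query trustworthy, since a feed that silently drops a field or changes a timestamp unit would otherwise corrupt the count rather than fail loudly.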

There are some laudable goals here, and it’s an impressive array of vendors in the sense that it can impact lots of organizations, even without some of the other big players.

But I do wonder if it’s falling prey to the same fallacies that we covered from Krebs and Spafford. Are we just treating the symptom here, and not the underlying cause?

This is an operational challenge for companies that have large tech infrastructures and Security Operations Center analysts who are struggling to reconcile all the data feeds into actionable information.

And you know what? That represents a vanishingly small number of organizations in comparison to the overall ecosystem of businesses in the world. I worry that this effort will fizzle in short order, because coordination across so many stakeholders in an open-source type of approach is difficult to sustain.

It also strikes me as being an engineer-led response, rather than a strategic investment.

I love the idea of standardizing, and the implicit recognition that our tools need to be more interoperable in general, but I’m skeptical. Most companies have other cyber challenges that we, as operators, need to work on before this becomes the problem that deserves the most attention.

Don’t get distracted, get the basics in place, and work towards being more mature and resilient, and eventually you too can have the problem this framework is looking to solve.

PE fundraising on pace for record year

New data from PitchBook this week indicates that we’re still chugging along from a fundraising perspective here in the PE world.

“Firms raised $176 billion across 191 funds in the first six months of 2022, setting a pace that, if sustained, could surpass last year's total fund value of nearly $340 billion across 577 funds.”

“Through the first half of this year, mega-funds accounted for the smallest share of total fund count, but made up a majority of total fundraising value, raising $102.8 billion.”

“Seven mega-funds have so far closed this year, right on pace with 2021's total of 14. Mega-fund value could reach a new record this year. Through Q2, that value has already made up nearly 70% of 2021's total of nearly $150 billion.”

While mega-funds continue to get a lot of attention, it’s worth remembering that a little math leaves $73B across 184 funds to be allocated - likely into middle market and lower middle market plays, where risk ticks up but so does the opportunity for return.

“Further, many firms are pushing the final close on funds from late 2022 to early 2023, allowing GPs to tap into next year's allocated dollars, as many have already committed their total PE investment budget for this year.”

We’ll continue to see big deals - Avalara taken private this week at more than $8B - but we’ll also continue to see PE deals move downmarket and into new verticals.

Fundraising

Specifically for last week, congratulations to the funds behind more than $10.5B in newly committed capital.

As the PitchBook data tells us, there is a solid supply of dry powder, and investment activity will see the benefits of that, even if the summer has been a touch slow.

Best of luck to all the funds with new capital to deploy.

You can find all the links to the stories we covered in the section below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next week with another edition of Cyber Risk at Deal Speed.

LINKS:

https://portswigger.net/daily-swig/black-hat-usa-former-cisa-director-chris-krebs-warns-clouds-of-cyberwar-are-circling-taiwan

https://www.cerias.purdue.edu/site/blog/post/on_competitions_and_competence/

https://www.forbes.com/sites/tonybradley/2022/08/10/coalition-of-cybersecurity-leaders-launch-open-cybersecurity-schema-framework-ocsf/

https://pitchbook.com/news/articles/private-equity-fundraising-value-record-year-2022
