Hello everyone
Phil Venables (former CISO of Goldman Sachs, former CISO of Google Cloud, now full-time at a VC) is certainly known to most, possibly from his highly recommended blog.
Below are a few points and concrete case studies from a recent interview with him:
- Trend of CISOs taking over the CIO and CTO roles
- Also as a result of years of discussion à la “You have to improve the security in the IT infrastructure!” => “OK, then show how that’s supposed to work!”
- Probably the natural way of things. After all, we don’t have any Chief Work Safety Officers in companies, despite about 400 fatal accidents at work per year in the DACH region. Security alone has too small an economic lever on the success of a company (security providers aside)
- By the way, any kind of regulation such as CRA, DORA or NIS2 leads to security becoming less of a differentiator or competitive advantage. A bank can’t score points with customers by adhering to legal requirements – that’s the admission ticket and is rightly assumed
- A positive side effect: We may see CEOs who started their careers in information security and then become CEOs at some point via the CTO position. According to my small+short research, there is currently no Fortune 500 company that has a CEO who has worked in the field of infosec (counterexamples are welcome, of course)
- Challenges of security at scale in complex brownfield environments: Updating the encryption algorithm from 3DES to AES in AD took ~18 months. Why? Dependencies between domain controllers, the authentication method in applications, the file system and the database system => which in turn led to changes in applications. In the end, almost all systems in the company had to be adapted
- Lagging indicators such as the number of open vulnerabilities or the number of compromises are also measured at Google – as KPIs that represent the effectiveness of the security program.
- However, leading indicators such as “proportion of software that can be built reproducibly” are used for steering.
- What I haven’t figured out yet, however, is how this can be measured with sufficient precision over longer periods of time to actually detect improving or deteriorating trends. I imagine an initial survey is simple, but continuous measurement with a comparable history? If you have any practical tips, please contact us.
- Easier to understand: proportion of infrastructure with “cold start capability” => example: Test the recovery of entire networks, not just individual files or applications. This is the only way to detect chicken-and-egg problems (“circular dependencies”), e.g. between DNS server and identity provider or authentication server – if one of them does not work, the other cannot be brought back up either
- Secure by default works: 99.5% of all customers have not changed the default configuration after a software update, even if it worsened the user experience
- Real productivity improvements in the security team achieved through AI:
  - Malware sample reverse engineering by AI, followed by automated creation of a detection rule and update of the rule set in the SIEM
  - Automated extraction of new attack techniques from videos (e.g. the latest “Bypass EDR” YouTube highlights) instead of analysts having to watch the videos/transcripts
  - AI-generated fuzzing harnesses (programs and tests to dynamically test code that is not directly reachable via input) currently lead to ~30% higher test coverage
  - Incident reports: written better than those by human analysts
  - Configuration of own infrastructure: The combination of a RAG, fed with its own documentation and infrastructure-as-code, has led to a “massive reduction” in time spent while improving compliance
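The cold-start point above (DNS and identity provider each needing the other to come back) is easy to check on paper before a full recovery test. The following is an added example, not from the interview or the newsletter: it models the restore-time dependencies between services as a graph, reports the chicken-and-egg cycles, and otherwise prints a valid bring-up order. All service names and edges are constructed for illustration.

```python
# Added example: find circular restore-time dependencies between infrastructure
# services (the "chicken-and-egg" problems a cold-start test would surface).
# Service names and edges below are constructed, not from any real environment.
from collections import defaultdict

# edge A -> B means "A needs B to be up before A itself can be restored"
SAMPLE_DEPS = {
    "dns": ["idp"],          # DNS admin logins go through the identity provider
    "idp": ["dns", "db"],    # IdP resolves its database host via DNS
    "db": ["storage"],
    "storage": [],
    "siem": ["dns", "idp", "db"],
    "app": ["idp", "db"],
}

def find_cycles(deps):
    """Return each dependency cycle found as a list, e.g. ['dns', 'idp', 'dns']."""
    cycles, state, stack = [], {}, []
    def visit(node):
        state[node] = "visiting"
        stack.append(node)
        for dep in deps.get(node, []):
            if state.get(dep) == "visiting":     # back edge => cycle on the stack
                cycles.append(stack[stack.index(dep):] + [dep])
            elif dep not in state:
                visit(dep)
        stack.pop()
        state[node] = "done"
    for n in deps:
        if n not in state:
            visit(n)
    return cycles

def cold_start_order(deps):
    """Kahn's algorithm: bring-up order, or RuntimeError naming the stuck services."""
    nodes = set(deps) | {r for reqs in deps.values() for r in reqs}
    indeg = {n: 0 for n in nodes}            # unresolved prerequisites per service
    dependents = defaultdict(list)
    for n, reqs in deps.items():
        for r in reqs:
            indeg[n] += 1
            dependents[r].append(n)
    ready = sorted(n for n in nodes if indeg[n] == 0)
    order = []
    while ready:
        n = ready.pop(0)
        order.append(n)
        for m in dependents[n]:
            indeg[m] -= 1
            if indeg[m] == 0:
                ready.append(m)
        ready.sort()
    stuck = sorted(n for n in nodes if n not in order)
    if stuck:
        raise RuntimeError(f"cannot cold-start, circular dependency among: {stuck}")
    return order
```

Breaking the cycle in the model (e.g. a break-glass DNS admin account that does not go through the IdP) turns the error into an ordered bring-up plan.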
Forrester has compared the common SIEM solutions (but as usual without technical tests and without prices); currently the report is still freely accessible. Splunk, Microsoft and Elastic are the leaders. Behind them are Google, Palo Alto and Crowdstrike. This also matches the current inquiries we receive, esp. from larger organizations looking for “platform solutions” instead of best-of-breed. Strangely enough, Fortinet and SentinelOne are not mentioned at all, while Sumo Logic, among others, which has been largely unknown as a SIEM in this country, is.
The AWS European Sovereign Cloud is coming – This is not only another digitally independent alternative to Ionos, Telekom, OVH and StackIT, but possibly also a blueprint for American security providers such as SentinelOne, Crowdstrike or PAN:
- Own holding company, subject only to German legislation
- Management exclusively by EU citizens
- Operation (infrastructure and personnel) exclusively in the EU
- Completely self-sufficient operation possible without dependencies on components from other EU countries
- BSI C5 tested
- Investment planning ~EUR 8 billion over the next 15 years
- To be available from 2026
- Seems to be even more consistently decoupled than the Google Sovereign Cloud, which has at least made it into use by the Bundeswehr. Other assessments are of course welcome.
And here are two wins on points for Team Skynet against the office worker class:
- XBOW currently leads the HackerOne Bug Bounty Leaderboard – with a fully automated web app pentest tool, similar to AttackIQ, Pentera, Horizon3, Hadrian, Cymulate, etc.
  - Each discovered vulnerability is validated by the AI tool to reduce the number of false positives. For example, XSS vulnerabilities are only reported if the actual execution of a JavaScript payload has been confirmed by an AI agent with a (headless) browser.
  - Is this a “Kasparov vs. Deep Blue” moment for the pentest community?
  - In any case, there was 75 million USD in funding for the further development of the US startup (~50 employees)
- The CEO of Klarna (Buy Now, Pay Later payment service provider from Sweden) has announced that he has successfully reduced the number of employees from 5000 to 3000 (= 40% staff reduction) through AI, with double-digit sales growth. Let’s see if this is confirmed. The “Service and Processing Costs” are actually rising more slowly than the revenue over the year, but the delta has not been impressive so far – the variable costs may have an impact when using AI.
M&A news, long list this time:
- Snyk acquires Invariant Labs, a Swiss provider for the protection of AI agents and MCP servers
- Rubrik acquires Predibase – they specialize in the development and efficient training of customer-specific small language models => customers should be offered (in my opinion) the ability to use their own data, protected by Rubrik, cost-effectively in AI workflows
- Bitdefender buys Mesh (Email Security from Ireland)
- Securonix (SIEM/SOAR, approx. 1000 corporate customers, PE financed) buys ThreatQuotient (Threat Intelligence)
- Kiteworks (secure data exchange) buys Zivver (email security from the Netherlands)
- LevelBlue (Managed Security Services from the USA, part of AT&T, approx. 1000 employees) buys the cybersecurity consulting division incl. incident response service from AON (largest insurance broker in the world)
  - Some customers are probably familiar with the CyQu Assessment as preparation for taking out cyber insurance – but this part of the advisory or risk dialogues remains with AON
  - The brokerage of insurance is a much more lucrative business than most security services or solutions: mandated by management, high lock-in effect (who wants to rummage through the small print of policy contracts), recurring revenues, automatic inflation adjustment.
- Cyera (Data Security) raises another ~500 million USD at a valuation of 6 billion. Respect. That’s about 150 times the estimated turnover.
Notes from Vendor Briefings:
Wraithwatch:
- US startup; attack path simulation based on digital twins, similarities with XM Cyber
- But real innovation, as far as I can tell: Simulates both Red and Blue Team using “AI Swarms”, each of which reacts to the actions of the simulated opposing side and adapts attacks.
- In addition to configuration changes, the possible actions of the Blue Team AI also include host isolation, process kills or the like, which can be achieved using AV/EDR. Other security controls such as segmentation are on the roadmap
- Does not use exploits – so probably a high number of false positives despite all the AI
- Applications cannot be simulated (but users who have access rights to certain applications can)
- In addition to the graphical representation of attack paths (like in the planetarium), of course also recommendations for action to eliminate vulnerabilities
- The founders were the CISOs at Anduril and SpaceX, Palantir also appears in the CVs => serious people
- ~10 customers, including defense and government, but none yet in the EU
- Once again sensational naming (it’s clear that MaierMüller Computersicherheit GmbH, on the other hand, is fighting a losing battle)
Tamnoon:
- Managed Cloud Remediation: Focused managed service from the USA that comes with a self-developed solution for workflows, but already requires a CNAPP (Wiz, Orca, Prisma, Sweet, Crowdstrike or similar) from the customer
- Prioritizes issues and can either create step-by-step instructions for remediation and load/track them in pipelines, or fix them itself, e.g. in Terraform, if it has the appropriate permission
- No customers in the EU yet
SilentPush:
- Very special solution: Discovery & Mapping of Attacker Infrastructure (ICANN registrations, websites, DNS, certificates): “Indicators of Future Attacks”
- Based 100% on its own scans and engineering, with a lot of manual testing for false positives. This allows attack infrastructure to be identified earlier (days to months in advance)
- Customers so far only in the US and UK, including Walmart, Target, JP Morgan, Marks & Spencer, Haleon, banking and of course MSSPs and IR teams
- In the demo, a URL registered by Lazarus (APT) was tested at VirusTotal => 0/90 malicious verdicts
- In addition, brand protection: monitoring of fake domains (impersonation), DNS misconfigurations, effectiveness of takedowns
- We are still looking for resellers in this country (distributor in the EU is Aqaio)
Artifact Security:
- The CTO of SE Labs has founded his own company to test (AI) security solutions, primarily on behalf of manufacturers. Headquarters UK
- Test environment with ~40 endpoints, 20 users and emulated network traffic, all on AWS
- So if you want to order a laboratory test for marketing purposes, for example, you have a new alternative here
Nudge Security:
- SaaS Security (CASB + SSPM) from the USA, approx. 100 customers
- Similar approach to Grip: scanning mailboxes to discover + inventory all SaaS applications, accounts, and users, as well as OAuth integrations
- Automation of workflows such as on-/offboarding, rights management and configuration including MFA, but also for the forwarding of security events to a SIEM/SOC
- Automatic alerting when SaaS providers used have been hacked
- In addition, license optimization
As always: Questions, suggestions, comments, experience reports, topic requests and also opposing opinions or corrections are welcome by email. Ditto for unsubscribing from the mailing list.
For those who have received the market commentary for the first time: Here you can register if you are interested or browse the archive.
Regards
Jannis Stemmann
