by Jamie Lewis, Venture Partner

Few business leaders would argue against the value of making data-driven decisions. Today, data analytics give businesses insights in — or near — real-time, allowing them to respond to changing markets and customer needs. These benefits have driven a rapid evolution of the decades-old concept of the data warehouse. “Big data” and platforms such as Hadoop emerged, followed by “data as a service” and data lakes. …


by Chenxi Wang, Ph.D., General Partner

As an investor and a technology enthusiast, I get excited when I encounter a novel viewpoint, a new way of solving a problem, or simply a new treatment to a challenge. But I have to say that it is a rare occurrence when someone solves a compelling problem, but at the same time brings fundamental innovation via its underlying technology.

JupiterOne is one such case.

I got to know Erkang Zheng, the founder of JupiterOne quite some time ago, when both of us were working in a completely different capacity.


Erkang was the CISO of LifeOmic, a data service cloud that provides many categories of health data that is central to patient care. Naturally, with these kinds of services, security, privacy, and compliance are of utmost importance. …


by Jamie Lewis, Venture Partner

In part one of my conversation with Malcolm Harkins, we discussed the CISO’s role as a “choice architect.” In part two, we discuss how CISOs misperceive risk and the innovation necessary to move security “to the left,” enabling security and privacy by design. (With Harkins’s approval, I’ve edited the questions and answers for brevity and clarity.)

The Misperception of Risk

Jamie Lewis (JL): [In part one of this conversation], we discussed the need for CISOs to expand their scope. As the security scope broadens, what’s the biggest risk CISOs face?

Malcolm Harkins (MH): The most significant vulnerability we face is the misperception of risk, which is driven by economics and psychology. The economic side is my P&L, my budget, all those things that drive a level of bias toward the goals I have, and how my performance is measured. Like when Ford shipped the Pinto, it had a patent on a part for a safer gas tank that would have cost $11. But they were facing competition from Volkswagen in the low-end car market, so they brought the Pinto to the market faster than any other car they had built. They didn’t want to lose the opportunity, so the economics were creating a strong bias. And we all know the results of that. The other aspect of this is psychology, and it can manifest in different ways. One is the “shiny bauble” syndrome. When people perceive a benefit in something or an opportunity in it, or they get enamored with it, they psychologically discount the risks. …


Malcolm Harkins is well-known in information security circles. Early in his career at Intel, Harkins held positions in finance and procurement before moving into information security roles. After serving as Intel’s chief information security officer (CISO) for seven years, he became the company’s first Vice President and Chief Security and Privacy Officer (CSPO), responsible for managing the risk, controls, privacy, security, and compliance activities for all of Intel’s information assets, products, and services. Harkins left Intel in 2015, taking the chief security and trust officer position at Cylance. He’s currently the chief security and trust officer for Cymatic, a board member and advisor to other companies, and an executive coach to CISOs and others in information risk roles. The second edition of his book “Managing Risk and Information Security: Protect to Enable” was published in 2016. …



by Jamie Lewis, Venture Partner

A complex interaction of threats, attack vectors, and enterprise security architecture is behind every breach. But an examination of common security failures reveals a fundamental disconnect between the technological and human aspects of security architecture in many enterprises.

Make no mistake: security products and services are an essential part of the solution. But it’s equally important to understand that behind every bit of malware is an adversary — people who are attacking an organization. Organizations are, of course, comprised of people, and people bring risks and vulnerabilities that may be beyond the grasp of technology. The 2020 Verizon Data Breach Investigations Report (DBIR) found that phishing and the use of stolen credentials were the top two threat actions in 2019, accounting for more than 50 percent of all breaches. …



By Jamie Lewis, Venture Partner, and Chenxi Wang, Ph.D., General Partner

Cloud initiatives have demonstrated their ability to deliver significant benefits to user organizations. But in some cases, concerns for security are blocking or delaying cloud deployments. In-house security teams, which may be well-versed in on-prem systems, may not have the expertise necessary to ensure cloud-based security. When cloud initiatives do proceed, enterprises often apply traditional security approaches to cloud environments only to find they don’t work. Simply put, moving to the cloud involves both architectural and organizational dynamics that challenge enterprise information security culture in fundamental ways.

Nowhere are these challenges more apparent than in the case of Incident Response (IR). For the most part, incident response processes and techniques haven’t changed since 1993 — a fact that cloud migrations make painfully clear. In far too many cases, organizations learn about a security breach after the fact from a third party. And once they determine there was a breach, most enterprises will call in a consultancy that specializes in breach assessment and response to investigate, determine the extent of the damage, and define a response plan. …



by Jamie Lewis, Venture Partner

As we discussed in a previous post, chaos engineering is a relatively new idea in the security domain. But there are products and tools that security teams can use to implement it if they so choose.

As the first to apply chaos engineering to software development, Netflix built many of its own tools. But given the results organizations such as Netflix have had with the practice, general-purpose tools have started to emerge, allowing more organizations to add chaos engineering to their cloud development arsenal. Such tools typically provide a general-purpose framework for developing experiments and tools for deploying them and reporting the results. …



by Jamie Lewis, Venture Partner

As we’ve discussed in several posts, organizations must apply the principles that drive DevOps and site reliability engineering (SRE) to security in cloud-native environments. Testing, of course, has always been a critical component of both the application development process and any effective security program. And like application development itself, testing techniques and time frames have changed dramatically with the DevOps model. Within Continuous Integration/Continuous Deployment (CI/CD) pipelines, constant testing and improvement are an operational given. More significantly, companies such as Netflix have discovered that testing alone cannot ensure the resilience of cloud-native systems. …



by Jamie Lewis, Venture Partner

The rapid move to cloud-native architectures is having a profound impact on enterprise security posture and operations. In the world of containers, microservices, and orchestration frameworks, the notions of an “application” running on a “machine” in a persistent “state” are obsolete. The application, or service, is now a distributed system, consisting of multiple components running on a highly variable number of nodes, in a nearly constant state of change. Traditional security controls that rely on machine isolation and a predictable system state are ineffective. …



By Jamie Lewis, Venture Partner

Many organizations are making the shift to cloud-based collaboration and productivity tools because they make it easier — and cheaper — to deploy, manage, and use the tools people need. With services such as Google GSuite, Microsoft Office 365, DropBox, or Box, organizations can start small and scale quickly with predictable costs. Mobile device support is a given, and with a central storage facility for documents and other data, sharing is easier and more consistent. These benefits enable a dramatic reduction in organizational friction, driving higher participation and facilitating better business outcomes.

As significant as these benefits are, however, the ease with which people can share data using these cloud services brings new challenges to security and risk management teams. With SaaS tools, it’s easier for users to make an innocent mistake. They can share data with the wrong people, share the wrong data, or give outsiders broader access than necessary, creating risk for the organization. At the other end of the spectrum, malicious insiders find it easier to locate and share data with outsiders. Making matters worse, most organizations lack the tooling to find and manage these risks. …

About

Rain Capital

Rain Capital is a cybersecurity venture fund based in the San Francisco Bay Area. A women-led and women-managed fund, Rain invests in disruptive security companies.
