Defining and assessing the attack surface of the typical enterprise has never been an easy task. The enterprise IT environment has gotten more dynamic, and thus more difficult to assess, with each phase in the infrastructure’s evolution. As organizations transition to the cloud, the attack surface becomes even more dynamic and amorphous, encompassing thousands of applications and services, along with their supporting protocols and innumerable APIs. Innocent misconfigurations of cloud services can create an instant vulnerability, while CI/CD pipelines add, delete, and modify services, interfaces, and protocols continuously.

Because new risks arise quickly and without warning, attack surface management in…


by Jamie Lewis, Venture Partner

Since the post on our investment in Mitiga, the COVID-19 pandemic has accelerated cloud adoption significantly as enterprises grapple with lockdowns, remote workers, and budget constraints. While the “annus horribilis” that was 2020 is over, it’s clear that these circumstances will extend well into 2021 as the pandemic drags on. It’s equally clear that the pandemic is accelerating permanent change in business operations across the board. More organizations will adopt cloud architectures, perhaps sooner than anticipated and before their security teams are fully prepared. …


by Jamie Lewis, Venture Partner

Few business leaders would argue against the value of making data-driven decisions. Today, data analytics give businesses insights in — or near — real-time, allowing them to respond to changing markets and customer needs. These benefits have driven a rapid evolution of the decades-old concept of the data warehouse. “Big data” and platforms such as Hadoop emerged, followed by “data as a service” and data lakes. …


by Chenxi Wang, Ph.D., General Partner

As an investor and a technology enthusiast, I get excited when I encounter a novel viewpoint, a new way of solving a problem, or simply a new treatment to a challenge. But I have to say that it is a rare occurrence when someone solves a compelling problem, but at the same time brings fundamental innovation via its underlying technology.

JupiterOne is one such case.

I got to know Erkang Zheng, the founder of JupiterOne quite some time ago, when both of us were working in a completely different capacity.

Erkang was the CISO…


by Jamie Lewis, Venture Partner

In part one of my conversation with Malcolm Harkins, we discussed the CISO’s role as a “choice architect.” In part two, we discuss how CISOs misperceive risk and the innovation necessary to move security “to the left,” enabling security and privacy by design. (With Harkins’s approval, I’ve edited the questions and answers for brevity and clarity.)

The Misperception of Risk

Jamie Lewis (JL): [In part one of this conversation], we discussed the need for CISOs to expand their scope. As the security scope broadens, what’s the biggest risk CISOs face?

Malcolm Harkins (ML): The most significant vulnerability we face…


Malcolm Harkins is well-known in information security circles. Early in his career at Intel, Harkins held positions in finance and procurement before moving into information security roles. After serving as Intel’s chief information security officer (CISO) for seven years, he became the company’s first Vice President and Chief Security and Privacy Officer (CSPO), responsible for managing the risk, controls, privacy, security, and compliance activities for all of Intel’s information assets, products, and services. Harkins left Intel in 2015, taking the chief security and trust officer position at Cylance. He’s currently the chief security and trust officer for Cymatic, a board…


by Jamie Lewis, Venture Partner

A complex interaction of threats, attack vectors, and enterprise security architecture is behind every breach. But an examination of common security failures reveals a fundamental disconnect between the technological and human aspects of security architecture in many enterprises.

Make no mistake: security products and services are an essential part of the solution. But it’s equally important to understand that behind every bit of malware is an adversary — people who are attacking an organization. Organizations are, of course, comprised of people, and people bring risks and vulnerabilities that may be beyond the grasp of technology…


by Jamie Lewis, Venture Partner, and Chenxi Wang, Ph.D., General Partner

Cloud initiatives have demonstrated their ability to deliver significant benefits to user organizations. But in some cases, concerns for security are blocking or delaying cloud deployments. In-house security teams, which may be well-versed in on-prem systems, may not have the expertise necessary to ensure cloud-based security. When cloud initiatives do proceed, enterprises often apply traditional security approaches to cloud environments only to find they don’t work. Simply put, moving to the cloud involves both architectural and organizational dynamics that challenge enterprise information security culture in fundamental ways.

Nowhere are…


by Jamie Lewis, Venture Partner

As we discussed in a previous post, chaos engineering is a relatively new idea in the security domain. But there are products and tools that security teams can use to implement it if they so choose.

As the first to apply chaos engineering to software development, Netflix built many of its own tools. But given the results organizations such as Netflix have had with the practice, general-purpose tools have started to emerge, allowing more organizations to add chaos engineering to their cloud development arsenal. Such tools typically provide a general-purpose framework for developing experiments and…


by Jamie Lewis, Venture Partner

As we’ve discussed in several posts, organizations must apply the principles that drive DevOps and site reliability engineering (SRE) to security in cloud-native environments. Testing, of course, has always been a critical component of both the application development process and any effective security program. And like application development itself, testing techniques and time frames have changed dramatically with the DevOps model. Within Continuous Integration/Continuous Deployment (CI/CD) pipelines, constant testing and improvement are an operational given. More significantly, companies such as Netflix have discovered that testing alone cannot ensure the resilience of cloud-native systems. …

Rain Capital

Rain Capital is a cybersecurity venture fund based in the San Francisco Bay Area. A women-led and women-managed fund, Rain invests in disruptive security companies.
