Felicis’s Jake Storm: Three Trends that are Revolutionizing Cybersecurity

ABSTRACT

KEY POINTS FROM JAKE STORM'S POV

Why is cybersecurity such an important category moving forward?

• The cybersecurity space is struggling with one of the largest talent gaps in tech, and automated security processes are trying to address this resource disparity. “The talent gap is a massive driver right now because there are close to one million unfilled jobs within cyber security in the U.S. alone,” says Storm. While the disparity is primarily driven by rising demand, he explains, it is exacerbated by increasingly complex training requirements within these roles that are delaying the onboarding process.
• Security is increasingly “shifting left”—becoming more proactive in addressing security issues—which should decrease the frequency of inadequate configuration processes, the most common source of data breaches. “Gartner just came out with a report saying that over 90% of cloud security failures are the fault of customers,” says Storm, “primarily in the form of cloud resource misconfiguration.” Cybersecurity has historically had a reactive outlook, he explains. Shifting-left allows vendors to implement security controls that help mitigate misconfiguration risks.
• Security tools and infrastructure are now a key strategic issue for enterprises as the cloud becomes the primary form of data storage. “We recently crossed a milestone where more data is now stored on the cloud than on-premise,” Storm says. As a result, a massive volume of data is being transitioned into potentially risky data stores. “Breaches happen because bad actors are always searching for access to data,” he explains. “This shift to the cloud significantly impacts both data security as well as data governance and compliance protocols.”

What are some companies that might be attached to these trends?

• Automated security response systems can help understaffed security teams scale their threat reaction abilities. One solution that will help address the skill shortage in data security is the automation of some security responses. “One of our investments, Tines, uses no-code automation for security practitioners,” says Storm. “This allows companies to scale what the security team can accomplish with the same head-count by simply narrowing the team's focus.”
• Embedded security tools can address common vulnerabilities arising from cloud resource misconfiguration. “Since we know from Gartner that most data breaches are the result of customer mistakes,” Storm says, “the only way to solve this problem is by bridging the gap between security teams and developers.” He explains that “security guard rails” and “secure-by-default” systems are now being integrated into the development process, an example of shifting-left that should help customers configure cloud systems with less vulnerabilities. Storm cites portfolio company, Resourcely, which addresses this problem by simultaneously improving efficiency for developers and making the cloud more secure.
• Data monitoring services can be used to deal with the more reactive aspects of data security, automatically responding to cloud-related security threats. These systems can detect attempted breaches as they are happening and take preventative action in real-time. Storm cites portfolio company Dig as one such solution, allowing companies to execute data discovery and classification, which can then be monitored in real-time.

What are some of the potential roadblocks?

• The risk of investing in any individual automated protocols is high, given the technical complexity of the problems they must solve. “A big roadblock in this space is the need for automated tools to be extremely accurate and timely,” says Storm. “There's more risk on an individual product basis than in the larger macro-trend, because a product’s success is ultimately determined by its implementation.”
• Shift-left security tools will only be integrated by teams if they can offer a win-win solution of improving security without adding friction to the development process. “The primary focus for developers is efficiency, not security,” Storm explains. “New tools can’t be seen as increasing complexity for the sake of being more secure.” Even though a security solution may seem logical from the security team’s perspective, anything that impedes the development process will ultimately not be adopted.
• While a wide range of solutions will compete in the market, they will eventually narrow and leave many feasible tools behind. Security solutions on the whole are a critical need, but that doesn’t guarantee any given solution will succeed. “As in any solution to a security issue, there are going to be competing ways to approach the problem,” Storm says. “Over time the most efficient solution will win.”

VISUAL: CYBERSECURITY MATERIAL TO BUSINESS SUCCESS

IN THE INVESTOR’S OWN WORDS

While we invest across sectors here at Felicis, I spend much of my time focused on cybersecurity. There are incredible long-term tailwinds, given many of these tools are mission-critical. Things like the talent gap, alert fatigue, and evolving infrastructure all require a need for constant innovation, and I’m excited to continue spending more time in the sector.

MORE Q&A

Q: Beyond the three trends we’ve discussed, what are other developments driving change within cybersecurity?

A: "These trends and their corresponding markets are essentially split between proactive and reactive tools. The shift-left trend is driving proactive tools. Secure-by-design processes are emerging that are meant to eliminate errors from the start. One of the main issues security teams struggle with is alert fatigue. There may be hundreds of issues that need to be resolved at any given time, but the reality is that many of these issues are low on the security team's priority. Nonetheless, these issues still drain teams' mental bandwidth. If you can remove those lower priority issues, it will allow constrained security teams to be more productive.

On the reactive side, there will always be things you need to deal with. Some of the main use cases for automation are phishing attacks, suspicious log-ins and vulnerability management. As these tools operate in real-time, the shorter the response time, the better."

Q: From the outside looking in, it appears that a lot of companies achieve solid outcomes, but very few really scale exponentially. Is that the case, and does this impact how investors view this landscape?

A: "Within security, there are a lot of companies that find success by providing point solutions, but to become an enduring, generational company you have to develop a platform that offers a fleet of solutions or modules that expands your market. In many cases it’s “acquire or be acquired.

After starting with one particular pain point, you need to be aware of the greater threats and opportunities long-term so that you can offer deeper or broader solutions in adjacent markets. If you consider automation players like Tines or Resourcely, for example, you would need to go deeper by increasing the variety of automations, or broader by increasing the solutions’ applications amongst other infrastructure teams."

Q: Given the nascent state of compliance and governance around cloud infrastructure, could the solutions that seem like the best fit today become irrelevant in the near future?

A: "When you look back to 2018, there were a number of companies that popped up in this space, but they were all compliance-focused. A lot of them had a really tough time trying to scale for several reasons, but the biggest issue was that cloud security, at the end of the day, is a security problem first and a compliance problem second. When you think about security ramifications compared to compliance, compliance is a "check the box" issue, but security failure poses exponentially greater risks to the customer.

To answer the question — no, I think that most of the companies that are focused on security first will be able to satisfy the data governance and compliance issues that evolve alongside this technology. To satisfy compliance requirements, you need to show where the data is stored, who has access to it, and a lot of other similar questions. Some of the companies approaching from the security angle will be able to answer these questions.

One of the reasons we were so excited about Dig is that they were the only company in this space that was hyper-focused on security while being able to also satisfy compliance and governance needs. On top of that, they not only supported data discovery and classification, so you could find what type of data you have and where it is, but they also have data detection and response, DDR, that enables them to respond in near-real-time to security threats. The data detection and response will play into security and also help enforce the compliance posture of the company. It's going to be far easier for security companies to address compliance than for compliance companies to address security."

WHAT ELSE TO WATCH FOR

• While "Human-First" security solutions — which engineer security infrastructure to harmonize with  human behavior — can improve the proactive side of security infrastructure, there will always be a critical need for reactive tools. “Within security you have to account for psychology in recognizing that developers are more incentivized to make code that runs properly than they are to make code that is the most secure,” says Storm. Security is often an afterthought for employees. “Shifting-left and embedding secure features, even when designed with the human element in mind, still can’t completely prevent the fact that bad actors often play on the human psyche.” There must be reactive tools ready to respond as quickly as possible to limit the damage when attacks do occur.

STARTUPS MENTIONED IN THIS BRIEF

• DIG Security
• Resourcely
• Tines