Over the past two weeks, I was at the annual shenanigan bonanza that is the RSA Conference and was also invited to sit on a “Shark Tank” panel for emerging technology startups in Miami. In the span of two weeks, I went from seeing big, well-established companies with massive marketing budgets and millions of dollars for R&D to the other end of the spectrum: folks pitching their “technology” — or a good PowerPoint leading up to real technology — and scrambling to pay bills while pushing their dreams forward on a wing and a prayer.
Without a doubt, it was an honor to be invited to see these pitches and offer what little insight I have gained in the industry to those dreamers who see a problem they think they can solve — and possibly get rich while doing it. As a former failed startup entrepreneur myself, I still have scars and nightmares from those days. Likewise, I consider myself lucky to interact with the titans of cybersecurity at RSA and discuss the items and trends that are driving a worldwide market. It was interesting to see the giant gap that really exists between these two types of entities when it comes to discussions and considerations around security.
Conversations at RSA ranged anywhere from how to go to market and leverage the Zero Trust concept to discussions on global threat vectors and microsegmentation to improve network security. Usually, those discussions were deeply technical and pointed toward trying to solve a problem on a global scale.
While that was the case at RSA, it was not even a point that came up during the discussions I had at the startup event. Those discussions went about like this:
“I like your pitch, and your technology certainly can be useful for enabling GPS location tracking of dog poo” (you get the idea; not sure how many “innovations” are left in food delivery . . .). “But have you considered how your system will implement security? You said during your pitch that you are using APIs and data to track user locations and better enhance your targeting. Are you aware that there are privacy concerns and data security needs for those scenarios?”
“Uh, we are considering security. We have that on our timeline.”
“So you aren’t focused on security or really enabling privacy, but you are using data as much as you like?”
“Uh, well, not exactly. We value our users’ privacy, and we will be secure.”
“OK, super . . . but how? What are you doing to enable those things? It sounds to me like security is an afterthought.”
“Umm . . .” (looks to other team members in dirty hoodies)
“So just to be clear, you want to run your app, collect data, interface with established networks, and code via API — and you have no plan for how security is part of this whole thing? You’re essentially becoming the avenue of compromise for your users and whatever networks you touch. Does that concern you?”
“Sure, yes, absolutely.”
“OK, good. So what do you plan to do about it?”
“Uhhhhh . . .”
“You said you plan on being worldwide. Do you know about GDPR?”
“OK, got it. Let’s chat afterwards. I would love to offer you some guidance on this.”
It sounds like a joke, but there were 130 startups at the event. I made it a point to ask every third team about security, privacy, and GDPR. I had five responses that I would say were even in the ballpark of security; only two even knew what GDPR was. Seriously, only two! Most of them thought it was an acronym for a protocol that they would “ask their devs about.”
After being at those two events and seeing all of this take place, I think it points to a continuing problem. These young companies are moving at the speed of development and have little, if any, concern for security, privacy, or regulations because they see it as something they can bolt on afterwards. Or, in many cases, it’s “a barrier to onboarding users.” Those same startups might become successful and grow, but when they connect to established networks, they may be the point of failure in those infrastructures. Or if they get acquired by bigger companies, they will be absorbed into the Borg anyway. And so it goes on. This is the self-licking ice cream cone of failure that enables continual failures in the security space. I think it’s interesting to see security failure at a product’s inception and compare it with an industry focused on solving the problems introduced by the startups that are working their way into the market.
Security has to start at the ground level and can’t be seen as a barrier to growth. As long as that’s the perception, the reality of failure will continue to propagate.