I recently read a piece about the cybersecurity industry that was simultaneously sobering and exciting. It was a post by Mark Curphey titled, "A Security Tools Crash Is Coming."
Why was it sobering? Because the piece lays bare for everyone to see how the cybersecurity industry, and specifically the AppSec and SecOps categories, are inundated with nearly 5,000 security vendors, offering far too many tools, which themselves spew far too much noise, and prevent far too many security professionals from actually benefitting. Thus, amid an increasingly challenging macroeconomic environment, the post argues rather convincingly that a great cybersecurity startup crash is inevitable.
So, why would this be exciting? For me personally, as a veteran of the increasingly red-ocean AppSec industry, the story was a fresh reminder of two things:
Given that digital innovation is the last path to differentiation in almost every industry, it makes perfect sense that the world now finds itself in an incredibly complicated situation in which security teams, already short on staff, must manage risk across a diverse spectrum of technologies and functions, including:
Furthermore, the already difficult job of cybersecurity and risk management is made worse by the fact that CEOs, shareholders, and customers all have an insatiable appetite for faster innovation. Simply stated, when it comes to "digital business," tomorrow is rarely fast enough.
So, within this complicated and challenging environment, what does it mean for a vendor to "zig" versus “zag”?
Vendors that "zag" in the cyber game are representative of the vast majority. They develop and sell a wide array of reasonably complicated, often expensive, and commonly noisy tools that leave software developers and security users utterly fatigued from alert overload. Collectively, these controls are designed to do two things: (1) help DevOps teams build security into software applications, and (2) help SecOps teams govern external access to internal systems and data. SecOps tools themselves typically have architectures that are vestiges of the perimeter-centric zeitgeist that was popular prior to the advent of the public cloud. TLDR: vendors that "zag" are either busy crying wolf to DevOps teams, or feverishly building virtual walls and digging moats to help SecOps teams keep bad guys out.
Conversely, vendors that “zig” in today's cyber market are representative of the innovative minority. They develop and sell generally simple, usually affordable, and relatively easy-to-implement tools. Collectively, these "inside out" controls are designed to protect sensitive unstructured data that businesses possess internally, but commonly share externally via collaboration workflows powered by old fashion email, and next-generation SaaS applications. Their architectural designs are typically built upon open and secure collaboration services which enable simple encryption/decryption experiences, identity federation, access controls, and enforcement of granular policies. TLDR: vendors that "zig" are busy empowering employees to share sensitive data via email, file, and SaaS workflows for purposes of accelerating business innovation, without sacrificing security, privacy, or data sovereignty.
They say when the going gets tough, the tough get going.
As for me, I'd always rather be “zigging” when others are “zagging.” More specifically, as it relates to cybersecurity, I'd rather be swimming in bluer waters and adding affordable and easy-to-implement data governance to a wide range of business-critical collaboration workflows.
It might not be sexy, and it won't come close to solving all your cybersecurity challenges, but it definitely works as advertised and offers a meaningful step forward in one's Zero Trust security transformation journey.