Attention cybersecurity entrepreneurs: CISOs want simplicity!

Successful entrepreneurs in all segments recognize the importance of keeping ahead of market trends and helping customers close gaps. In cybersecurity, those gaps are often shaped by newly discovered vulnerabilities and other emerging threats. Today, enterprise IT groans under the weight of bloated security stacks and IT departments are straining to use their budgets more efficiently.

For their part, cybersecurity startups face difficulty in getting a foot in the door at Fortune 1000 organizations or even SMB IT shops. CISOs in organizations of all sizes have begun to institute stricter procurement measures, a trend juxtaposed upon the continuing growth in size, variety, and sophistication of cybersecurity threats and the myriad solutions designed to address those threats.

These incongruities beg several questions: in this period of organizational cybersecurity severity, which threats are most critical to address in today’s threat landscape? How can cybersecurity entrepreneurs meaningfully differentiate their next big idea and insert their offerings into existing security stacks, or even supplant those stacks?

A good starting point lies in insights from top CISOs and other noteworthy experts. In this vein, Renee Guttmann (CISO at Campbell Soup Company) and Adam Ely (VP & Deputy CISO at Walmart), as well as cybersecurity experts Dino Boukouris (Director & Founding Member at Momentum Cyber) and Karthik Subramanian (Partner at Evolution Equity Partners) weigh in.

Clearing the cybersecurity pile

Campbell’s Guttman minces few words as she shares her concerns about the enterprise security stack from the perspective of a customer who finds herself approached all day, every day, by aspiring cybersecurity entrepreneurs. “We don’t refer to the ‘security stack’ anymore. We call it the ‘security pile’ and we joke about how it smells.” Like many CISOs today, Guttman has a mission to simplify her organizational security. To that end, she warns that “CISOs must be ruthless about selecting and leveraging products and security environments,” explaining that tight budgets require IT organizations to adopt a strict and systematic evaluation process. “I’m looking at strategic gaps in cybersecurity, and whether legacy products provide the needed coverage. To some degree, it’s a zero-sum game – I often need to shed incumbent components and solutions to free up budget for new tech.”

Adam Ely concurs, citing the popular “shift-left” approach to managing solutions at Walmart. “I’m looking at how can we build security into the fabric of our operations, as a process, as a technology, so that we can stop bolting on tech ad hoc, force-fitting tools and solutions that were not designed for a given workflow.” He warns cybersecurity vendors against narrow point solutions, as large companies are increasingly drawn towards migration to a single platform that can be leveraged across use cases and applications.

In this attraction to simplicity lies the first key for winning over CISOs to a new security product—new solutions need to streamline an organization’s existing security operations. Every legacy line item that a new solution can remove from an existing security software inventory scores points with CISOs and their teams. Maximal bonus points go to suppliers with solutions that introduce security tech as early as possible into the development cycle. Moreover, as many vendor platforms shift left and take ownership of whole solution stacks where they reside, new opportunities arise to close gaps within those reformulated stacks as well.

Looking beyond technical value

The next key to cybersecurity product or service success lies in the type of gaps CISOs are most keen to address. Again, the opportunity ties into concerns over existing stacks and the complexity of piling on a litany of incremental solutions. As Evolution Equity Partners’ Subramanian points out “If you examine traditional security domains, network security, cloud security, endpoint security, et cetera, incumbent solutions don’t provide customers with visibility across events at the level of Layer 7, closer to the application, concerning communication among various software entities, applications, etc.”

Momentum Cyber’s Boukouris concurs, connecting the upsurge of interest in visibility to the high demand for risk mitigation and compliance solutions now dominating the cybersecurity marketplace. He postulates that the high profitability of third-party risk managers and cyber insurers is connected to concerns CISOs have for “how to distill the nature of the risk to their organizations, and how to quantify that risk. We expect everyone in visibility assessment scoring to provide a comprehensive view of the organization and how to protect it from a range of threats.”

One glaring lesson can be drawn from these perspectives: technical value as a standalone will no longer suffice in this mature market and a business value proposition is vital to make the cut. Vendors may be subsuming increasing swathes of the security stack, but the cybersecurity sector is still replete with opportunity for the startups that dare to differentiate themselves with the sharpest, most targeted, and the most streamlined solutions. As Dino Boukouris points out, 33 public cybersecurity companies comprise a market cap of over $200 billion in 2019, with this robust number expected to continue growing for the next several years.

To close, let’s return to Renee Guttmann’s colorful description of the security stack as a moldy pile of software components. The ad hoc integrations of incumbent cybersecurity software present cybersecurity startups and entrepreneurs that run them with the opportunity to start clearing the pile, to simplify and streamline cybersecurity operations with unified stacks offering greater situational visibility.

Like all “shift-left” efforts and as with most platform unification exercises, such streamlining is easier said than done and can be even more difficult in the face of customer fastidiousness. But the most agile of entrants in cybersecurity will be able to embrace the opportunities presented by enterprise IT rigor and turn them to advantage through greater simplicity and lower costs from a single unified vendor offering.