After numerous conversations with security researchers, entrepreneurs, investors, and CISOs, YL Ventures Principal Iren Reznikov shares some insights from Black Hat 2018!
Black Hat USA 2018 was my first time attending the annual Las Vegas security conference. Counter to its reputation as “hacker summer camp,” I felt Black Hat had more substance and less noise than many similar conferences I’ve attended in the past. The startups floor was a joy to walk through, with most vendors educating rather than marketing. And several illuminating conversations with long-time attendees revealed that they had noticed the difference and that the change was recent. With the cybersecurity industry maturing at breakneck pace, it seemed the professional culture and expectations were growing in turn. Upon reflection, three overarching ideas stood out to me and contributed to this positive impression.
Address Root Causes.
Parisa Tabriz, Director of Engineering at Google, set the tone for Black Hat with her excellent keynote address–which she delivered with a surprisingly inspirational, no-nonsense practicality. In a particularly effective call to action, Tabriz talked about getting back to the fundamentals of security. “I think we all need to do a better job of understanding and tackling the root causes of bad security. We can’t be satisfied with only isolated fixes.” Deceptively simple, but deeply true. Despite rapid innovation, there are still obvious problems not being effectively addressed within cybersecurity.
One such area in need of fixing that was brought up repeatedly was phishing. While neither thought-provoking nor a new issue, phishing is still a huge problem. I heard multiple high-profile CISOs openly claim they would gladly pay for a better solution if it existed. Whenever CISOs share their top concerns, it’s incredibly important to listen–no matter how obvious or uninspiring the idea seems from an engineering perspective. Especially for very technical founders, the cutting edge might be a much more interesting place to focus their work. But when it comes to building a successful business, talking to actual prospects and understanding what’s keeping them up at night is always a better idea than following hype.
Optimize Existing Resources.
While there were still plenty of buzzwords floating around Black Hat this year, even the buzz felt more responsible than normal. For instance, the emphasis I saw on orchestration and automation is a perfect example of real-world problems directing the momentum of innovation. Although the technical challenges of orchestration and automation were discussed in granular detail and at great length, the genuine excitement came from the fact that this was not just another fancy technology that CISOs needed to learn how to implement.
Instead, orchestration and automation promised to optimize existing resources and improve current defense capabilities. A welcome approach, especially considering that workplace fatigue has become so prevalent that Black Hat debuted a dedicated track this year to help overworked security staffers cope. With attack surfaces multiplying and talent pools shrinking, customers are demanding more manageable, sustainable solutions. As a result, they are far less inclined to allocate time and resources to offerings that don’t directly address those needs–not just in the short term, but over the long term as well. This is not just talk for us; we at YL Ventures have invested in two companies that exemplify this exact notion: Axonius, a cybersecurity asset management platform, and Vulcan, a vulnerability remediation platform.
Plan Beyond Acquisition.
These long-term considerations can even extend to the post-acquisition stage. In one side conversation, a high-profile corporate development executive shared that he actively avoids investing in young startups because of the potential for growing pains. From his perspective, it’s best to acquire startups possessing not only R&D talent, but a robust product and specialized sales and marketing teams as well. Otherwise, the acquirer will have to invest substantially more than the original price to widen their product offering and incentivize their existing sales staff to sell an unfamiliar product.
Another intriguing discussion addressed the concerns of the customers themselves. Post-acquisition, no one talks about the vendor’s current customers. After investing precious time collaborating with early-stage vendors, they’re often left by the wayside. Partnerships come with expectations of seeing certain features or issues addressed in the startup’s roadmap. But very often, those commitments vanish once the acquisition dust settles. This problem can even extend to the commitment of the founders themselves. Some founders either evade or break their agreements to stay on board following a buy-out. Potential acquirers and prospective partners will stay away if they suspect the founder is already planning their exit strategy.
My Final Thoughts
Overall, my first experience attending Black Hat was incredibly instructive. The focus on practical skill-building and technical expertise was impressive, and the level of professionalism on display was refreshing. Whether in a briefing, on the startups floor, or at a round table event, every moment presented an opportunity to learn and improve. I do wish, though, that I had seen more women in the halls of Mandalay Bay. Next year I would hope to see more female researchers, entrepreneurs, investors and customers encouraged to attend and contribute their experience to the cybersecurity community.
Nevertheless, as an investor, the ability to connect with technically sophisticated CISOs and brilliant entrepreneurs was invaluable. And Black Hat’s rigorous trainings and briefings were a gold mine for my more technical colleagues. However, one briefing in particular resonated with us all, regardless of background. Billy Rios–founder of Whitescope and newly announced Venture Advisor at my firm, YL Ventures–presented medical cybersecurity research findings alongside his partner, Dr. Jonathan Butts. Following a two-year study, the pair had discovered shocking vulnerabilities in multiple pacemakers. Armed with these exploits, attackers could compromise the device and even potentially stop someone’s heart. The most unbelievable part, though, was that inefficient practices for addressing those threats resulted in the issue going unresolved for months. Cases like these clearly illustrate why cybersecurity must continue to improve across the board. It’s no longer only a matter of organizations being open to breach–innocent people are left vulnerable to attack as well.