The Cyber Why: What We Read This Week...
... and why you should too! (8/25/24)
In this week's edition of The Cyber Why, we explore what happens behind the scenes when a venture capital firm decides to invest in a startup, blush at the drama surrounding the collapsed CrowdStrike-Action1 deal, and consider the implications of a Microsoft-CrowdStrike summit and its potential impact on the industry. We take a brief look at the DOJ's lawsuit against Georgia Tech as a stark reminder of the consequences of neglecting cybersecurity compliance and learn that the Oracle fed Neo a cookie (TIL)! All this and much more in this week’s The Cyber Why!
Sequoia’s YouTube Investment Memo Circa 2005
The confidential YouTube Investment Memo by Sequoia you were never meant to see (Alexander Jarvis)
Have you ever wondered exactly what happens after you’ve pitched your new company to a big-name investor? They disappear for a while, do a bunch of “research,” and if you are lucky, come back to you with an answer about their investment. But what really goes on behind the scenes? How do they grade you against the thousands of other investment opportunities they are likely to see in any given year?
Thanks to a lawsuit between Viacom and Google, we can read, in its entirety, the investment memo created by Sequoia partner Roelof Botha in 2005 as he and the firm analyzed their decision to invest in YouTube's super early seed stages.
What’s interesting in this article is the depth that Sequoia went to when analyzing the opportunity. The best investors aren’t just “dumb money” who follow simple signaling patterns to decide where to invest capital. The best approach will focus on the business fundamentals, the market, the competition, the founding team, AND the technology. Without all of that in alignment, a startup will never succeed. If you are building a startup and considering taking funding, you must read this piece and look at it through the eyes of the author. I promise that it will be enlightening!
The Game of M&A (aka A Game of Thrones)
CrowdStrike-Action1 deal collapses over user concerns (CSO Online)
Gur Talpaz comments on LinkedIn Post (LinkedIn)
The flames of the cyber drama dumpster fire continue to burn, as this week’s finger-pointing involves CrowdStrike vs. Action1. Cloud-based patch management and vulnerability remediation provider Action1 publicly stated that it had rebuffed a $1B offer from CrowdStrike to acquire the company in the wake of the largest IT crash in history. Action1 placed the blame for the deal falling apart on feedback from customers after an email leaked about the acquisition. The customers felt the acquisition would erode trust in Action1, positioning them unfavorably in the market. But like any good whodunit flick, we have a plot twist…
In response to Action1’s public statements, Gur Talpaz, VP of Corporate Development at CrowdStrike, took to Twitter to explain how he and presumably CrowdStrike see it. CrowdStrike barely had a 45-minute conversation with Action1 and never even approached an offer, let alone a deep discussion of acquisition. The LinkedIn post calls out Action1 for playing up a single meeting to get press and continued interest in their business. This move and the resulting counter-move bring into question other failed cybersecurity acquisitions over the last few years. It’s impossible to say exactly what happened when a he-said, she-said situation like this occurs, but it certainly raises doubt in one’s mind about so many other times this movie has played out.
Microsoft To Hold Cybersecurity Summit
Microsoft to host cybersecurity summit after CrowdStrike-induced IT outage (Reuters)
Microsoft plans September cybersecurity event to discuss changes after CrowdStrike outage (CNBC)
(Katie pick) Microsoft has announced its plan to host a cybersecurity summit in September, aiming to discuss how to improve security systems. After the faulty update that caused a global IT outage affecting 8.5 million devices, it seems like an intelligent move—though one might wonder why it took this Microsoft gaffe to make it happen. It also begs the question of whether Microsoft will finally take steps following the summit to improve its own security program and commercial technology offerings, which are the frequent targets of (successful) attacks.
CrowdStrike has indicated their involvement, which will be critical, given the widespread impact of the outage on the company’s huge install base. With billions in market value lost and legal claims piling up, there’s a lot on the line. Here’s hoping this summit leads to real solutions rather than just more talk.
Security Isn’t OPTIONAL - DOJ Has Said SO!
DOJ sues Georgia Tech over allegedly failing to meet cyber requirements for DOD contracts (Cyberscoop)
(Katie pick) It looks like Georgia Tech is in hot water with the Justice Department, and it's not for flunking an exam. Instead, the DOJ is pulling out the big guns by suing the university for allegedly skimping on some pretty important cybersecurity homework tied to Pentagon contracts.
The DOJ is dusting off the Civil War-era “False Claims Act” to advance this case, suggesting that the cybersecurity lapses at Georgia Tech's Astrolavos Lab were more "bug" than "feature." Apparently, not installing anti-malware software and submitting a questionable cybersecurity assessment score didn’t earn them any gold stars from the Pentagon.
For its part, Georgia Tech argues that the government was fully aware of its research's nature and that no classified information was ever at risk. According to Georgia Tech spokespeople, this case is more about miscommunication than malfeasance. It looks like we’ll have to wait and see how this one plays out over time!
Neo Eats a Cookie
For story #5 this week, I bring you a simple meme. I have been a huge fan of The Matrix since it first came out. I saw every one of them on release day in the theaters, and I have even tried to force them onto my children as some of the best movies in history (yes, I failed). I’ve even gone so far as to break down as much of each movie as I can from a technical perspective, trying to find the hidden computer science and hacker references in the films. That being said - it was this week when I saw this meme and nearly spit out my morning coffee. Now I have to go back and watch them all over again just in case I missed something else.
Quick Hits and Hidden Gems
Tech Layoffs Reach 132,000 8 Months Into 2024 (PYMNTS) - This has to be close to the bottom... right? Please, someone, say it’s going to get better soon.
Cybersecurity tool sprawl is out of control – and it’s only going to get worse (SiliconAngle) - This article almost made the top 5. The author does a great job breaking down the state of tool sprawl in modern enterprises.
CrowdStrike unhappy with “shady commentary” from competitors after outage (Ars Technica) - More pissing match drama. SentinelOne, PAN, and CrowdStrike are all going after each other like kindergarteners fighting for the one open swing.
Five Thoughts From DefCon (Frank Wang) - I was recently having similar thoughts about going back to my technical roots, and Frank’s write-up expresses my thoughts very well. Thanks for the piece, Frank!
Cyber optimist manifesto: why we have reasons to be optimistic about the future of cybersecurity (Venture In Security) - We could all use a dose of optimism right about now. Here’s what’s GOOD in cybersecurity today.
If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!
On the tech layoffs link and mention, I hope the 'this has to be the bottom' sentiment is right. I have a few friends and former colleagues - smart, talented people - who went long stretches between jobs over the last couple years.
I work for a municipality now, so I'm told it is very hard to get fired. Hoping to never test the boundaries of that :)