The Cyber Why: What We Read This Week...
... and why you should too! (5/12/24)
I’m finally home after a long week of RSA Conference madness. The announcements were amazing, the keynotes inspiring, and the expo hall … well, that left a bit to be desired. Walking into the hall, I felt an overwhelming feeling of “beige.” By that, I mean that pretty much all the messaging on the booths was eerily the same. I feel like we’ve moved into an era of cybersecurity where the technology differences are so overlapping and grey that you can’t possibly stand out amongst the noise and not paint yourself into an awkward positioning corner. With that said, a few of the companies’ messaging was clear and concise and talked about something innovative, and those few companies gave me a bit of hope for the future.
In this week’s The Cyber Why we cover the CISA Secure By Design Pledge, WIZ raising a BILLION bucks and actually having a real need for it, AI cybersecurity moves from Palo Alto and Crowdstrike, a throwback to the 2003 Trustworthy Computing Memo from Microsoft, and a chuckle-filled video from Matthew Broderick. All this and more in this week’s The Cyber Why!
Sponsor The Cyber Why!
The Cyber Why reaches nearly 5,000 cybersecurity, technology, and investing professionals per send. With over 30,000 views a week, our content is frequently in front of your target audience. Reach out to The Cyber Why to find out how you can drive leads and brand recognition for your business. Sponsorship packages are available. Click HERE for more information.
CISA Secure By Design Pledge - YAY or NAY?
CISA Announces Secure by Design Commitments from Leading Technology Providers (CISA)
Statements of Support for the Secure by Design Pledge (CISA)
I'm not cheerleading for the CISA pledge (lcamtuf’s thing)
This week, the Cybersecurity and Infrastructure Security Agency (CISA) announced a “Secure by Design pledge”. The pledge is voluntary for enterprise software products and services, in line with CISA’s secure-by-design principles. Many companies have taken up the torch and made public statements of support, including Armis, Cisco, Cloudflare, GitHub, Google, HP, IBM, Lenovo, Tenable, and dozens more. I love the idea of a pledge, but it won’t actually make anything better in the long run. If it was as easy as declaring “we are going to be secure,” we would have done it long ago. At first, I thought this was just another piece of lip service that software vendors were putting forward, but the article by “lcamtuf” made me see it differently. For many software companies, this may be how they get out in front of what could be coming down the pipe in the form of legal requirements containing teeth.
Finally, a REAL Reason to Raise $1B
Wiz Lands $1B In Funding, $12B Valuation Amid Surging Cloud Security Growth (CRN)
When I think WIZ’s growth rate can’t increase any faster, they go and pull something like this. At the RSA Conference this week, WIZ announced a $1 billion (YES with a B!) investment from major Silicon Valley VCs, including Andreessen Horowitz. I typically am pretty cynical when I see announcements of raising funds of this size. We live in a world where it takes way less capital to build a technology and software startup than ever, yet I keep seeing massive infusions of cash into companies that are blitzscaling markets that may not need to be blitzscaled. HOWEVER… On this particular piece of news, I think it’s imperative that WIZ bring this large amount of funding to bear. They are currently in a war with Palo Alto Networks, Crowdstrike, and others to become one of just a few major platforms that large enterprises will look to purchase. This battle is the final epic scene of the tale of cybersecurity consolidation that is upon us. The raise puts significant funds into WIZ’s war chest, allowing them to make acquisitions as they continue to broaden their product portfolio and prepare to go public. Also, they had a pretty crazy kickass booth at RSA this week - the sucker couldn’t have been cheap!
The AI Cyber Platform Wars Heat Up
INSERTING and REPLACING SentinelOne® Unveils Future of Autonomous Security (Yahoo Finance)
Palo Alto Makes Artificial Intelligence Push At RSA Conference (Investor Business Daily)
Palo Alto Networks Launches New Security Solutions Infused with Precision AI to Defend Against Advanced Threats and Safeguard AI Adoption (Palo Alto Website)
The cyber AI platform wars have begun. Last week at RSA, I had the pleasure of sitting in on the announcement by Palo Alto Networks of their new Precision AI cybersecurity solutions, three distinct platforms, and connected co-pilots. It was an exciting presentation in which Palo Alto clearly depicted how they plan to leverage their industry-leading broad set of data and context to provide preventative security solutions ranging from code all the way to cloud-native operational security. Also last week, SentinelOne announced their future of autonomous security built on the back of their Singularity Data Lake and Purple AI system. While Palo has a much broader approach today, it appears that the first battleground will be where AI and security operations collide. Improvements in the SOC are the “low hanging fruit” in which these cybersecurity behemoths can have a massive impact quickly. Over time, AI will stretch to broader solution sets and value propositions. I plan to follow these two companies, as well as Microsoft, Google, Wiz, and a few others, very closely as this new AI cybersecurity reality emerges.
Trustworthy Computing 2.0
Read Satya Nadella’s Microsoft memo on putting security first (The Verge)
Trustworthy Computing (Wikipedia)
Microsoft is tying executive pay to security performance — so if it gets hacked, no bonuses for anyone (TechRadar)
I’m guessing many of you aren’t old enough to remember the famous email of 2002 from Bill Gates to every Microsoft employee announcing the “Trustworthy Computing (TWC) Initiative.” In the years leading up to the 2002 memo, attackers and security researchers had been making a complete mockery of Microsoft and the security of their software and products. There were significant customer breaches, product vulnerabilities weaponized, and, quite frankly, Microsoft became the laughing stock of cybersecurity. We reminisced about the initiative in the most recent The Cyber Why Podcast as we covered the Cyber Safety Review Board Report on Microsoft and even broke down some of the issues in a TCW Deep Thought piece on the topic. Just when we think we have seen another new low for Microsoft, they pop up and take a page from Bill Gates’ old playbook from 2003. Satya Nadella, Microsoft CEO, sent out his own version of the Trustworthy Computing Memo to over 200K employees. If they put the same effort behind the new initiative as Gates and his team did in 2002, we should see Microsoft become a more secure and hopefully dominant player in the cybersecurity space. Good luck, Microsoft - it’s a tough hill to climb!
I <3 Matthew Broderick and Wargames!
Cybersecurity, AI and Alicia Keys: What We've Seen at the RSA Conference (CNET)
What do Ted Lasso, Alicia Keys, Matthew Broderick, Homeland Security Secretary Alejandro Mayorkas, and Secretary of State Antony Blinken all have in common - absolutely NOTHING except that they were all at the RSA 2024 conference as speakers or keynotes. While I’m not sure why a couple of those names were chosen (Alicia Keys, she’s fantastic, but what’s the connection to cyber?), most speakers were perfect for content and inspiration. Some videos can be found on the official RSA Conference YouTube Channel; others are available as bootleg shots, like the Matthew Broderick one below. I loved this video as Wargames was a HUGE influence on me. If you have free time, look at the content - you’ll be sufficiently inspired.
Quick Hits and Hidden Gems
Palo Alto Networks Abdicates (The Security Industry) - Richard, do you have a vendetta against PANW? First, you snipe them for their 2024 strategy; then, you snipe them for pulling out of RSA. A major conference like RSA provides a vendor with both demand generation and brand awareness. When you are a massive company like PANW, you already have both in large quantities, making guerrilla marketing a potentially smart move. Alternatively, if you are a tiny company, it also makes sense to go rogue due to ROI metrics when nobody knows your name and your reach is tiny. I disagree with you on this one - PANW pulling out of RSA and doing their own thing is just the start of many major companies moving to run their own side conferences during that same week.
The free advice economy; 500-foot baguette; 40,000 robot narrators (Josh Bernoff) - Great brief article on why I give free advice to others. tl;dr, I get self-reward from it, and hopefully, they find value in it! This is how the world operates.
Akamai Doubles Down On API Security With $450M Noname Acquisition Deal (CRN) - Bargain basement acquisition prices are here. Akamai snaps up Noname.
Note to investors and security pros: drive innovation by going on the offensive (SC Media) - Bob Ackerman on driving innovation with offensive moves. A great investor with great advice. Must read.
The Alleged LockBit Ransomware Mastermind Has Been Identified (WIRED) - With eyes like his, I would have pegged him for a criminal overlord from a mile away. Either that or as someone who has to tell his neighbors that he just moved in.
IntelBroker Hacker Claims Breach of Top Cybersecurity Firm, Selling Access (Hack Read) - No proof yet, but where there is smoke, there’s typically fire. Watch this one closely, as I bet it breaks further over the next two weeks.
If you’ve made it this far, you either found our musings at least semi-entertaining, OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that we appreciate you. Please do us a solid and share The Cyber Why with your friends. We would love to reach a bigger audience, and referrals are how we do it. Help us out, and we’ll see you next week!