The VC View: Hot Trends in Security After the Pandemic
What Spaces Are Hot in Security and Will Get Attention in 2021?
“What’s hot right now in security?” is one of the most common questions I hear from CISOs, vendors and VCs alike. Being a part of one of the largest and most active VC firms in security, we are fortunate to have thousands of touchpoints each year about the state of the industry, to understand the key nuances and to share that knowledge with others.
The reality is that every practitioner, market, company and team is different in what they prioritize as part of their security program. So below are ten spaces, in no particular order, that I think are hot now and will get attention in 2021. In following articles, I’ll propose solutions I’ve seen get traction in each space and worth spending some attention.
1. Data – There is no question at this point that data is valuable. Of course it takes a lot of work and thoughtfulness to get that value, but the insights and learnings we’ve been able to generate from data have significantly changed behavior for a long time now. The issue, however, is that anything of value also comes with risk and concerns. Leading to PCI, HIPPA, COPO, GDPR, etc. This is a solvable problem.
2. Cloud – In terms of hype, Cloud Computing is one of the few categories that has gotten to ride that wave multiple times over. When the space was at risk of practitioners reverting back to optimizing their existing compute infrastructure instead of investing more in public cloud, we got COVID-19 in response. Accessible cloud resources anywhere in the world and by anyone has become the “only” option for some at this point. The only question is what is the answer?
3. Identity – To manage complexity and diversity in our infrastructure, first we started with endpoint, then network, then SaaS and then added Public Cloud. There is no easy chokepoint to inspect all incoming and outgoing activity anymore, leveraging identities to manage the perimeter is the only option. This one will take a long time but worth the effort.
4. IT / WFH Enablement – This isn’t a classic “control” but worth attention. Every single company had to triage when COVID-19 hit and had to build the fundamental infrastructure to enable employees to do their work. Triage looked a bit different for every organization but had the same fundamental goal. Now that we’re past a year and cases are moving in the right direction, the IT role has forever changed and security practitioners either own it or have to support it. We’re close to figuring this one out.
5. Digital Transformation – Another buzzword worth attention. Especially because everyone has a different definition of what digital transformation means. In some companies, the word digital transformation is said and heard at least once a day, in others once a year. Companies in the former are thinking about what this term means and have the support to make more strategic changes in their security program. Another long-term program but worth it.
6. Vendor Risk – Of course this one is on the list because of Solarwinds. Everyone is aware of this problem and everyone is at different levels of comfort with their Vendor Risk Management (VRM) program. There are going to be some successful projects in VRM this year.
7. Endpoint – Yes the endpoint is becoming an unlikely single control point in security. However it is still one of the highest fidelity places to get a sense of what is going on currently and historically. There is a reason why endpoint solutions are so popular in incident response cases. Visibility is the new black.
8. Response / SOC Evolution – The concept of “everyone will get breached” has been incredibly powerful and supported by a rapid increase in the frequency of public breach disclosures for a long time now. It has both created and energized multiple categories focused on what to do when “right of the boom”. Now with a lot of budget spent on existing solutions in this space, it’s inevitable that folks are thinking how they can get more value from it.
9. DevSecOps – This one I have to put in this list even though it’s obvious. It’d be silly to not mention the impact and importance of security in developing public-facing, data-rich applications that have the risk of losing both your employer’s data but your customer’s data as well.
10. AppSec – This is my opportunity to bring up something not obvious but still a bit obvious: AppSec & DevSecOps are different spaces. So many folks combine or confuse the two. DevSecOps is securing and enabling the SDLC. AppSec is finding ways to defend the actual applications. A lot of obsession with DevSecOps with phrases like “shifting left”, “shifting right”, “shifting everywhere”. DevSecOps is hot because it’s relatively new but AppSec at the end of the day is the bigger lever.
That’s ten categories and ten planned accompanying articles that I’ll be writing and publishing here in the future. Thanks to SecurityWeek for having me as a columnist, and I’m very much looking forward to sharing my thoughts about security in general and on these spaces here.