Forget ChatGPT, the most overhyped security tool is technology itself, Wiz warns
Infosec also needs to widen its talent pool or miss out
Interview: It's a tough economy to ask for a bigger security team or larger budget to buy technology to protect against cyberattacks.
For infosec, already facing a skills shortage before this year's tech layoffs and economic downturn began, this is an especially serious challenge as ransomware infections and data security breaches become more frequent and organizations' attack surfaces get larger.
The three-year-old cloud security startup, founded by ex-Microsofter Assaf Rappaport, earlier this week announced a $300 million funding round with a $10 billion valuation. This, according to Rappaport, makes Wiz the world's largest cybersecurity unicorn and fastest SaaS company to achieve a $10 billion valuation.
As he looks ahead — with a potential recession looming — Rappaport says the biggest challenge facing security teams is figuring out how to be more efficient.
"We have cyberthreats — this is not new — but what we need to be very mindful of in, let's say, the next year, is being efficient with our budgets," he said. "I see the teams are under a lot of constraints, budgetary constraints, and mostly how to do more with less, how to become a more efficient team."
From a technology vendor's perspective, this means thinking about the people using the products being developed. "When you build technology, first and foremost think about the people and the processes that are going to support the technologies," Rappaport said.
Herzberg puts it more bluntly: "Technology, in general, is overhyped when it comes to being successful with security. Obviously, we are selling technology. But in the end, it's not really about the tools you buy. It's about the processes and the people."
As organizations move to the cloud and shift to a decentralized IT environment, security teams have to adapt and change these processes. Moving to cloud environments means developers can move faster, but it also requires security to keep up, Herzberg said.
"Every dev team innovates faster than ever before, but they also choose their own stack, they choose their own infrastructure, and they don't go through a centralized IT team," she said.
"Development has become decentralized, and in that way security has to become decentralized to address it. That means breaking down silos between security and dev teams, and building a different process for how security is done."
In practical terms, this means providing visibility across cloud environments so security and development teams alike take ownership of security risks.
Of course Wiz, being a technology provider, argues that it does this best. Still, when Herzberg says that "every infrastructure owner, every dev owner," should have visibility and understanding of their own risk, she makes a good point.
"That's the only way to scale cloud security, because you have hundreds of developers, you have small security teams and infrastructure is de-centrally owned," she added. "So the risk also has to be de-centrally owned."
Security still hasn't solved its diversity problem
Part of the solution is to look beyond the usual pool of applicants: white men with prior cybersecurity experience, Rappaport said. Instead, companies need to explore further outside the usual pool and find new talent.
"Technology is part of the solution. But having said that, we need to be more diverse, and more open as a community," Rappaport said during an interview with The Register.
"I'm sure most of the people you talk to in leadership positions are men, and I would love to see that change. We're too homogeneous, and we need to provide more opportunities."
Raaz Herzberg, Wiz's VP of product strategy, told us the question of why there are so few women in cybersecurity is one that she asks herself often.
"I think cyber, specifically, has this notion of you have to have prior experience, and that's not really the case," Herzberg said. "Personally, I think the best background you can have for a cybersecurity role in most organizations is probably dev experience, cloud experience, IT experience."
"There are also a lot of challenges around being a good manager" and having skills outside of strictly infosec knowledge that a diverse group of people can bring to the cybersecurity table, she added. "Lack of prior experience, unfortunately, scares women away."
The numbers reinforce this. A Microsoft-commissioned survey found more than half (54 percent) of women believe the security industry has a gender-bias problem that results in unequal pay and support.
But women, even more than men, according to the survey, reinforce these biases: 71 percent of women (compared to 61 percent of men) think cybersecurity is "too complex" a career, and more women than men (27 percent and 21 percent, respectively) believe men are seen as a better fit for technology fields.
It's a complex problem, and not one that we are going to solve in an hour — or a month — but one that should be top of mind as we near International Women's Day. And, really, every day.
While the Wiz duo didn't sit down with The Register specifically to discuss the lack of women in infosec, it makes sense that it would come up, considering this is an industry, and a company, concerned about solving really big problems. ®