Is Security Strategy Your #1 Priority Yet? Fundings: Rebel Space Tech, Traive Finance, Pierce Aerospace
7 February 2024 - A Weekly Publication by New North Ventures
Is Security Strategy Your #1 Priority Yet?
It’s 2024 - Prioritizing information security in the organization is standard practice. True statement? Turns out not so much.
Sadly, even in present times with strong evidence of risks and vulnerabilities, information security still takes a back seat. Ask a startup founder at random where they have placed information security within their development strategy. CISOs for the big players such as Microsoft have gone on record identifying this issue for years, documenting how infosec is a business value problem. There are publicly available articles breaking down how nefarious cyber actors target startups due to the ease of exploitation and the promising returns.
In 2022, the theft of trillions of dollars of intellectual property from tech companies worldwide, carried out to support Chinese government state requirements, was attributed to a single Chinese state-sponsored group, Advanced Persistent Threat (APT) 41. However, if this is a known, glaring issue within the community, why are startups still an easy target for bad cyber actors in 2024?
One key factor is that the world of startups is fast-paced and high stakes. Experts in the field of tech startups consider the space “hyperbolically” expanding. Founders are compelled to rush their product to market in the pursuit of rapid growth in technology capabilities. Leaders in the startup space are also pressured to demonstrate value to investors. These factors often overshadow founders’ instincts to properly invest in their organization’s critical need for robust information security measures. Founders are so focused on developing their product, securing funding, and acquiring customers or partners that they often view information security as a “later phase” concern. However, at what cost?
The consequences of not prioritizing infosec from the outset can extend beyond immediate financial and reputational damage. With a single breach of their cyber technology, startups risk losing customer trust, which is notoriously difficult to rebuild. Regulatory bodies can sometimes impose fines and take legal action against organizations, which could compound growth challenges. Any one of these consequences, or all of them combined, could lead to the early downfall of an otherwise promising new company.
Examples of disasters are prolific in our tech industry’s history. In 2020, the SolarWinds Orion software was compromised, leading to a massive security breach affecting numerous US government agencies and businesses all over the world. This incident highlighted not just a failure in infosec strategy but also a domino effect of lack of strategy at the customer level. Despite being a provider of IT management tools, SolarWinds allegedly prioritized product development and market expansion over information security measures. This catastrophe is one example illustrating how complex the threat landscape has become. In 2024, the risk of exposure is growing exponentially and the cyber threat vectors are evolving rapidly.
CyberArk (cyberark.com) recently published a report summarizing the threat landscape of 2023, highlighting the fact that, as a cyber-driven society, stakeholders are living in a new age of cyber debt. CyberArk defined this debt as “investment in digital and cloud initiatives” greater than the spending on security solutions for most organizations for all of 2023. They predicted that the identity growth of cyber systems would increase by 240% in 2024, unleashing a massive increase in attack surfaces for bad cyber actors to take advantage of. They also hammer home the same conclusion: the growth in the use of tech and the development of technology solutions will far outpace the commitment to developing secure strategies to protect the users of tech and the technology itself.
It’s certainly time for a paradigm shift in how startups view information security. According to analysis, founders’ IP and data are set to be over 200% more vulnerable this year. So, is it worth saving 5% on a deferred infosec campaign over the next one or two years? Founders, do you think you have nothing worth stealing during your early stages of growth? Founders take note - if APT 41 and others like them had their way, you can be confident they plan to continue to sit quietly on your startup’s infrastructure, taking advantage of the 200% more ways to get at everyone’s networks and private data. They will patiently wait two or three years until there is something interesting to steal at your startup since it costs them next to nothing to exploit your vulnerable systems. They do not care if they get their B-team cyber tools caught. In the meantime, while they wait for the good IP take since it is unlikely they will be discovered on your systems for years, APT 41 will happily use your info systems to launch more attacks and pivot into the neighboring company.
Founders, executives, and investors alike must recognize the evolving cyber threat landscape and the cyber actors’ ability to strategically take advantage of newly emerging vulnerabilities, and must plan ahead. The plan can be as simple as a founder developing an early strategy to protect IP. Or investors can require a security strategy to be submitted as part of a deal checklist, helping to inspire that cultural change from a different angle. A basic information security strategy is better than none at all. The answer does not have to be to hire a CISO immediately and lose critical funding resources to an expensive infosec prioritization effort. Other, more economical options are emerging, which can serve as a foundation for a strong initial infosec strategy.
Small wins, such as leveraging modern, available large language model-based AI agents like OpenAI’s widely available GPT-4, could help founders demystify information security at their level. AI agent chatbots, some freely available like OpenAI’s ChatGPT-3.5, could help answer questions about infosec in real time, answers that were previously available only when outsourced to an expensive cybersecurity consulting firm. AI technology could help non-technical founders develop an effective security strategy framework, which could be all that is needed in the early stages of startup development. These actions will naturally grow with the organization and become part of the culture. Investors can take a role in this space as well by adjusting their onboarding requirements to call for a strategy prior to making the deal. Adding that item to a due diligence checklist could be all that is needed for a startup founder to take action and change their mindset.
Eventually, as a startup evolves and is faced with legislation and liability challenges in the information space, it will require a CISO to navigate that space and ensure compliance. Virtual CISO services, or vCISOs, are becoming commonplace within the security space. The shortage of CISO-capable cyber professionals has given way to this more economical form of expertise that can fill those compliance gaps as needed. For founders juggling multiple priorities, these vCISOs may be the answer to providing the expertise with a flexible work scope that is cost-effective and meets the organization's present needs.
Instantiating a cyber-security aware culture early within the organization, leveraging both AI technology and part-time security officer guidance, could be considered an easy-button to harden the startup’s defenses against cyber threats. This effort will surely empower founders and their partners to attract those CISO executives in the future when needed and identify additional strategy gaps early in the growth process—a win-win investment for any founder or investing partner. Information security must be a priority for startups from day one. As a society we are intertwined with our data in cyberspace, and it is for the mutual benefit of all to invest in a security strategy from the onset. The examples of organizations that have suffered from neglecting this critical aspect of operations should serve as a wake-up call. It’s not just about preventing loss; it’s about building a sustainable, trustworthy foundation to enhance information integrity and trust within the cyber landscape for the benefit of all.
Ben Faberlle
CW3, US Army
Skillbridge Fellow, New North Ventures
CEO/Co-Founder DarkRook Cyber, LLC
We are excited to share that our portfolio company Hawkeye 360 has completed the environmental testing for Cluster 8 & 9, marking a significant milestone. The focus now shifts to launch integration this spring, with a targeted launch in Q2. This progress underscores Hawkeye 360's commitment to advancing satellite technology and enhancing its capabilities for real-world applications. Well done!
In another major development, portfolio company CYBERA has joined forces with Chainalysis in an industry-shifting integration. This partnership represents a crucial step forward in their ongoing efforts to combat scams effectively, providing advanced intelligence tools for government and compliance teams. The collaboration aims to address the personalized tactics highlighted in the 2024 Chainalysis Crypto Crime Report, empowering institutions with real-time data to actively build a safer digital financial ecosystem.
The article identifies key trends shaping the future of the defense industry, emphasizing the pivotal role of cutting-edge AI/ML solutions in national security, with startups driving innovation in automation and decision-making.
It highlights the DOD's significant investments in modern data and AI infrastructure, showcasing startups like Enabled Intelligence and Aalyria as pioneers. The imperative of best-in-class cybersecurity is underscored, aligning with government initiatives and startups addressing evolving threats.
The emergence of next-gen defense tech giants is predicted to be grounded in verticalized solutions, meeting specific DOD needs. The early exploration of autonomous systems in defense, exemplified by startups like Skydio and Saildrone, signals a transformative trajectory.
The article provides insights into the challenges and rewards of adopting a business-to-government (B2G) model and outlines guiding principles for investing in defense technology, advocating for founders to have proper resources and support in this complex ecosystem.
Tech Layoffs Just Keep Coming as Sector Resets for AI
In response to economic conditions and the pursuit of leaner operations, tech companies, including DocuSign, Okta, Snap, Zoom, Google, and Amazon, are announcing layoffs, reflecting the industry's trend of cost-cutting despite earlier growth.
DocuSign plans to cut 400 jobs (6% of its workforce) to address its struggling stock price, following similar moves by other tech giants. Management experts attribute these layoffs to companies striving for efficiency through automation, as they embrace artificial intelligence tools to replace or minimize certain jobs.
The broader tech sector shed almost 16,000 workers last month, marking the most significant reduction since May 2023.
The trend is driven by factors such as increased borrowing costs, reduced attrition, and pressure to meet analysts' expectations, with layoffs often seen as a strategy to boost stock prices. Additionally, some layoffs result from common factors like lost business or duplication from mergers.
Rebel Space Tech
Founded: 2019
Key People: CEO Carrie Hernandez, Ph.D.
Elevator Pitch: Autonomous intelligence software intended to build secure and intelligent wireless connectivity.
Funding: The company raised an undisclosed amount of venture funding from Everywhere Ventures on February 3, 2024.
Traive Finance
Founded: 2018
Key People: CEO Fabrício Pezente
Elevator Pitch: A finance platform intended to connect the entire agricultural chain to the capital market.
Funding: The company raised $20 million of venture funding in a deal led by Banco do Brasil and Astella Investimentos on February 3, 2024.
Pierce Aerospace
Founded: 2016
Key People: CEO Aaron Pierce
Elevator Pitch: A network-based identity and tracking system designed for unmanned aircraft systems.
Funding: The company raised $1.08 million of venture funding in the form of convertible debt from undisclosed investors on February 2, 2024.
Look for a new episode of Securing the Future Podcasts wherever you listen. In our most recent episode, we have Jim Smith, Acquisition Executive at U.S. Special Operations Command, sit down with General Partner Jeremy Hitchcock for an engaging conversation about the evolving landscape of defense acquisitions, the role of artificial intelligence and data, and the importance of fostering collaboration between the government and private sector.