EC Cybersecurity
Auto Added by WPeMatico
Auto Added by WPeMatico
If you’re a tech company offering anyone a service, somewhere in your future is a security assessment giving you the seal of approval to manage clients’ data and operate on your devices. No one takes security lightly anymore. The business costs of cyberattacks have now hit an all-time high. Government bodies, companies and consumers need the assurance that the next software they download isn’t going to be an open door for hackers.
For good reason, security certifications like the SOC 3 really put you through the wringer. My company, Waydev, has just attained the SOC 3 certification, becoming one of the first development analytics tools to receive that accreditation. We learned so much from the process, we felt it was right to share our experience with others that might be daunted by the prospect.
As a non-tech founder, it was hard not only to navigate the process, but to appreciate its value. But by putting our business caps on, our team was able to optimize our approach and minimize the time and effort needed to achieve our goal. In doing so, we were granted SOC 3 compliance in two weeks, as opposed to the two months it takes some companies.
We also turned the assessment into an opportunity to better our product, align our internal teams, boost our brand and even launch partnerships.
So here’s our advice on how teams can smoothly reach an SOC 3 while simultaneously balancing workloads and minimizing disruption to users.
Because we can’t expect employees to stack those hours on top of their regular workdays, as a leader you have to accept — and communicate — that the speed of your output will inevitably decrease.
As a founder, you’ll be acting as captain steering a ship into that SOC 3 port, and you’ll need all members of your crew to join forces. This isn’t a job for a specially designated security team alone and will require deep involvement from your development and other teams, too. That might lead to internal resistance, as they still have a full-time job tending to your product and customers.
That’s why it’s so important to start by being crystal clear with your employees about what this process will mean to their work lives. However, they have to embrace the true benefits that will arise. SOC 3 will immediately raise your brand’s appeal and likely see new customers come in as a result.
Each employee will also come out the other end with well-honed cybersecurity skills — they’ll have a deep understanding of potential cyber threats to the company, and all security initiatives will carry a far lighter burden. There’s also the sense of pride and fulfillment that comes with having an indisputable edge over your competitors.
Powered by WPeMatico
Data breaches have become a part of life. They impact hospitals, universities, government agencies, charitable organizations and commercial enterprises. In healthcare alone, 2020 saw 640 breaches, exposing 30 million personal records, a 25% increase over 2019 that equates to roughly two breaches per day, according to the U.S. Department of Health and Human Services. On a global basis, 2.3 billion records were breached in February 2021.
It’s painfully clear that existing data loss prevention (DLP) tools are struggling to deal with the data sprawl, ubiquitous cloud services, device diversity and human behaviors that constitute our virtual world.
Conventional DLP solutions are built on a castle-and-moat framework in which data centers and cloud platforms are the castles holding sensitive data. They’re surrounded by networks, endpoint devices and human beings that serve as moats, defining the defensive security perimeters of every organization. Conventional solutions assign sensitivity ratings to individual data assets and monitor these perimeters to detect the unauthorized movement of sensitive data.
It’s painfully clear that existing data loss prevention (DLP) tools are struggling to deal with the data sprawl, ubiquitous cloud services, device diversity and human behaviors that constitute our virtual world.
Unfortunately, these historical security boundaries are becoming increasingly ambiguous and somewhat irrelevant as bots, APIs and collaboration tools become the primary conduits for sharing and exchanging data.
In reality, data loss is only half the problem confronting a modern enterprise. Corporations are routinely exposed to financial, legal and ethical risks associated with the mishandling or misuse of sensitive information within the corporation itself. The risks associated with the misuse of personally identifiable information have been widely publicized.
However, risks of similar or greater severity can result from the mishandling of intellectual property, material nonpublic information, or any type of data that was obtained through a formal agreement that placed explicit restrictions on its use.
Conventional DLP frameworks are incapable of addressing these challenges. We believe they need to be replaced by a new data misuse protection (DMP) framework that safeguards data from unauthorized or inappropriate use within a corporate environment in addition to its outright theft or inadvertent loss. DMP solutions will provide data assets with more sophisticated self-defense mechanisms instead of relying on the surveillance of traditional security perimeters.
Powered by WPeMatico
As the second quarter races to a close, we’re down to the wire for IPOs looking to get out before June ends. One such company is SentinelOne, a cybersecurity startup backed by Insight Venture Partners, Redpoint, Tiger Global Management, Data Collective and Anchorage Capital, among others.
SentinelOne raised an ocean of capital while private, including nearly $500 million across two rounds in 2020. Its debut is therefore a huge liquidity event for a host of investing groups. And today, the cybersecurity unicorn had good news in the form of an upgrade to its IPO price range.
The Exchange explores startups, markets and money. Read it every morning on Extra Crunch or get The Exchange newsletter every Saturday.
Last week, The Exchange wrote that the company’s IPO would be a “good heat check for the IPO market” given its rapid growth and pace of losses. How investors valued it would help explain the public market’s current appetite for loss-making startups. Today’s news implies healthy appetites.
SentinelOne raised its IPO price range this morning from $26 to $29 per share to $31 to $32 per share, a sizable lift to its valuation and IPO raise.
This morning, we’re unpacking the company’s new valuation range, thinking about SentinelOne’s growth and revenue results compared to similar public companies, and working to understand if the company is inexpensive, neutrally priced or expensive compared to current comps. Sound fun? It will be!
Recall that when SentinelOne last raised capital it was valued at $2.7 billion on a pre-money basis. The company was therefore worth just under $3 billion after the $267 million round. The unicorn is going to yeet that figure into space in its IPO, barring something catastrophic.
Its new IPO price range of $31 to $32 per share values the company on a much richer basis. With an anticipated simple share count of 253,530,006 after its IPO, inclusive of a private placement, the company would be worth $7.86 billion to $8.11 billion.
Powered by WPeMatico
Turning the page from the early-stage venture capital market to the super late-stage exit market, this morning we’re talking about endpoint security company SentinelOne’s IPO in the context of Sprinklr’s own. We’ll have more on the public offering market later today when Doximity and Confluent price their respective IPOs after the close of trading.
The Exchange explores startups, markets and money. Read it every morning on Extra Crunch or get The Exchange newsletter every Saturday.
SentinelOne’s IPO, expected to price on June 29 and trade June 30, is a fascinating debut. Why? Because the company sports a combination of rapid growth and expanding losses that make it a good heat check for the IPO market. Its debut will allow us to answer whether public investors still value growth above all else. And this week, the company gave us an early dataset regarding its market value in the form of an IPO price range. This means we can do some unpacking and thinking.
A reminder regarding why we dwell on the exit market for unicorns: We care because the value of late-stage startups when they reach a liquidity point helps set valuation comps for myriad smaller startups. Furthermore, the level of public-market enthusiasm for loss-making, growth-focused companies will determine the scale of returns for many a venture capitalist, founder and early employee.
So, let’s talk about SentinelOne’s cybersecurity IPO price range; Sprinklr’s social-media software debut will play foil.
It can make good sense to pay up for a quickly growing company’s shares. This is why you may hear of a startup raising an early-stage round at a very high revenue multiple.
Why put a $50 million price tag on a startup that just crossed the $1 million annual recurring revenue (ARR) threshold? If it’s growing sufficiently quickly, the math can pencil out. If that startup was growing at 300% per year, say, the revenue multiple that you paid in the round valuing the startup at $50 million would fall sharply over the next year, at which point other investors would probably scramble to put more capital into the firm at a higher price.
Bingo! You just got a markup on your initial investment, and the company has found someone else to lead their next round at a higher price, giving it even more capital to keep its growth game going and make your early investment appear prescient. See? Venture capital is easy.1
The same general idea applies to companies going public. Growth matters, and the more rapidly a company is adding revenue, the more money it will be worth because investors can anticipate its future scale (within reason). Some companies that sport quick growth can have other issues that impact their value. Extensive debt, for example, a history of uneven growth, or deteriorating economics could come into play. Or simply very high losses.
Powered by WPeMatico
If the definition of insanity is doing the same thing over and over and expecting a different outcome, then one might say the cybersecurity industry is insane.
Criminals continue to innovate with highly sophisticated attack methods, but many security organizations still use the same technological approaches they did 10 years ago. The world has changed, but cybersecurity hasn’t kept pace.
Distributed systems, with people and data everywhere, mean the perimeter has disappeared. And the hackers couldn’t be more excited. The same technology approaches, like correlation rules, manual processes and reviewing alerts in isolation, do little more than remedy symptoms while hardly addressing the underlying problem.
The current risks aren’t just technology problems; they’re also problems of people and processes.
Credentials are supposed to be the front gates of the castle, but as the SOC is failing to change, it is failing to detect. The cybersecurity industry must rethink its strategy to analyze how credentials are used and stop breaches before they become bigger problems.
Compromised credentials have long been a primary attack vector, but the problem has only grown worse in the midpandemic world. The acceleration of remote work has increased the attack footprint as organizations struggle to secure their network while employees work from unsecured connections. In April 2020, the FBI said that cybersecurity attacks reported to the organization grew by 400% compared to before the pandemic. Just imagine where that number is now in early 2021.
It only takes one compromised account for an attacker to enter the active directory and create their own credentials. In such an environment, all user accounts should be considered as potentially compromised.
Nearly all of the hundreds of breach reports I’ve read have involved compromised credentials. More than 80% of hacking breaches are now enabled by brute force or the use of lost or stolen credentials, according to the 2020 Data Breach Investigations Report. The most effective and commonly-used strategy is credential stuffing attacks, where digital adversaries break in, exploit the environment, then move laterally to gain higher-level access.
Powered by WPeMatico
Data is the most valuable asset for any business in 2021. If your business is online and collecting customer personal information, your business is dealing in data, which means data privacy compliance regulations will apply to everyone — no matter the company’s size.
Small startups might not think the world’s strictest data privacy laws — the California Consumer Privacy Act (CCPA) and Europe’s General Data Protection Regulation (GDPR) — apply to them, but it’s important to enact best data management practices before a legal situation arises.
Data compliance is not only critical to a company’s daily functions; if done wrong or not done at all, it can be quite costly for companies of all sizes.
For example, failing to comply with the GDPR can result in legal fines of €20 million or 4% of annual revenue. Under the CCPA, fines can also escalate quickly, to the tune of $2,500 to $7,500 per person whose data is exposed during a data breach.
If the data of 1,000 customers is compromised in a cybersecurity incident, that would add up to $7.5 million. The company can also be sued in class action claims or suffer reputational damage, resulting in lost business costs.
It is also important to recognize some benefits of good data management. If a company takes a proactive approach to data privacy, it may mitigate the impact of a data breach, which the government can take into consideration when assessing legal fines. In addition, companies can benefit from business insights, reduced storage costs and increased employee productivity, which can all make a big impact on the company’s bottom line.
Data compliance is not only critical to a company’s daily functions; if done wrong or not done at all, it can be quite costly for companies of all sizes. For example, Vodafone Spain was recently fined $9.72 million under GDPR data protection failures, and enforcement trackers show schools, associations, municipalities, homeowners associations and more are also receiving fines.
GDPR regulators have issued $332.4 million in fines since the law was enacted almost two years ago and are being more aggressive with enforcement. While California’s attorney general started CCPA enforcement on July 1, 2020, the newly passed California Privacy Rights Act (CPRA) only recently created a state agency to more effectively enforce compliance for any company storing information of residents in California, a major hub of U.S. startups.
That is why in this age, data privacy compliance is key to a successful business. Unfortunately, many startups are at a disadvantage for many reasons, including:
Powered by WPeMatico
By now, all companies are fundamentally data driven. This is true regardless of whether they operate in the tech space. Therefore, it makes sense to examine the role data management plays in bolstering — and, for that matter, hampering — productivity and collaboration within organizations.
While the term “data management” inevitably conjures up mental images of vast server farms, the basic tenets predate the computer age. From censuses and elections to the dawn of banking, individuals and organizations have long grappled with the acquisition and analysis of data.
By understanding the needs of all stakeholders, organizations can start to figure out how to remove blockages.
One oft-quoted example is Florence Nightingale, a British nurse who, during the Crimean war, recorded and visualized patient records to highlight the dismal conditions in frontline hospitals. Over a century later, Nightingale is regarded not just as a humanitarian, but also as one of the world’s first data scientists.
As technology began to play a greater role, and the size of data sets began to swell, data management ultimately became codified in a number of formal roles, with names like “database analyst” and “chief data officer.” New challenges followed that formalization, particularly from the regulatory side of things, as legislators introduced tough new data protection rules — most notably the EU’s GDPR legislation.
This inevitably led many organizations to perceive data management as being akin to data governance, where responsibilities are centered around establishing controls and audit procedures, and things are viewed from a defensive lens.
That defensiveness is admittedly justified, particularly given the potential financial and reputational damages caused by data mismanagement and leakage. Nonetheless, there’s an element of myopia here, and being excessively cautious can prevent organizations from realizing the benefits of data-driven collaboration, particularly when it comes to software and product development.
Data defensiveness manifests itself in bureaucracy. You start creating roles like “data steward” and “data custodian” to handle internal requests. A “governance council” sits above them, whose members issue diktats and establish operating procedures — while not actually working in the trenches. Before long, blockages emerge.
Blockages are never good for business. The first sign of trouble comes in the form of “data breadlines.” Employees seeking crucial data find themselves having to make their case to whoever is responsible. Time gets wasted.
By itself, this is catastrophic. But the cultural impact is much worse. People are natural problem-solvers. That’s doubly true for software engineers. So, they start figuring out how to circumvent established procedures, hoarding data in their own “silos.” Collaboration falters. Inconsistencies creep in as teams inevitably find themselves working from different versions of the same data set.
Powered by WPeMatico
SolarWinds is back in hot water after a shareholder lawsuit accused the company of poor security practices, which they say allowed hackers to break into at least nine U.S. government agencies and hundreds of companies.
The lawsuit said SolarWinds used an easily guessable password “solarwinds123” on an update server, which was subsequently breached by hackers “likely Russian in origin.” SolarWinds chief executive Sudhakar Ramakrishna, speaking at a congressional hearing in March, blamed the weak password on an intern.
There are countless cases of companies bearing the brunt from breaches caused by vendors and contractors across the supply chain.
Experts are still trying to understand just how the hackers broke into SolarWinds servers. But the weak password does reveal wider issues about the company’s security practices — including how the easily guessable password was allowed to be set to begin with.
Even if the intern is held culpable, SolarWinds still faces what’s known as vicarious liability — and that can lead to hefty penalties.
Powered by WPeMatico
As 2021 kicked off, I reformulated a series of posts we published last year focused on startups that had reached the $100 million ARR (annual recurring revenue) mark. In our refreshed effort, we cut the target in half and dug up companies around the $50 million ARR threshold. The goal was to figure out what those firms were going through as they reached material scale, not after they had achieved effective pre-IPO status.
And the results were a bit medium.
While it was fun to chat with OwnBackup, Assembly, SimpleNexus and PicsArt, ultimately we were getting similar notes from each company: Hiring is incredibly important as a company scales, founders have to cede decision-making, and as startups grow from $30 million ARR to $50 million or more, they must harden internal systems and build business infrastructure.
The Exchange explores startups, markets and money. Read it every morning on Extra Crunch, or get The Exchange newsletter every Saturday.
All that made sense, but it wasn’t entirely scintillating. I meant to keep the project going; I had publicly made noise about the effort and had a few interviews in the bag that were collecting dust (and emails from various PR folks).
But they wound up in the Google Docs graveyard as the news cycle somehow managed to keep accelerating, meaning that the time required to execute the somewhat effort-intensive series dried up as I held on for dear life as the early, middle, late and IPO-stage startup market stormed.
And so after some reflection, it’s time to admit defeat.
For now, I’m hitting pause on the $50 million ARR series and whatever might have come from the $100 million ARR legacy effort. I may bring it back at some point, but for now, there are just more pressing and interesting things to work on.
What follows is what I believe to be the remainder of my notes from interviews that never saw the light of day. So, one last time, let’s discuss some big startups that are scaling quickly: Appspace, Synack and Druva. We’ll proceed in alphabetical order.
The Exchange caught up with Appspace a bit ago, chatting with a few of its executives, including CMO Scott Chao and CEO Brandon Miles. It’s an interesting company that sells a software platform that powers in-office displays and kiosks. You’ve seen office sign-in screens at a welcome desk, screens outside conference rooms showing how booked they are, or company messaging and the like on various large screens? That’s what Appspace’s software does.
And the company has an interesting vibe. Unlike nearly every other startup I’ve met, Appspace doesn’t think it is saving the world. In our chat, the company joked that its culture is to move quickly, but with the cognizance that they aren’t curing cancer.
Such modesty might feel odd, but it was actually refreshing. Appspace’s job is to white-label itself, let its customers speak to their workers through its various apps (including mobile) and services, and simply feature rock-solid uptime.
Powered by WPeMatico
Robotic process automation (RPA) is making a major impact across every industry. But many don’t know how common the technology is and may not realize that they are interacting with it regularly. RPA is a growing megatrend — by 2022, Gartner predicts that 90% of organizations globally will have adopted RPA and its received over $1.8 billion in investments in the past two years alone.
Due to the shift to remote work, companies across every industry have implemented some form of RPA to simplify their operations to deal with an influx of requests. For example, when major airlines were bombarded with cancellation requests at the onset of the pandemic, RPA became essential to their customer service strategy.
Throughout 2021, security teams will begin to realize the unconsidered security challenges of robotic process automation.
According to Forrester, one major airline had over 120,000 cancellations during the first few weeks of the pandemic. By utilizing RPA to handle the influx of cancellations, the airline was able to simplify its refund process and assist customers in a timely matter.
Delivering this type of streamlined cancellation process with such high demand would have been extremely challenging, if not impossible, without RPA technology.
The multitude of other RPA use cases that have popped up since COVID-19 have made it evident that RPA isn’t going away anytime soon. In fact, interest in the usage of RPA is at an unprecedented high. Gartner inquiries related to RPA increased over 1,000% during 2020 as companies continue to invest.
However, there’s one big issue that’s commonly overlooked when it comes to RPA — security. Like we’ve seen with other innovations, the security aspect of RPA isn’t implemented in the early stages of development — leaving organizations vulnerable to cybercriminals.
If the security vulnerabilities of RPA aren’t addressed quickly, there will be a string of significant RPA breaches in 2021. However, by realizing that these new “digital coworkers” have identities of their own, companies can secure RPA before they make the headlines as the latest major breach.
With RPA, digital workers are created to take over repetitive manual tasks that have been traditionally performed by humans. Their interaction directly with business applications mimics the way humans use credentials and privilege — ultimately giving the robot an identity of its own. An identity that is created and operates much faster than any human identity but doesn’t eat, sleep, take holidays, go on strike or even get paid.
Powered by WPeMatico