Cyber Security Articles

What This Cyber Security Articles Page Is About

The goal of Journal of Cyber Policy is to provide commentary and stimulate conversations about important cyber security topics. Our parallel goal is to discuss cyber issues in plain English, liberating this critical subject from the exclusive realm of specialized engineers and hackers. Throughout, we try to talk about cyber security and related issues from the perspectives of public policy, national security, corporate policy and compliance.

 

Why Articles about Cyber Security Matter

We are living in an era where digital technology dominates so much of our lives. Digital risk naturally accompanies this reality. Smartphones, the IoT, the Internet and so forth make our lives easier, but they also expose us to threats. Some of these threats come from nation state actors. We believe Americans could be better-informed about these risks. And, while there’s certainly no lack of content online about cyberthreats, room still exists for cyber security articles that integrate the subject’s diverse themes of technology, politics and business.

For example, Russian disinformation and Chinese espionage are not new, but today’s digital landscape makes these familiar tactics deadly, in political terms. The Cold War was largely analog in nature, with offensive campaigns quite limited in scope and impact. While Cold War dynamics may survive today, they are having a radically different effect on American society and politics than anything that came before.

It can be tricky to tease out the differences between today and a generation ago. American politics and governance have always been messy, dishonest and idiotic, but there were at least some fact-based controls on it. This is no longer the case. Our enemies are exploiting this new reality. In some cases, they’ve created this new reality.

We see the impacts of these new measures, but leaders across the government and business sectors generally fail to understand the transformative nature of technology, e.g. Amazon is not just a bigger mail order store; the iPhone is not just a phone with fancy features, and so forth. These cognitive gaps lead to deficiencies in the perception of risk. They enable our leaders to underestimate our enemies and how they can win without firing a shot. We also tend to overestimate our defenses and resiliency.

The digitization of society, commerce and politics renders America defenseless in ways that we are only beginning to understand. Digital transformation is double-edged. America’s rush to digitize its economy and society produces as much risk as it does benefit. For example, we have to manage the tensions between mobility and surveillance, between big data and privacy, and so on.

The Topics We Cover in These Articles

We deal with a wide range of cyber security topics in these articles. Some discuss cyber election interference. Others look at geopolitical cyber risks, such as our recent series on Russian disinformation and “Active Measures.” We will frequently check in on the state of enterprise architecture and cloud computing, seeking expert insights into the best practices and new security technologies that are influencing security policies in these areas of information technology. We cover the gamut of security subjects: malware, phishing, identity and access management (IAM), privileged access management (PAM), zero trust, data security, application security, secure DevOps (DevSecOps), red-blue teaming, automation, Security Orchestration, Automation and Response (SOAR), threat monitoring, incident response, intrusion detection, encryption, key management and on and on. Our cyber security articles also look at compliance and at government cybersecurity frameworks and regulations like the NIST Cybersecurity Framework (CSF), GDPR, CCPA and more.

Trusting Employees to Make Good IT Decisions

It may be time for a corporate updating of the wistful saying, misattributed to John Lennon, that goes, “Life is what happens when you’re making other plans.” It should now be, “Workplace tech is what happens when IT makes other plans.” With the best of intentions, and not a small amount of professional diligence, IT and security teams carefully select and provision approved applications and digital services for employees to use.

Said employees are not much impressed, it seems: 63% of Gen Z workers and 40% of millennials consider their workplace tools unreliable, hard to navigate and difficult to integrate with other tools. The result is what some call a “shadow IT crisis.” Employees are taking matters into their own hands and purchasing the tech tools and services they prefer, using credit cards to bypass official company solutions. Some estimate that as much as 40% of corporate IT spending now takes place outside the IT budget.

Is this good or bad? It depends on whom you ask. The IT department doesn’t like it, and it’s not hard to see why. The practice is inherently insecure and costly to manage, assuming the IT department can even get enough visibility to manage digital services operating outside its domain. An application bought on a credit card typically sits outside single sign-on, so there is no central place to enforce multi-factor authentication, log access or revoke it when an employee leaves. Corporate data can end up anywhere, and often does.

From an employee perspective, though, the practice is a boon to productivity. The consumerization of IT has led employees, especially younger people, to expect a modern user experience that is not always available in enterprise solutions. They also demand more control over how they use tech to do their jobs.

The issue actually goes a bit deeper than just tech and spending. It’s about trust and corporate culture. Should employees be trusted to select the tools they want? This is the question asked by Cerby, a company whose solutions protect “unmanageable applications” that lack support for common identity standards like single sign-on. They conducted a survey on the subject and released a State of Employee Trust Report.

“The report is an eye opener,” said Matt Chiodi, Chief Trust Officer at Cerby. “It reveals a significant gap between corporate trust practices and employee sentiment. Forcing employees to use only a limited selection of approved digital services sends a message that the company does not trust its people—a message that has an impact on productivity, as well as employee happiness, workplace satisfaction, and loyalty.”

Indeed, the report found, for example, that 92% of respondents agreed with the notion that “IT needs to get out of the way and let me do my job.” It also shows that employees rank trust as more important than financial compensation. Forty-seven percent of employees and managers say they would take a 20% cut in pay in return for higher trust by their employer. Additionally, employees most valued flexibility (48%), autonomy (42%), and being empowered to choose the applications needed to work effectively (39%). A striking 81% of employees felt increased energy, happiness, productivity, and contribution when employers demonstrated trust.

It’s hard to know if people would actually accept a pay cut in return for increased trust, but the finding is startling, nonetheless. It shows how trust could be viewed as an element of employee compensation. Trust apparently has a tangible value to employees. Managers would be wise to pay attention to this insight.

Organizations that don’t recognize the problem are heading for a lose-lose scenario in which employees download and use unmanageable apps they believe will boost their own productivity. Cyber risk exposure grows while people feel untrusted.

There is a way out of this jam, however. Employees want freedom. They want to be trusted to choose their own tech tools. If an organization wants to extend that trust, it needs to make unmanageable apps manageable and secure.

Cerby offers a solution by connecting unmanageable apps to corporate identity providers like Okta and Microsoft’s Azure AD. Cerby discovers new applications and automates security tasks, such as offboarding, that would otherwise have to be done by hand for each app.

Securing unmanageable apps will not solve the entire employee trust problem on its own, but it would be a big step in the right direction. People could use the tools they prefer, while IT and security teams would not have to worry so much about shadow IT.

 

Why Most IoT Cybersecurity Strategies Will Fail with Zero Trust: A Conversation with Denny LeCompte, CEO of Portnox

I spoke recently with Denny LeCompte, CEO of Portnox, maker of a cloud-native network access control (NAC) solution, among other products. In his view, most Internet of Things (IoT) cybersecurity strategies give zero hope for Zero Trust.

 

Q: Why must IoT devices be secured to avoid becoming gateways onto the corporate network by cybercriminals?

A: In general, IoT devices are manufactured with little concern for security. While bypassing security best practices helps keep production costs low for manufacturers, it also puts the often overwhelming onus of securing the device on the end user or administrator. Unfortunately, this means IoT devices are particularly susceptible to cyber-attack. Cybercriminals know IoT is vulnerable and that many administrators and end users simply can’t keep up with the demand for more sophisticated security safeguards, so they exploit these devices with relative impunity. It’s not so much a question then of “why” IoT should be secured anymore, but rather of “how.”

 

Q: What are some of the ways cybercriminals are using IoT devices to gain access?

A: Some of the top ways in which hackers are leveraging IoT devices to gain access are methods such as vulnerability probing, DNS spoofing, Universal Plug and Play (UPnP) exploitation and reverse engineering firmware. And with so many ways “in,” there is no shortage of high-profile incidents involving cybercriminals gaining network access via IoT – recent hacks against Tesla, Western Digital, and even a high-end casino are some recent examples.

 

Q: Why should identifying, authenticating, authorizing, and segmenting IoT devices become a standard mandate of the connected business era?

A: Most businesses have limited visibility into the security posture of the vast web of devices attached to their networks, especially when it comes to IoT. But you can’t protect against what you can’t see. Businesses need to be able to see IoT devices requesting access to the network. By “see,” I mean being able to properly profile the device and determine its type, location, requested access layer, and more. Until that is possible for an organization, authorizing and segmenting those devices is moot, if not impossible. Applying access and control policies to IoT requires at least an understanding of the device’s ID…and an accurate one at that.

 

Once a business can see and profile all IoT devices, they can start configuring and enforcing authorization and micro-segmentation policies for these devices to further strengthen their network security posture. Most companies today can’t see, let alone control access for IoT. But ostensibly, if they could do both, they’d define strict policies that take into account the inherent vulnerability of these devices.  With the right toolset, organizations can enact these policies without additional overhead, architectural changes, or on-premises hardware.

 

Q: Can you explain where fingerprinting fits into establishing and enforcing Zero Trust for IoT?

A: IoT remains the biggest hurdle in achieving universal zero trust across the organization. Since IoT has been so difficult to accurately profile, the zero trust model would argue that no IoT device can be trusted, and thus should not be allowed on the network. Unfortunately, IoT is critical to business operations today – particularly in manufacturing, healthcare, construction and engineering.

Fingerprinting IoT devices is the process of identifying an IoT device’s vital characteristics on the network to define and apply unique policies based on those characteristics. Important characteristics typically include device manufacturer, make and model. These characteristics are then utilized to further classify the device types, such as security cameras, IP phones, gaming consoles, medical devices, etc. Examples of policies that could be defined based upon those characteristics and classifications would be to place all security cameras onto a designated VLAN, apply an ACL to all medical devices that blocks all uninitiated incoming network traffic to the devices, or even to deny access onto the network entirely, or place the device into a safe quarantine guest VLAN in the case of gaming consoles.

With the ability to first see and then control IoT devices through the use of IoT fingerprinting, organizations can close the loop on this zero trust security model gap.

 

Q: How can businesses close IoT security gaps and unknown entry points?

A: Businesses can close IoT security gaps by implementing comprehensive IoT security protocols that include IoT fingerprinting, as well as access and authorization policies based on IoT profiles across their entire environment. On top of that, it’s imperative to keep firmware up to date, turn off unused services, rely on firewalls to manage accepted traffic, and stay on top of general environmental drift due to inevitable human interference with IoT. Just like the rest of the security threat landscape, IoT threats and best practices to prevent cyberattacks and network exploits will continue to evolve so businesses need to be ready to scale their security practices to keep pace.
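The see-then-control loop LeCompte describes above, as an added example that is not Portnox code: a small Python policy engine that profiles a device from two signals (the OUI of its MAC address and the DHCP option 55 parameter request list), classifies it, and applies the class policy (production VLAN plus ACL, quarantine VLAN, or outright denial). It goes slightly beyond the interview in two ways a zero-trust deployment needs: an unknown or self-contradictory fingerprint is denied rather than admitted, and a device with only one (spoofable) matching signal, or a randomized MAC whose OUI carries no vendor information, is quarantined rather than granted its class’s production VLAN. Every OUI prefix, DHCP signature, vendor name and VLAN number below is constructed for the example.

```python
"""IoT fingerprint -> class -> access policy, NAC style (added example, not vendor code).

Two profiling signals are used: the IEEE OUI (first three octets of the MAC)
and the DHCP option 55 parameter request list. All table values are
constructed for illustration; a real deployment would load the IEEE OUI
registry and a maintained DHCP signature database.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Action(Enum):
    ALLOW = "allow"            # admit to the class's production VLAN with its ACL
    QUARANTINE = "quarantine"  # guest/quarantine VLAN, internet only, no east-west access
    DENY = "deny"              # no network access at all


@dataclass(frozen=True)
class Fingerprint:
    mac: str                       # as seen in the 802.1X/MAB or DHCP request
    dhcp_params: Tuple[int, ...]   # DHCP option 55, in the order the client sent it


@dataclass(frozen=True)
class Decision:
    device_class: str
    action: Action
    vlan: Optional[int]
    acl: Tuple[str, ...]


# Constructed OUI -> (vendor, device class). Hypothetical prefixes and vendors.
OUI_TABLE = {
    "0c:ab:01": ("ExampleCam", "security_camera"),
    "0c:ab:02": ("ExampleVoice", "ip_phone"),
    "0c:ab:03": ("ExampleMed", "medical_device"),
    "0c:ab:04": ("ExampleGames", "gaming_console"),
}

# Constructed DHCP option-55 signatures: which options a client's DHCP stack
# asks for, and in what order, is a common second profiling signal.
DHCP_SIGNATURES = {
    (1, 3, 6, 15, 42): "security_camera",
    (1, 3, 6, 120, 150): "ip_phone",
    (1, 3, 6, 15, 28): "medical_device",
    (1, 3, 6, 15, 26): "gaming_console",
}

QUARANTINE_VLAN = 999  # hypothetical guest/quarantine VLAN

# Per-class policy, mirroring the interview: cameras on their own VLAN, medical
# devices with an ACL dropping unsolicited inbound traffic, consoles quarantined.
POLICY = {
    "security_camera": Decision("security_camera", Action.ALLOW, 110, ("deny-unsolicited-inbound",)),
    "ip_phone": Decision("ip_phone", Action.ALLOW, 120, ("voice-only",)),
    "medical_device": Decision("medical_device", Action.ALLOW, 130, ("deny-unsolicited-inbound",)),
    "gaming_console": Decision("gaming_console", Action.QUARANTINE, QUARANTINE_VLAN, ("guest-internet-only",)),
}

DENY = Decision("unknown", Action.DENY, None, ())


def normalize_mac(mac: str) -> str:
    """Accept 0C-AB-01-12-34-56, 0cab.0112.3456 or 0c:ab:01:12:34:56; return the colon form."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet is set on randomized/privacy MACs, so the OUI names no vendor."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def classify(fp: Fingerprint) -> Tuple[str, int]:
    """Return (device_class, number of agreeing signals); 0 means unknown or conflicting."""
    by_oui = None
    if not is_locally_administered(fp.mac):
        entry = OUI_TABLE.get(normalize_mac(fp.mac)[:8])
        by_oui = entry[1] if entry else None
    by_dhcp = DHCP_SIGNATURES.get(tuple(fp.dhcp_params))

    if by_oui and by_dhcp:
        if by_oui == by_dhcp:
            return by_oui, 2
        return "conflict", 0  # vendor OUI says one thing, DHCP stack another: likely spoofed MAC
    if by_oui:
        return by_oui, 1
    if by_dhcp:
        return by_dhcp, 1
    return "unknown", 0


def decide(fp: Fingerprint) -> Decision:
    device_class, signals = classify(fp)
    if signals == 0:
        return DENY  # zero-trust default: an unprofiled or contradictory device gets nothing
    policy = POLICY.get(device_class, DENY)
    if signals == 1 and policy.action is Action.ALLOW:
        # One spoofable signal is not enough evidence for the class's production VLAN.
        return Decision(device_class, Action.QUARANTINE, QUARANTINE_VLAN, ("guest-internet-only",))
    return policy


if __name__ == "__main__":
    # Constructed join attempts: a genuine camera, an unknown device, a spoofed
    # medical-device MAC with a console's DHCP stack, and a randomized MAC.
    for fp in (Fingerprint("0C-AB-01-12-34-56", (1, 3, 6, 15, 42)),
               Fingerprint("0c:ab:99:00:00:01", (1, 3, 6)),
               Fingerprint("0c:ab:03:00:00:02", (1, 3, 6, 15, 26)),
               Fingerprint("0e:ab:01:00:00:03", (1, 3, 6, 15, 42))):
        print(fp.mac, "->", decide(fp))
```

In a real NAC the Decision would be returned to the switch or wireless controller as RADIUS attributes (the VLAN via Tunnel-Private-Group-ID, the ACL via a vendor attribute), and the two-signal requirement is what stops a device that merely copies a camera’s MAC address from landing on the camera VLAN.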


How Current Macroeconomic Challenges Will Impact Cybersecurity in 2023

Guest Post by Leonid Belkind, CTO and Co-Founder of Torq

 

As we’ve all seen, virtually every economic authority, including the US Federal Reserve, European Central Bank, The Swiss Government, and Morgan Stanley, is predicting a macroeconomic slowdown across 2023. While there is debate about whether it will be a bump in the road or a recession, everyone agrees that in general, spending will be curbed, and that organizations will, at minimum, be looking to do more with their existing resources.

 

So, what does this mean for the cybersecurity industry? It will have to acknowledge what its customers and prospects are dealing with and be sympathetic to their situations. However, it is also not without its opportunities. The fact is, IT and security professionals will be looking for ways to drive more value from their existing security stack, rather than adding more point solutions to it.

 

Cyberthreats Don’t Pause During a Downturn

Another critical point is that there is uniform agreement that evolving cyberattacks will continue relentlessly. Threat actors will evolve to become more cunning, with novel approaches for deploying threats and manipulating users. Therefore, the cybersecurity attack surface is certain to expand, not contract. No one in the cybersecurity ecosystem can rest on their laurels during an economic downturn. Cyberattacks have the potential to create monumental, well-documented economic damage that can exacerbate economic challenges in an already difficult financial environment.

 

Cybersecurity companies need to emphasize their proactive capabilities over the historic reactive element in these economic circumstances. If they position themselves as a critical, protective layer, it will go a long way to cementing the essential nature of their offerings. Simply talking about how they handle crises once they’ve begun is no longer good enough. Optimally, cybersecurity firms should emphasize how their offerings harness early threat intelligence signals and build defenses against them into their workflows and processes.

 

Democratizing Security Contributes to Cost Efficiencies

Another consideration for cybersecurity companies is the potential to increase democratization of security responsibility across customer and prospect organizations. Part of maximizing value involves security processes that focus on shared responsibilities, in which employees, R&D, DevOps, and IT are true partners and collaborators in protecting their organizations. An example of this is how security automation is now moving towards validating end users’ identities, and enabling them to have temporary security clearances to engage in system updates, credential retrieval, and remote access with dramatically minimized risk. This is enabled through integration across communications and project management tools, anchored by workflows that ensure accurate verification and access controls.

 

Cybersecurity companies also need to look at the security ecosystem as one that is interconnected, instead of being a siloed collection of point tools. Organizations are now demanding that previously-disparate security systems talk to each other. Platforms, applications, and tools must become interoperable and interconnected, for comprehensive management, monitoring, and measurement.

 

Vendors that listen to what organizations are looking for and calibrate their offerings to map to a holistic ecosystem view are the ones that are likely to have the most success in 2023 and beyond.

 

Geopolitical Strife is Another Key Factor

Another important contextual element that pairs with the macroeconomic situation is the geopolitical climate. The two are connected across multiple junctions. Cybersecurity companies must continue to push the envelope of their offerings to address the needs of organizations that exist within geopolitical difficulties. They need to make their offerings essential even during times of deep uncertainty and instability.

 

Without engaging in any vulture-like tactics, vendors must consider how customer priorities intersect at the nation-state level with companies operating in conflict zones. There are business opportunities available–ones that fundamentally positively contribute to resilience of both business and country. However, vendors need to carefully navigate through complexity and ensure their offerings and messages are accurately in tune with the difficulties the organizations are facing.

 

Taking a broader portfolio view focused on addressing critical customer challenges is key. Instead of looking inwards, cybersecurity companies must look outward and approach their markets with a view that’s sympathetic to what organizations are experiencing and adjust their strategies accordingly. So, indeed, while the macroeconomic climate is stormy, it is possible to chart a clear path forward beneficial to vendors and customers alike.

 

About the Author

Leonid Belkind is a co-founder and Chief Technology Officer at Torq, a no-code security automation platform. Prior to Torq, Leonid co-founded, and was CTO of Luminate Security, a pioneer in Zero Trust Network Access and Secure Access Services Edge, where he guided this enterprise-grade service from inception, to Fortune 500 adoption, to acquisition by Symantec. Before Luminate, Leonid managed engineering organizations at Check Point Software Technologies that delivered network, endpoint and data security products to the world’s largest organizations.

 

Cyber Venture Capital: A VC’s Perspective

Is the cybersecurity venture capital surge coming to an end? Overall, the VC world is experiencing a pullback, with S&P Global Market Intelligence revealing that the number of investment rounds was down 32.1% year over year from 2021 to 2022. At the same time, the value of VC rounds fell 65% in the same period. No one knows for sure what will happen to venture funding for security startups, but at least one thought leader is maintaining a positive outlook.

Dr. Lindsey Polley

Dr. Lindsey Polley is Director of Cyber & Space Intelligence at VentureScope’s MACH37 startup accelerator. The 90-day accelerator program’s goal is to facilitate the development of the next generation of cyber product companies. After earning her PhD from the RAND Corporation, where she served as a defense and policy researcher for technology projects spanning the DoD, DHS, and the US intelligence community (IC), Dr. Polley now works as a futurist who specializes in the emergent landscape around cyber and “cyber-adjacent” technologies.

I spoke with Dr. Polley in November of 2022.

Q:           What do you think is happening right now in the world of cybersecurity venture capital?

A:            From 2019 through 2021, we saw dips in venture funding for cybersecurity startups. If you take a closer look, though, it’s not that investor demand was not there. The issue was, and still is, that there are so many similar ventures in the category—everyone’s claiming to be just a bit different, but essentially, a lot of startups are offering the same thing—we’re seeing a consolidation, the acquisition of smaller companies into larger companies, or ventures combining to join a partnership or a larger entity. As a result, there wasn’t as much need for venture capital funding rounds, but that is changing. I think that venture capital appetite is still there. Indeed, from our perspective, cybersecurity is less risky to investors than it was just a year or two ago. I think we’re going to see a resurgence of injection of capital into companies operating in this realm.

 

Q:           Do you think there’s a particular category of security venture that is going to do well now?

A:            I’m like a parent. I love all my children equally. Seriously, though, if I had to choose areas to focus on, I would say cyber attack surface management (CAASM) tools are looking very strong right now. These tools help you make sure that you have adequate visibility across vulnerability challenges—aggregating data for those vulnerabilities so that you can see in real time what’s going on in your network and endpoints, along with everything that’s connected, it’s a very multi-dimensional view of an enterprise’s threat posture. I think CAASM is going to be hot with VCs in the coming year.

Plus, supply chain. We have a unique confluence of events where we have the developers and researchers working on this, the technical professionals who are now in line with the investors, investors are doubling down on wanting to fund these new capabilities to help make this happen. We like ventures that are developing new tools to secure or prevent against counterfeit components or tampering. That translates into cybersecurity for software in particular, with tools that better protect the entire software stack and the development pipeline.

Quantum security is getting attention, as it should. There’s been some confusion about this, but quantum risk is an area of cybersecurity where we are probably going to see a convergence of civilian and military attack surfaces. It’s like what we see with commercial satellites, where an attack on a corporate asset might be construed as an act of war. Quantum is similar, like if a defense contractor’s data is decrypted through quantum computing, that’s a national security issue even if it’s corporate data. Ventures that help address this risk are going to do well, in my view.

And let’s not forget semiconductors. Chips don’t always make it onto the cybersecurity VC radar screen, but they really should, if you ask me. Security needs to start in the silicon. The recently announced US Japan Joint Research Center is part of this story.

 

Q:           Are the venture capital players in cybersecurity changing, or is the same crowd as always?

A:            Yes, the investors are potentially changing. We have the big traditional investment firms, of course. They are not going anywhere, for the most part, even if some of them pare back their investments in cybersecurity. But we also have the introduction of non-traditional investors, like actors and TV personalities, along with platforms that allow crowdsourcing from regular people who put up $2,000 to potentially bet on a huge unicorn payout. Startups that may not have been able to get funding through the traditional route are finding more opportunities now, given these other non-traditional avenues for funding that have started to open up in the last couple of years.


IDC: Two Thirds of Organizations Lack Confidence in Vulnerability Identification

International Data Corporation (IDC), the market intelligence firm, just released a new InfoBrief that reveals a startling insight into the state of cybersecurity: almost two-thirds of organizations do not have high confidence in identifying their greatest vulnerabilities. Wow. Considering the scale of risk in this day and age, that’s not a reassuring number. It feels honest, however. Despite the best efforts of a lot of smart people, and a great deal of investment in cybersecurity, security managers remain unclear on just how well they’re protecting their most important digital assets.

The report, Studying the Effects of a Virtuous Cycle in Cybersecurity, sponsored by Darktrace, also found that 81% of organizations felt that artificial intelligence (AI) insights would help them to automate their security postures. These two findings go together. Security managers lack confidence in identifying vulnerabilities because there are simply too many threats in too many places for human beings to track effectively.

Today’s geopolitical and macroeconomic environment is part of the problem, according to Amber Rudd, former UK Home Secretary. She said, “Cyber security risks are one of the most pressing but least well understood risks organizations face today. As the geopolitical landscape becomes more fractious and the world continues on a path of rapid digital transformation, businesses are facing a greater, more complex set of cyber security challenges than ever before – and these are constantly evolving.”

As Chris Kissel, Research Director at the IDC, put it, “As organizations contend with an increasingly complex set of cyber security challenges, a reactive approach does not go far enough. CISOs are starting to look at cyber security just like any other operational risk and are turning to a more proactive approach that pre-empts cyber-attacks before they happen, rather than waiting to be breached. It is clear that organizations must adopt a preventative approach and will be increasingly reliant on AI to do so.”

For Nicole Eagan, Chief Strategy Officer at Darktrace, the underlying problem has to do with risk prioritization. “Most companies have siloed IT,” she said. “With systems operating in separate spheres, or in ‘shadow IT’ environments that few know about, it’s extremely difficult to know which risks carry the most disruptive potential.”

The challenge is to identify the most serious areas of vulnerability and establish a practical priority for risk mitigation. Amber Rudd spoke to this need, saying, “Being proactive requires organizations to understand what their weaknesses are and proactively address these before attackers take advantage.” Without risk prioritization, it’s easy to waste time and money on activities like penetration testing (pentesting) of non-critical systems while the paths to the assets that matter go unexamined. This is a lot easier said than done, but AI offers a way forward.

Darktrace’s new PREVENT solution is taking on this challenge. It offers a predictive and preventative approach for tackling cyber-threats and business risk by using AI to “think like an attacker.” The solution finds pathways to an organization’s most critical assets from inside and outside. It works at the levels of attack surface management (ASM), attack path modelling, pentesting and breach emulation.

“This technology is making the job of the attacker much harder,” said Poppy Gustafsson OBE, CEO at Darktrace. “It arms security teams with unprecedented, AI-powered tools, which can pre-empt even the most complex cyber-attacks. It represents a fundamental shift in cyber-security, putting security teams on the front foot as they seek to protect their organizations and build cyber resilience.”

Ultimately, solutions like PREVENT exist to augment the human mind, minds that are increasingly affected by the stress of the job. “Burnout is very real,” Eagan said. “One of the main purposes of PREVENT is to provide facts that can bring people together so they can work more harmoniously in their cyber defense roles.” Indeed, as Eagan pointed out, the PREVENT AI can emerge as a virtual team member in the cybersecurity organization. “It’s like having a supersmart colleague who can see around corners, but never takes a day off.”


Survey Reveals Problems for Cyber Insurance Carriers

Buying a cyber insurance policy is considered an effective way to manage residual cyber risk. Insurance carriers have jumped into the category. While still small by insurance industry standards, cyber insurance is now a $9 billion business, projected to reach $38 billion by 2030. However, there may be some bumps on the road to accompany this 15% compound annual growth rate (CAGR).

 

A recent report from Delinea, maker of privileged access management (PAM) solutions, reveals that 80% of companies have used their cyber insurance policies. The report is based on a survey of 300 US-based IT decision makers. Eighty percent is a high number. Indeed, cyber insurance carriers are starting to require policy holders to establish and verify that they have more security controls, with the goal of reducing how many policy holders are turning to their cyber insurance when they suffer an attack.

 

According to Joseph Carson, chief security scientist and advisory CISO at Delinea, insurers are now putting hard limits on payouts for incidents like ransomware attacks. He said, “The shock from this latest research is how so many organizations who have obtained cyber insurance have needed to use it and, again, half of those multiple times.” He added, “It is almost like continuously crashing your car and not learning from the first one on how you are going to change prioritizing prevention.”

 

Avishai Avivi, CISO at SafeBreach, which offers attack simulation and “red team” solutions, offered insights into the report and its findings. He said, “Cyber insurance helps cybersecurity professionals manage risk by transferring the cost of a data breach. However, if 80% of companies with cyber insurance are actually using it, insurance providers will soon have to start adjusting their calculations.”

 

Avivi also offered an automotive comparison: “Think of it this way: if a car insurance company knew that there is an 80% chance that the driver they’re insuring will be in a serious accident, or an 80% chance that the car will be stolen, would it still make sense to offer the coverage?”


He elaborated, sharing, “To continue the metaphor, while seatbelts, airbags, and even car alarms might be required before a premium is granted, who knows if the drivers are really using their seatbelts, or turning on the alarm?” As Avivi sees it, cyber insurance providers need to start advancing beyond simple checklists for security controls. They should require their customers to validate that their security controls work as designed and expected. They need their customers to simulate their adversaries to ensure that when they are attacked, the attack will not result in a breach.


Further to these points, Avivi remarked, “In fact, we’re already starting to see government regulations and guidance that includes adversary simulation as part of their proactive response to threats.” He added, “As this trend continues, we foresee that cyber insurance companies will mandate or incentivize companies seeking coverage to implement security validation and adversary simulation as part of their ongoing security program. This will be especially true for customers in regulated industries or with very high-risk digital assets, such as personal data records.”


How Can CISOs Solve the Cybersecurity Talent Shortfall?

By Shalom Bublil, Chief Product Officer at Kovrr

As cybersecurity threats grow larger, organizations struggle to hire enough staff to stay secure. Not only do companies often lack talent with the skills to meet existing risks, but they also need to add and train staff with the ability to handle new threats in areas like cloud security.

“Because there are so many specialty areas in cybersecurity, and because the field is evolving so quickly, basic cybersecurity know-how no longer cuts it,” notes The University of Tulsa.

Yet finding this talent is easier said than done, leaving many organizations short-staffed. A survey by Cobalt finds that 94% of security teams face talent shortages. Plus, existing talent are often unsatisfied, with 54% in the Cobalt survey saying that challenges like it being “harder to monitor for vulnerabilities” make them want to leave their jobs. That could lead to more turnover and exacerbate the shortage.

But all hope is not lost. In this series on “what keeps a CISO up at night,” we’re examining some of the top issues that CISOs and other IT leaders face. Here, we’ll take a closer look at how to solve the cybersecurity talent shortfall.

Reframe Cybersecurity

To start closing the cybersecurity talent gap, CISOs can push to reframe how cybersecurity is viewed within their organizations.

Rather than making cybersecurity seem overly technical and operational, CISOs can reposition cybersecurity as being more strategic, creative and business-oriented. That can help attract employees. It can also get other leaders on board so you have the budget and overall organizational support to ramp up hiring.

“In today’s environment, cyber is not a cost center, it is a strategic component of enterprise risk management and a business enabler. When it is positioned as such to employees, they will understand that the company values cyber and see a career ladder to scale,” says Deloitte.

Similarly, CISOs can work with HR teams to reframe job descriptions and search for soft skills too, rather than strictly looking for IT skills.

“These characteristics might include curiosity, commitment for problem-solving, and strong work ethic — all of which can help shape future professionals with the right corporate guidance and training,” notes the Computing Technology Industry Association (CompTIA).

Broaden Talent Pools

Another important aspect of closing the cybersecurity talent gap is broadening the talent pools you search in. If your existing searches aren’t yielding enough candidates — such as if you’re mainly sourcing talent from the alma maters of current employees — perhaps you’re not reaching a diverse enough audience.

Recruiting more women, BIPOC individuals, neurodivergent candidates and others who might be underrepresented in your organization can be a great way to add cybersecurity talent while tapping into the power of diversity.

“A growing body of research shows organizations that embrace diversity and establish an inclusive industry and workplace culture perform at higher levels, which means a safer and more secure cyber world,” says (ISC)², a nonprofit association for information security leaders.

To find more diverse candidates, CISOs can take steps like working with HR teams to find partners like educational institutions and nonprofits that get you outside of your existing talent pools.

You also might find that you’re overlooking your internal talent pool. Upskilling and reskilling existing employees to move into cyber roles, especially when staff come from other positions that might typically be easier to fill, can help you reduce cybersecurity staff shortages.

Leverage Technology Where Possible

As important as it is to change how organizations position cybersecurity and how they source employees, that doesn’t mean that the cybersecurity talent shortfall can immediately be solved. Organizations will likely have to deal with some gaps in the near term, but they can turn to technology to ease shortages.

For example, technology that automates areas like threat detection might help short-staffed cybersecurity teams stay ahead of attacks. Other types of cybersecurity technology like Kovrr’s Quantum cyber risk quantification platform can help CISOs get the most out of existing cybersecurity resources.

By modeling the financial impact of potential cyber events, you can understand where the largest risks exist and direct employees to focus on those areas.

Suppose you want to roll out a company-wide cyber awareness program, as well as improve data recovery capabilities. If you’re short-staffed, you might not have the bandwidth to do both at the same time. But by leveraging Kovrr’s financial quantification capabilities, you can determine the financial impact that these two activities would have on your business. From there, you can prioritize the one that would provide the most financial risk reduction.

Overall, the cybersecurity talent shortfall isn’t necessarily a quick or easy fix, but CISOs can rest easier at night by following these steps. Repositioning how your organization and candidates think about cybersecurity, expanding your talent pools, and maximizing your existing staff by leveraging technology can go a long way toward building a more secure organization.

About the Author: Shalom is chief product officer at Kovrr and a cyber data science expert. Throughout his career, Shalom has acquired unique expertise in cyber intelligence, threat modeling, risk modeling, machine learning and artificial intelligence. Shalom joined an elite Israeli intelligence unit and served for four years specializing in cyber. Following his military service, he joined Lacoon Mobile Security where he led the threat intelligence and threat modeling initiatives. In his last position before founding Kovrr, he led cyber threat intelligence and modeling efforts at Deep Instinct, developing a commercial detection engine product from scratch based on advanced artificial intelligence technology. Shalom holds a B.A. from the Open University of Israel.


Book Review: Russian Information Warfare: Assault on Democracies in the Cyber Wild West

Russian Information Warfare: Assault on Democracies in the Cyber Wild West, by Dr. Bilyana Lilly, is the latest title from the Naval Institute Press to take on the serious and important topic of foreign cyber threats to the United States. Dr. Lilly, a cybersecurity expert and adjunct researcher at the RAND Corporation, brings significant expertise to the work. She also comes at the topic with very welcome thoroughness regarding the nature and background of the problem, as well as the analysis of the issue.

Dr. Lilly starts the book by establishing a couple of truths about what’s happening in the US and the broader world of political democracies—truths that should not be hard to identify, but are, for a variety of reasons I will discuss in a moment. First, Russia is waging an information war against the US, Germany, the UK and other democracies it perceives as threats. This information war is part of a broader strategy of fighting wars without actually fighting wars (though with the invasion of Ukraine, this doctrine is now falling apart).

She also explores the political philosophy and strategic outlook driving Russian actions. This is a helpful context, as it answers the question on the minds of many people who study the issue: Why are they doing this? She puts you in the heads of Russian leadership, offering a point of view on how Russia sees the west as a threat.

The book then works through eight case studies, each analyzing the highest impact Russian information war campaigns in the last few years. These include the efforts to disrupt the 2016 US presidential election, hacking the German Bundestag and interfering in the French presidential election of 2017. For each case, Dr. Lilly offers a data-driven analysis, structured by a disciplined methodology, to show how Russian hacking and disinformation processes work.


The book shows data on the interlocking attack vectors of media disinformation, hacking, and data theft/leakage that cut across the political, social and economic spheres of the targeted country. This methodical, deep analysis is very welcome, in my view. So, too, is the fact that Dr. Lilly does not waver in her attributions.

Difficulty in attribution is one of the two most serious problems the west has in confronting this digital aggression from Russia. The major media stumbles badly in dealing with these attacks because it’s almost impossible, based on journalistic standards, to attribute cyberattacks to a foreign power. News reporting invariably waffles, with frustrating cop-outs like, “suspected to be the work of Russian gangs who may have connections to the Kremlin…”

The other problem comes from the intelligence world, which, probably with good reason, is loath to weigh in definitively on where these attacks are coming from. They don’t want to reveal sources and methods, and so forth. Even the bright spots, like the bipartisan Senate report accusing Russia of election interference, lack impact because few people read it. Current senior leadership is similarly reluctant to make too much of the issue, for fear of disrupting the diplomatic process with accusations based on guesswork and vague attributions.


Then, there’s the herd of elephants in the room: One of two political parties in the United States has an urgent need to ignore this serious national security threat and pretend it isn’t happening. Russia interfered in the 2016 election to get their preferred candidate elected. That candidate is now the undisputed leader of that political party, with the extent of his reliance on Russian influence (and vulnerability to blackmail) still unknown.

A massive media ecosystem is complicit in hiding his connections to Russian information warfare. If anything, it appears to be repeating Russian disinformation campaigns to further Russian information warfare goals in the US and elsewhere. In this environment, any honest appraisal of the risks faced by the US is nearly impossible.

All of which raises a huge question: how does a country fight an information war it won’t admit it’s in? It’s not fair to lay this at Dr. Lilly’s feet. She has done an admirable job of analyzing the problem and offering the most compelling proof of attacks I’ve ever seen. She does offer some policy recommendations, however. These include expanding information gathering about Russian cyber operations, beefing up cyber defenses and getting media outlets to agree on standards for reporting stories that are suspected to be the work of foreign propagandists.

Given the state of American politics and political media these days, it’s hard to know if any of these ideas will work. But, having a book like this is a good start. It provides a detailed, factual basis for discussing a confrontation the US and other countries are having with a major geopolitical adversary—a confrontation that needs to be addressed out in the open if anything is to be accomplished.



The Role of the Fractional CISO

I recently sat down to speak with Christopher Prewitt, the CTO of Inversion6, a cybersecurity risk management firm that’s close enough to where I live that we could meet for kosher pizza. The first question I asked had to do with the company’s name. Inversion6 had gone by MRK Technology for the previous 37 years, only recently changing its name to Inversion6.

What does Inversion6 represent? According to Prewitt, the new name reflects two ideas embodied by the business. First, inversion: As Prewitt sees things, the current cybersecurity environment amounts to an inverted world. Few things are the way they used to be. The perimeter is gone. People and digital assets are all over the place. Traditional countermeasures are nowhere near as effective as they used to be. If you want to be secure in this upside-down world, you need some fresh ideas.

The “6” in Inversion6 refers to a military term I had never heard of before, probably because I never served in the military. “Got your 6” means “I’ve got your back.” In the military, twelve o’clock represents looking forward, straight ahead. Six o’clock is behind you. Covering someone’s “6” means guarding their back. I’m glad he explained this to me, because I had immediately leapt to the conclusion that “got your 6” meant you were bringing the beer.


This explanation reminded me of watching the Gregory Peck classic World War II movie “Twelve O’Clock High” for my organizational behavior class in business school. The movie told the story of brave airmen in the Eighth Air Force, risking their lives to bomb Germany while coming under heavy fire from fighter planes that approached from the front—at twelve o’clock.

The movie also provided an excellent business case study in leadership, team building and the allocation of scarce resources. There’s a scene where Peck’s commanding officer explains that every squadron in the Army Air Corps is demanding more planes. There aren’t enough to go around, so Peck must demonstrate why his squadron deserves to have them. It’s a classic business dilemma. Every business unit wants capital and people, but the company only has so much to invest.

Leadership and the allocation of scarce resources are two critical success factors in cybersecurity. This is true for all businesses, but especially for smaller firms that cannot afford too many dedicated security team members.

Inversion6 addresses these needs through its fractional CISO service. Clients can avail themselves of a Chief Information Security Officer (CISO) who covers their account on a part time basis. They get the value of a CISO, but on a budget they can afford. Plus, they avoid the challenge of finding a CISO and hiring him or her.

“Many business stakeholders do not know that hacking is essentially an industry now, a collection of large, highly organized entities that are in the business of mounting cyber attacks.” – Christopher Prewitt, CTO of Inversion6

Prewitt serves in this role for several of Inversion6’s clients. He is their guide in the inverted world of cybersecurity. One core part of the job is to work with business managers who may not be familiar with cyber risks. For example, as he explained, some C-level executives do not think their companies are targets of cyberattacks. “I run a manufacturing plant. Why would someone want to hack us?” is a point of view Prewitt frequently encounters.

“My job is to explain why yes, even a manufacturer is a target today,” Prewitt said. “A couple of issues are at play here. For one thing, many business stakeholders do not know that hacking is essentially an industry now, a collection of large, highly organized entities that are in the business of mounting cyber attacks. They will attack anyone who is vulnerable.” He went on to say that today’s hackers are looking to commit crimes of opportunity, such as ransomware attacks. In those cases, a manufacturer who didn’t think it was a target might find itself paying a ransom to get its operations going again.

This kind of dialogue is part of a bigger picture, however, which involves bringing tech and business stakeholders together to discuss cyber risk in business terms. “People from IT, security and business management often find themselves talking past each other. As a fractional CISO, I can be there to mediate the conversation and get everyone to understand the business impact of a security issue. I can facilitate discussions of business risk to tech people and tech risk to businesspeople.”

Out of this process, hopefully, come decisions about security that will make a difference in the client’s security posture. An effective dialogue on mitigating cyber risk can also help avoid what Prewitt refers to as the procurement trap.

He said, “A lot of corporate leadership teams are presented with a proposal to buy a certain cybersecurity solution. This may or may not be a good idea. Becoming more secure is about more than just buying the right tools. You have to have people and processes in place to implement those tools and turn them into effective countermeasures. A fractional CISO can get people to come together to understand these realities.”

The fractional CISO service is part of a broader outsourcing relationship Inversion6 has with its clients. Inversion6 can take care of 24/7 security monitoring, for example, a task that most companies cannot staff for. The company also helps tighten processes for tasks like locking accounts or quarantining infected devices. It all adds up to having the client’s “6” when it comes to cybersecurity.


Cyberhaven’s Howard Ting: The New Comprehensive Cyber Capabilities Working Group (C3WG)

In this thought leader video, Howard Ting, CEO of Cyberhaven, discusses the new Comprehensive Cyber Capabilities Working Group (C3WG), which launched this past June to explore what cybersecurity capabilities are needed to protect the assets of an organization against today’s threats. As Ting describes, data is one of the most important assets, and existing models and frameworks for data security are not well developed. The group will define a complete set of data security capabilities, which will be published in the industry-first Data Security Maturity Model (DSMM). C3WG is working to define for the cybersecurity community a comprehensive list of capabilities needed to secure and defend the full range of cyber assets within an organization. Comprised of security leaders from across industries, the group has deep expertise in the people, process, and technology used to solve security challenges. To learn more, visit www.DataSecurity.org.