As any veteran CISO knows, migrating to new security tools is disruptive, costly, and a general pain in the neck. When building our security stacks, we tend to prioritize familiarity, consistency and practicality over innovation, striving to offer our teams with the most tried-and-tested security mechanisms possible by relying on established vendors and their legacy security tools.
This may have sufficed in the on-prem days, but the cloud and data transformations have ushered in a new era of information security and technological advancement driven by AI that have made legacy tools increasingly irrelevant. They often are a security risk, may demand high maintenance, are sometimes inefficient, and are often not fully compliant with updated industry regulations and standards.
Coupled with the alarmingly fast progression of technological innovation, increasingly sophisticated malicious actors, more complex threats and constantly shifting and evolving attack vectors, it’s clear that the industry needs to update its legacy approach to security.
CISOs must contend with a wide array of constraints when building their security stacks. While with the constant barrage of attacks today security has become a growing C-suite concern, the organizational security budget is not immune to the down market’s sweeping impact.
With tight budgets and emerging threats looming, forward-thinking CISOs are increasingly looking to the most nascent security products that are best-suited to contend with these developments. Rather than wait for the cycle of early-stage security vendors to reach maturity and for their products to achieve wide market reception – which could take years – many CISOs turn to cybersecurity startups still in stealth mode, companies that are building the next generation of agile, efficient, and innovative cybersecurity tools.
This novel approach – actively seeking vendors of products not yet on the market -- isn’t for everyone. Much like with any security strategy, there are pros and cons. Many CISOs prefer their tried-and-true legacy products for cost-effectiveness, without considering their updated needs and how their existing stack addresses them – or doesn’t. Young security startups prioritize costs, ease of use and seamless, agentless implementation much more than their predecessors and many of their products lower overhead costs by leveraging automation.
Many CISOs like that when they partner with early-stage security startups they can positively impact new products because they are in on the ground floor. They can actively advise and offer feedback, ultimately tailoring these new products to fit the most current, pressing CISO needs.
This approach does require more active involvement than just procuring a product, but for tech-forward security practitioners, this isn’t a bug, it’s a feature. They focus on giving their organization an edge by addressing the most emerging security threats and adopting nascent technologies while their competition still uses outdated, irrelevant security tools.
For these startups, when established companies engage with them they very much appreciate the professional feedback from industry experts. Most startups are open open to adapting their roadmap, they are agile, fast-moving and flexible, ultimately promising faster development cycles and optimized production value.
The security early adoption model may just be the win-win the industry should encourage during times of economic uncertainty and increasing cyberattacks. Yes, these are untested, unproven technologies without strong support mechanisms, but that’s not what security early adopters are looking for. Cutting-edge innovation comes with its risks and rewards, which every CISO must navigate through when deciding on the organization’s strategy for the future. With malicious actors actively innovating at record speed, security leaders should consider doing the same. Each CISO must decide if it's worth the risk.
Justin Somaini, partner, YL Ventures
