The CISO’s role in advancing innovation in cybersecurity – Source: www.csoonline.com

Source: www.csoonline.com – Author:

Collaborating with startups, acting as advisors and supporting innovators are some of the ways security leaders can play their part in fostering innovation in cybersecurity.

Cybersecurity leaders have an advantage when it comes to innovation given their front seat facing new and old threats. That is why many CISOs are playing an active role in shaping emerging solutions, which also gives them a clear understanding of where current solutions fall short.

“CISOs can play a part in supporting innovation by shaping solutions that address these gaps,” says Shahar Maor, Fullpath CISO, who’s engaged with numerous startups to explore emerging technologies, co-develop features, and test products in real-world scenarios.

While the rewards can be significant, there are some ground rules. CISOs must know the risks of adopting untested solutions, keeping in mind their organization’s priorities and learning how to evaluate new tools and technologies. “We also ensure both parties have clear, shared goals from the start, so we avoid misunderstandings and set everyone up for success,” Maor tells CSO.

Nonetheless, helping drive innovation can lead to advancements in new security solutions and help CISOs in protecting their organization.

Partnering with startups

With threats evolving every day, organizations are finding that many existing solutions fall short, according to Nicole Perlroth, managing partner of Silver Buckshot Ventures, author and former cybersecurity journalist with The New York Times. This creates more of an appetite to partner with startups because they see potential in gaining access to tailored solutions. “Startups are looking at novel ways to address threats because clearly the old approaches aren’t stopping the attacks that are coming in every day,” she says.

When an organization is concerned about a particular problem, it may consider fresh solutions from startups. Organizations or their cybersecurity leaders might engage early to ensure new tools deliver value by having a hand in shaping how the solution comes into the market.

“A new cybersecurity startup may come out of stealth, announce it has a new solution and then we’ll see it partner with a Fortune 500 company so that whatever they’re building fits perfectly into their environment,” Perlroth tells CSO.

In Maor’s case, he’s partnered with numerous startups for new or bespoke tools, but these are far more than just one-off arrangements. It’s a core part of their remit. Maor and his team make it a priority to carve out time to meet with founders, hear their pitches, and understand their ideas about new and emerging security tools.

Collaborations include pilot programs to test new tools in controlled environments and formalized partnerships with certain startups. It helps the startups refine their products and allows Maor’s team to see how the solutions fit into the organization’s existing ecosystem. “When a new feature becomes available for beta testing, we have the opportunity to use it, gain early access, and provide valuable feedback to the vendor,” Maor says.

At the outset, cost and organizational fit are key considerations. Having the scope to be involved at this early stage and shape the development of the solution is vital. “Startups often build products and assumptions based on their initial knowledge, but these are tested and refined when their product is deployed in real-world scenarios,” he says.

Maor has found in some cases, startups are so innovative they need to first educate the market — their potential customers — about what they’re providing and why it’s important, if not now, then down the track. It also gives Maor valuable foresight into emerging or prospective problems. “They might offer solutions to problems we’re not yet aware of or that aren’t currently relevant to our organization,” he says.

While collaborating with startups offers the promise of new and novel solutions, Maor sounds a note of caution about putting all the eggs in one basket too soon. A prudent approach means paying particular attention to the level of funding of startups and emerging players because it indicates the future viability as a sustainable business. “There is always a chance they might not succeed. That is why we’re careful about where we invest our time and budget,” Maor says.

These projects can also demand significant resources from the security team, which in many cases is already stretched, creating competing priorities. The goal is to balance startup engagement with core responsibilities, while ensuring startups meet the grade required to offer value in the organization’s toolkit. “Some startups may not yet meet the security standards we require, so thorough vetting is essential,” he says.

CISOs engaging through accelerators, incubators and as advisors

Accelerator and incubator programs help support early-stage ventures and security leaders can often participate by providing industry connections for founders, acting as pitch judges on emerging tools and mentoring founders to help steer them towards commercialization.

Through these programs, supporters and potential investors may reach out to CISOs to help evaluate a potential investment and assess if a startup is tackling a high-priority industry problem. “Security leaders can offer that input and additional perspective needed to fully evaluate a startup,” says Ross Haleliuk, author of Cyber for Builders and startup advisor.

In other cases, CISOs may act as advisors to startups, earning ‘sweat’ equity for their time and efforts in helping with product feedback, go-to-market strategy, and introductions to other investors, industry partners and even potential customers. This provides valuable insights and support for founders and helps CISOs make time they might otherwise struggle to allocate to new innovations.

CISOs are often on the receiving end of pitch decks and outreach phone calls requesting meetings and opportunities but these can be easily dismissed amid the daily demands of securing the organization.

In larger organizations, CISOs may have more scope to dedicate time to hearing pitches and provide feedback and allocate budget to test-drive new, emerging solutions. A lot of it will depend on the nature of the new security tool. “If the startup is solving a problem the CISO cares about, they might take the call, but they need to be the type of security leader who’s an early adopter of technology,” Haleliuk says.

In some cases, CISOs may also learn more about certain security issues through startup outreach. “A good number of security leaders will take a call from a startup to educate themselves about a new problem it’s working to solve,” he says.

Advising venture capital firms and CISO-led funding groups

It’s a golden era of cybersecurity innovation driven by emerging cybersecurity threats, but it’s a tale of two companies, according to Perlroth. AI is attracting significant amounts of funding while it’s harder for many other types of startups.

Cybersecurity companies continue to get a lot of interest from venture capital (VC) firms, although she’s seeing founders themselves eschewing big general funds in favor of funds and investors with industry knowledge. “Startup founders frequently want to work with venture capitalists who have some kind of specific value add or cyber expertise,” says Perlroth.

In this environment, there’s more potential for CISOs to be involved and those with an appetite for the business side of cyber innovation can look for opportunities to advise and invest in new businesses.

Cyber-focused venture capital (VC) firms often engage CISOs to participate in advisory panels and assist with due diligence when vetting startups, according to Haleliuk. In other cases, private investment clubs or investment syndicates offer CISOs and other security leaders an opportunity to directly support new players. The criteria vary, but CISOs usually need to have their own investment capital to join investment syndicates.

For CISOs going down this path, Haleliuk says it’s always important to look at funding sources for the fledgling business, undertake due diligence, including on the founders themselves, and take time to test potential solutions.

He believes that when security leaders come together with passionate problem-solving founders, real innovation in security is possible. “The winning combination is the passion and energy of entrepreneurs looking to solve problems and the expertise and perspective of security practitioners.”

Other ways to drive innovation

Beyond financial and sweat investment, CISOs have other avenues to support cybersecurity innovation. Being open and sharing learnings and recommendations within your CISO network helps make new approaches and ideas accessible to the entire industry, says Haleliuk.

CISOs can also take a role in developing best practices through industry-level discussions such as speaking at conferences to help educate others about cybersecurity challenges.

Supporting new protocols or solutions in becoming industry standards helps them become more widely adopted by organizations.

Haleliuk says there’s an argument for CISOs to share in-house solutions and approaches to help the broader industry. “Some security teams build their own tools and can consider open-sourcing them to contribute to the industry,” he says.

CISOs can tap into academic research to discover new, innovative solutions that may benefit from industry support, according to Ben Halpert, CSO at the Cyber Health Company and founder and CEO of CISO Horizon. “Academia, especially universities that specialize in cybersecurity, is a good place to access new research because that research can turn into a startup that will serve the industry,” Halpert says.

To evaluate new solutions and potential businesses, CISOs may need to learn the art of innovation appraisal, including knowing what questions to ask, quickly getting a handle on new technologies and assessing their viability in the industry. “It takes experience and the more you do it, the more comfortable you become and the more nuanced your questions can be as you’re evaluating potential solutions,” he says.

With long sales cycles of up to two years in large enterprises, there are many steps cybersecurity providers have to go through for procurement and onboarding. CISOs need to assess new tools to ensure funding and business viability over this timeframe.

Halpert believes CISOs are well placed to drive innovation in cybersecurity, thanks to their unique understanding of both technical and business demands of organizations today and where security solutions fit within that landscape. “Threats come in many forms and there are a lot of things CISOs need to consider, but they love to look at the big picture and how to help a business achieve its business objectives within that.”


Original Post url: https://www.csoonline.com/article/3807110/the-cisos-role-in-advancing-innovation-in-cybersecurity.html

Category & Tags: CSO and CISO, Security, Startups
