This week I was lucky enough to interview Jay Kaplan, the cofounder and CEO of Synack. Synack provides a SaaS platform for bug bounty programs (consultants get paid when they find vulnerabilities) for companies, only Synack doesn’t use your average hackers; they’ve hired their own “red team” of security contractors with significant experience in the cybersecurity space (they accept only 10% of those who apply to be contractors). Synack is a big name in the cybersecurity space and has received $35mm in funding from top firms such as KPCB, Google Ventures and Greylock. Check out the awesome interview below!
I read recently that companies are still spending twice as much on security services as they are on security products. You’ve mentioned that bug bounty programs are one place where machines can’t yet replace humans; are there any other major areas where this is true? Do you see this balance shifting further towards security products in the near future?
Security products play an important role in helping organizations scale their security unilaterally across the enterprise; however, in specific areas of cyber security these products unfortunately fall short. Automating attacks, for example, is a complex and largely signature-based solution — the problem is that attackers are constantly getting smarter and have a fundamentally better understanding of the target environment. It is in situations like this that leveraging a human component is critical.
At Synack you have to convince companies to trust your security consultants. Do you see any shift in attitude in how protective companies are over their security posture? Given your unique vantage point, how likely are companies to divulge threat information to the government via Obama’s initiative?
Companies are always looking for an advantage that gives them a leg up on the adversary. I think there is absolutely an attitude shift; a few years ago, the vast majority of corporations would never share threat data, let alone open up their environments to a broader global community. Today, the realization that companies are getting attacked every single day is there — solutions like Synack give these organizations an adversarial perspective without the risk.
Your value-add at Synack relies on the Synack “Red Team,” an elite group of security researchers who collaborate to find vulnerabilities for major organizations. Given that there are only so many elite security researchers, how scalable is this model? Is the scalable aspect actually your platform for vulnerability crowdsourcing?
Being able to leverage a global talent pool is a key scaling advantage over traditional consultancies. At the same time, Synack’s platform plays a supporting role.
You’ve received funding from some of the top venture investors in the Valley; how did you differentiate Synack from the plethora of other cybersecurity companies out there? What do you think caught their eye?
Synack brings a unique approach to one of the most important cyber security challenges out there; VCs are constantly on the lookout for disruptive solutions developed by teams with real domain experience. What we are doing at Synack has tremendously high efficacy and is making a real difference for our enterprise customer base.
The News:
- Firms are shifting their spending from endpoint protection (think antivirus) to endpoint detection and response, or EDR (think Tanium). EDR spending now represents just 23% of security budgets, but IT professionals expect their companies to increase this number to around 40% in two years. Although 70% of companies outsource breach response and remediation, they would prefer to perform this function in-house. Look for this 70% number to drop as EDR tools gain traction.
Cyphort Raises a $30mm Series C
- Cyphort is a next-gen anti-malware protection platform. The funding comes from Matrix Partners, Sapphire Ventures, and Foundation Capital.
A History of Internet Security
- The Washington Post takes a look at how the security of the internet has evolved since 1960, including how the NSA blocked a 1970s attempt at TCP/IP encryption.
The US Tried to Stuxnet North Korea’s Nuclear Program
- Fascinating account of how the U.S. tried to infect North Korean computers with a cyber weapon to thwart their nuclear program.
Antivirus Firm Avast Mulls Acquisitions, Listing Amid Expansion Plans
- With 70% EBITDA margins (that’s not a typo) on $217mm of revenue last year, Avast is considering an IPO in the near future.
Three Reasons Why the Costs for Companies That Are Breached Keep Rising
- Reputational damage is increasing
- Attacks are messier to clean up
- Due to increasing demand, incident response and forensics are costlier
Who’s Taking the Blame for Data Breaches?
- More than 40% of corporate directors believe it should be the CEO.