You're told not to click on unsafe links. But you're bombarded with inscrutable URLs every day, including many from the same people who will blame you the one time you make an error.

Emails from the outside partner you work with every day have the same "dangerous outsider!" label as those from a threat actor trying to social engineer you.

You're told not to use unsanctioned tools for communicating and collaborating with outside parties. But any company-sanctioned alternatives are too locked down to be useable.

If you're a developer, you're expected to write bug-free code, even though you face unrelenting pressure to ship new capabilities continuously.

If you're a SecOps pro, you're expected to catch every threat, even though you're hit with an information firehose every day.

It's been like this for years. But I'm encouraged by how many security vendors I now see:

• Respecting the practical needs of users who must communicate and collaborate across geographic and organizational boundaries.

• Giving developers something better than boring online training modules to develop their security acumen.

• Creating security process linkages to non-security teams like developers and infrastructure ops teams who can improve security at a foundational level.

• Harnessing the power of machine learning to bring greater focus and context to threat hunting and security monitoring.

There is still a long road to travel. But it feels like we're finally starting to embrace the human element of security rather than point fingers at it.

-Doug

And it satisfies no one. Security-conscious users will be annoyed because (a) they can't use their preferred MFA approach, and (b) they understand that if someone truly wanted to take over their account, they could probably pay an insider $500 to execute a SIM swap (ask a T-Mobile customer) or attempt a smishing attack (ask a Verizon customer). Less technical users won't turn it on at all, because it's a poor user experience.

There's also a growing trend of passwordless authentication using one-time email links. This is probably more secure than just a straight login and password. It eliminates the risk that a database of customer passwords somewhere will be compromised. But this approach pushes the authentication process into one of the biggest attack surfaces out there: the email inbox.

It's also not just account access that is being authenticated with emails. One of the things that big tech companies don't talk about much is how often they turn over information about their customers to law enforcement agencies. There are many legal and legitimate reasons for them to do it. But it also isn't something that can be taken lightly from a customer privacy standpoint.

Big companies like Meta and Apple often set up secure portals for information requests. But they also take requests via – you guessed it – email. According to a recent Bloomberg article, here's how that story ends:

Apple Inc. and Meta Platforms Inc., the parent company of Facebook, provided customer data to hackers who masqueraded as law enforcement officials, according to three people with knowledge of the matter. Apple and Meta provided basic subscriber details, such as a customer’s address, phone number and IP address, in mid-2021 in response to the forged “emergency data requests.” Normally, such requests are only provided with a search warrant or subpoena signed by a judge, according to the people. However, the emergency requests don’t require a court order.

Now, it's easy to play Monday morning quarterback on stuff like this. We would probably be even more critical if law enforcement failed to prevent a school shooting because they couldn't log in to one of their 20 vendor portals – or if the tech company took too long to comply.

But at a time when we seem to be moving more in the direction of SMS and email as an authentication mechanism, we should instead be finding innovative ways to solve for strong authentication and user experience.

-Doug

It offers some conveniences. After all, that Alexa speaker way out in your garage might have an easier time connecting to your neighbor's Ring floodlight than your own WiFi router.

But features like this raise a big question. How much access to your devices and network is an IoT device manufacturer entitled to? Is it OK for Amazon to use Sidewalk to transmit logistics data from its trucks and handheld devices over your network? Could they sell an expensive IoT beacon service that allows third parties to send bits of data over a network you pay for using a device you own?

I'm picking on Amazon here, but the same questions can be asked about any IoT device. If you buy a connected car, who owns the data it generates? Can it be sold to third parties?

I'm a fan of IoT. Everything from my lightbulbs to my lawn sprinklers is connected. But I also think it's important for both companies and individuals deploying IoT devices to make sure they're actually in charge.

-Doug​

Consider this example. In August 2021, content delivery network (CDN) provider Cloudflare absorbed an IoT botnet attack that was generating 17.2 million requests per second at its peak. Kind of a lot, right?

The same botnet, known as Meris, took down Yandex (basically Russian Google) around the same time with an attack that peaked at 21.8 million requests per second.

So you might think Meris must have enlisted many different kinds of IoT devices to pack that much punch, right?

Nope.

It is primarily powered by hijacked devices from a single vendor you've probably never heard of: Latvian networking gear company MikroTik. (Meris is the Latvian word for "plague," apparently.)

And the really scary part is that MikroTik released a patch for the vulnerability Meris exploits in 2018 and has been doing active outreach to customers. But there are still a couple hundred thousand devices whose owners missed the memo.

So, this is a pretty good illustration of how narrow the margin of error is when it comes to getting IoT device security practices right.

-Doug​

How do we know that? Well, we've already seen it happen.

You may recall a day in October 2016 when it felt like a sizeable chunk of the Internet stopped working. Amazon? Nope. Slack? Nope. Netflix? Nope. Spotify? Nope. Twitter? Nope. And so on...

This was caused by IoT botnet malware known as Mirai. Mirai scans the Internet for IoT devices using default login/password combos. When it finds them, it adds them to bot armies that perform distributed denial of service (DDoS) attacks. On this particular day, a Mirai botnet was aimed at DYN, a major domain name service (DNS) provider. So even though the services mentioned above weren't directly targeted, Mirai overwhelmed the address lookup mechanisms that we all rely on to reach them, effectively rendering them useless.

The source code to Mirai was released publicly, and mutations targeting ever-increasing varieties of IoT devices continue to appear years later. And as I'll cover tomorrow, new IoT botnets are now appearing alongside the Mirai variants.

-Doug​

The number of devices that a human can use directly on a daily basis has a practical ceiling. I use four: laptop, smartphone, tablet, smartwatch.

But most individual IoT devices aren't used directly by people. They're machine-to-machine (M2M) communicators. This means that the number of them that could someday be practical for me – or an enterprise or government – to use daily is practically limitless. In the not-so-distant future, connectivity will be assumed. It will be like we think about electricity today. Can you even guess how many devices around you use electricity?

According to the Cisco Annual Internet Report, 50 percent of the world's connected devices – 14.7 billion in total – will be M2M communicators by 2023. And this share will keep growing. According to the same report, the projected compound annual growth rate (CAGR) of M2M devices is 30 percent. To put that in perspective, smartphones are in second place at 7 percent CAGR.

So why does this matter from a security perspective?

The scale of connected IoT devices means that even if most companies making and deploying them have excellent security practices, a small percentage of irresponsible actors who allow their devices to be hijacked can have a devastating impact on the rest of the connected world.

-Doug​

Why? Two big reasons:

1. Low-cost devices are required to make IoT work. When product companies need to drive costs down, it's a recipe for (a) missed hardware and software vulnerabilities and (b) low incentive to invest in post-deployment support and updates.

2. Many IoT devices are aimed at consumers. As with things like social media, we're being drawn into many opportunities for fun and convenience that will likely bring along personal privacy hangovers later.

-Doug​

The short version:

• Amazon is responsible for security of the cloud.

• The customer is responsible for security in the cloud.

AWS has cloud-native security features to help with this. But it's kind of on the customer to figure out how to best apply them alongside the rest of their security stack.

This is a fairly defensible way to approach things. But I do think it opens up opportunities for other cloud players to do more to show customers the way.

Google is making an interesting play on this front. I was a bit dismissive when they first announced their Siemplicity acquisition. But now that they've dropped another $5.4 billion on Mandiant, there's a clear story coming into focus.

They now have:

• A substantive vision around Zero Trust and proactive risk mitigation.

• The combined capabilities of their Chronicle offering and Siemplicity to help customers detect threats and execute sophisticated response playbooks.

• A premium set of research, advisory, and response services from Mandiant that also sets them up to be a leading industry voice and resource when large-scale security incidents break.

These are still disparate pieces that need to come together more cohesively. But if they can bring it together into a more prescriptive cloud security blueprint – backed by cloud-native tools and experts on demand – it will be a compelling point of differentiation.

-Doug​

1. The ring-leader of Lapsus$ is reportedly a teenager from the UK. 😲

2. Their techniques are very low-tech and focused on social engineering and bribery of insiders and supply chain partners, according to Microsoft (who, as you have heard, was also breached by Lapsus$).

3. In an open letter to Okta, Tenable CEO Amit Yoran provides an even better example of the power of competence + transparency than the one I offered yesterday:

Trust is built on transparency and corporate responsibility, and demands both. I’ve been in the space long enough to know that security is imperfect. Even Mandiant was breached. But they had the fortitude and competence to provide as much detail as they could. And they remain one of the most trusted brands in security as a result.

-Doug​

But rather than piling on with criticism of Okta's response, take a master class in supply chain security crisis response from Cloudflare. A major security vendor in their own right, Cloudflare was one of the Okta customers whose information was visible in the screenshots shared by the Lapsus$ hacking group.

Even as their own incident response was unfolding, Cloudflare CEO Matthew Prince was out with an initial Tweet acknowledging the issue at 1:38 a.m. Eastern time. By early yesterday afternoon, there was a blog post up with a down-to-the-minute account of Cloudflare's response activities, initial findings, and next steps.

During a crisis, there's a natural tendency to wait until you have all of the answers to communicate. But putting your competence on display early – even if you're working with imperfect information – is the best way to build trust.

-Doug​

In addition to the challenge of extending security across company boundaries, supply chain security is complicated by the fact that it comes in many different flavors.

I can think of at least four:

1. Software vulnerabilities: Does third-party software I use to build my products or run my business have vulnerabilities? (Think SolarWinds and Log4Shell.)

2. Hardware vulnerabilities: Does my product include third-party hardware that has hidden vulnerabilities? (Think Spectre and Meltdown.)

3. Platform provider compromises: If one of my cloud or SaaS providers is breached, will my sensitive data be compromised? (Think Okta today and Hubspot a few days ago.)

4. Partner infrastructure compromises: If a supply chain partner is breached, will it provide a possible entry point into my infrastructure? (Think infamous Target breach that originated with a small HVAC vendor.)

In short, digital supply chain security is a complex problem that nearly all security buyers now face. And there's lots of evidence that it can't be ignored.

-Doug​

What does it actually mean?

These days, nearly every technology product or service is built through collaboration across multiple companies. So securing them effectively requires tools and practices that extend across organizational boundaries. And guess what: this doesn't happen very much.

Why is it interesting?

1. Two of the most catastrophic security incidents of the last several years, SolarWinds and Log4Shell, were supply chain attacks.

2. Managing security across organizational silos within a single company is hard enough. Coordinating across companies takes the degree of difficulty much higher.

3. We're already getting clobbered on software supply chain attacks alone. But as I'll dive deeper into tomorrow, this is just one of several possible supply chain attack vectors.

-Doug​

Here are some of the areas of security that I'm thinking about the most right now:

• Securing the digital supply chain

• The evolution of cloud-native security

• Internet of Things (IoT) security

• The human element of security

• Securing web3 and blockchain

I'll take them one by one this week and share some quick thoughts on why I think they're interesting.

Which security trends or topics are on your mind right now?

-Doug​

The general premise is that the best way for a startup to get attention – especially while the product is still taking shape – is to make the founder's ideas and personal brand the focal point and go direct to your audience through channels like social media and podcasts.

I love the idea of replacing outdated B2B marketing rituals with a more human approach. I also think it's a great way to build buzz during the early days without resorting to pitching vaporware.

But the idea of making the story too much about one person resonates with me less. If you have (or if you are) a founder who was born to operate in this way, by all means, use that to your advantage. But I've also met many highly effective founders who aren't well-suited to this role.

In my mind, these concepts become even more powerful when you make them part of your broader culture and empower people to lean into their strengths.

-Doug​

I like to think of positioning at different stages of the startup journey like setting the aperture on a camera lens. The scene that you're photographing – in this case, your company's long-term vision – doesn't change. But how much you choose to bring into focus for the viewer at different stages of your company's journey can.

-Doug​

So what is a narrative?

Simply stated, it's a story about your buyer that helps them understand how their life will be different with your company in it. Depending on your positioning style, you might employ one of two types of narratives:

• A "strategic narrative" that lives at the top of your positioning hierarchy and frames a major industry shift.

• One or more "sales narratives" that sit beneath your overall positioning and speak to specific buyer pain points – and your unique point of view about them.

For most cybersecurity startups, I recommend the latter. Major shifts in the security landscape are very real. But it's very difficult for security startups to stake an exclusive claim to them. Plus, most security buyers evolve their security strategies in iterative steps.

-Doug​

I don't think an old-school "fill in the blanks" positioning statement provides much value. Choosing from the other two options really comes down to your category definition approach.

If you're trying to define a new category – or radically redefine an existing one – I think the Andy Raskin-style "strategic narrative" approach is a great way to go.

But as I noted in an earlier email, most security startups probably shouldn't try to define a new category. That's why I think the April Dunford-style positioning canvas is the ideal approach for most.

This approach keeps you focused on specific buyer pain points and forces your leadership team to eliminate ambiguity in your strategy. At the same time, the document remains high-level enough that it doesn't become a "boil the ocean" exercise.

-Doug​

1. Positioning Statement

In "Crossing the Chasm," Geoffrey Moore shared one of the most commonly used positioning statement templates:

For (target customer) who (statement of the need or opportunity), the (product name) is a (product category) that (statement of key benefit – that is, compelling reason to buy). Unlike (primary competitive alternative), our product (statement of primary differentiation)."

2. Positioning Document

Trying to force your positioning into a pre-defined statement like the one above can be kind of annoying and unhelpful. In her book "Obviously Awesome," April Dunford does an excellent job of articulating why:

One of my biggest complaints about the positioning statement was that the statement itself was too brief to communicate the subtleties of a product's position, and at the same time too contrived and awkward to be memorized or repeated.

She provides an alternative in the form of a "positioning canvas" document that is still very concise but focuses on key elements of positioning that matter – like category, alternatives, unique value, etc.

3. A Sales Deck That Does the Job

Finally, one emerging trend promoted by smart people like Andy Raskin is to lean on your sales deck as the definitive home of your company's positioning. In fact, he takes it a step further and advocates thinking about the story as the master articulation of your company strategy. In other words, don't get hung up on positioning documents that no one will ever look at. Nail the strategic narrative, get the whole company aligned, and live it every day.

-Doug​

While I'm a bit biased, I think product marketing should lead the effort. But it requires involvement from all aspects of the business.

Why?

• Your founder and/or CEO knows more than anyone about your company's strategy.

• Sales knows more than anyone about the alternatives prospects are considering – and how any existing positioning is landing.

• Marketing has data about whether leads are converting and advancing – and within which customer segments.

• Product knows more than anyone about what makes your product unique.

• Customer success knows more than anyone whether your product is living up to the expectations your positioning sets.

-Doug​

​

​

• Difficulty generating leads

• Prospects don't get it

• Prospects mistake it for something it's not

• Prospects get it but don't see the value

• Prospects get it, see the value, but don't see it as a priority

The key to curing these symptoms is finding the intersection of what your company is good at, why, and who cares about these things the most.

That's positioning.

-Doug​