My background is primarily in workforce/labor analytics, so I approach far too many complex problems through a human-capital-focused lens. But as a relative newcomer to the security world, I can't help but view the major challenges/opportunities that exist as a human capital problem, not primarily a technology one.
Cybersecurity is a relatively unique industry because it combines a number of factors into a potion of complexity that is unlike other large, 21st century problems.
First - it's still relatively new. Disinformation warfare has existed for a while (I'm sure it's always existed, but was formalized in the early 1900s). But what we classify as information, or cyber, security is only ~30 years old. In other words, we've only had one generation's worth of knowledge & training to create a common lexicon of understanding.
Second - it's inextricably linked on both a macro and micro level. Security affects both countries/governmental blocs, as well as an individual consumer using his or her personal computer. People are only beginning to realize the "supply chain" nuance that exists in this industry, and how those links create multiplicative risks to the system as a whole.
Third - training is underdeveloped and unstandardized. There are over 1000 cybersecurity certifications of various degrees of quality. Colleges offer a mix of technical and non-technical four-year programs that may or may not be tied to what the industry currently needs. There is a level of technical complexity (see point four) that is required for all trainees, especially at the policy level, that isn't always there.
Fourth - there is a level of obfuscation and complexity that exists at the elite agency/company level that is extremely poorly communicated to the constituents that matter most - everyday citizens and corporations operating in the normal course of day-to-day life. I struggle to think of another industry (maybe biotech or logistics) where the general public understands so little of what is going on, what is important vs. not, etc.
Beyond its uniqueness, security is also extremely high-stakes. By all indications, the US is currently in a second "Cold War" of sorts, except instead of nuclear annihilation being the catastrophic outcome being avoided, this one is much harder to define and understand. Another big difference is the depth of the "supply chain" involved. Whereas the first Cold War was primarily "fought" through geopolitical leaders, spies and media propaganda, the current situation reaches nearly every organization and/or person. The SolarWinds/FireEye attacks in the past two weeks show that our obsession with interconnectedness (which has been lauded as a feature) may turn out to be a pretty substantial bug.
Given that difference, and the fact that humans, not tools, ultimately solve creative, nuanced problems, we think there is an opportunity to create a new kind of company. Prelude aims to accomplish two related goals, both of which I'll explain in more detail below.
Build tools that bring Intelligence-grade security to every organization by radically increasing accessibility, while decreasing cost.
Arm a new generation of human capital with training + tool augmentation to have the workforce necessary to defend organizations + countries.
Lowering The Barrier To Defense
Whether through necessity or ideal business model - the vast preponderance of security products/tools are:
Focused on Fortune 500 companies + government agencies (see points #1-3)
By definition, this boxes out 99%+ of organizations who can’t afford or don’t understand the need for critical security tools. This may have made more sense 20 years ago, when security threats were fairly low; however, it simply does not today.
While the federal government has a set of standards (NIST), the industry simply changes too quickly for a fairly static set of principles to be the guardrails that will protect organizations from chaos. Moreover, those standards are still difficult to understand, and there is uncertainty around what tools can actually accomplish some of the goals, and whether non-behemoth sized organizations can actually afford those tools.
In the same way that nearly every company was forced to become a technology company over the past 30 years, we believe the same thing has been occurring, more recently, in security. Large organizations realize this - there is a reason they have hundreds of full-time staff employed and have large technology budgets to deploy against the latest tools.
Smaller organizations, in short, have not yet made this transition. While some organizations understand that they need some form of anti-virus software, password management and multi-factor authentication, they leave much of the “security” work to abstracted third parties like Google or Amazon, through which they run their core business infrastructure.
However, as the security supply chain flattens, smaller organizations become comparably important to a national cybersecurity risk mitigation strategy.
Finding backdoors through organizations that have vendor relationships, share contractors or are linked through the same IT infrastructure is becoming much more commonplace. Therefore, it’s not enough to focus on the largest/most important institutions alone; we must adopt a much wider defensive surface area approach.
This is why we have decided to approach product-development from an individual-first perspective. We want to design for the security individuals on the ground-level of organizations, whether they be a one-person devops/IT role or a technical blue-teamer in a large organization. This has a series of product-development and business-building implications:
We will focus on open-source as a core of what we do. Building trust is incredibly important, and by building on the principle of reciprocity, we want to show our users that we value their concerns and use cases.
We will pursue a bottom-up, individual-first distribution strategy. This means having a free tier with real value and a paid tier with transparent pricing that is affordable to an individual and can scale up to the size of the organization.
We will design a product that sits within the workflow of the individual, allowing them the flexibility to customize and extend the tool to meet the unique needs of their organization.
We will design a lexicon of understanding that is accessible to all decision-makers, reducing the opaque nature of how security methods are currently communicated.
Tools -> Training
By now, people are fairly familiar with the stats. The US security industry needs another ~500k workers at the moment (https://www.cyberseek.org/heatmap.html), rising to millions in the coming years (https://www.isc2.org/News-and-Events/Press-Room/Posts/2020/11/11/ISC2-Study-Reveals-the-Cybersecurity-Workforce-Has-Grown-Globally). What these stats miss is how these workers are being trained and what knowledge/tools they are being equipped with to succeed.
Fundamentally, complex problems are human capital problems. Tools can act as aggregators, enablers and informers, but ultimately - they are augmenters to a human. We believe that at the end of the day, no set of tools can actually get close enough to the “metal” of the problem to fix or prevent catastrophic risk. This must be done by increasingly better-equipped human beings.
In practice, this breaks down into two distinct but related issues.
We need to increase the pipeline of talent to the industry, specifically with the end goal of working in the most critical/needed areas (a topic for another post)
We need to arm those workers with: a base set of knowledge to give them the foundation they need to succeed, skill development through tools that augment their ability to do their job, and the ability to continuously learn.
We need to look at the talent pipeline from a holistic perspective. Unless we are able to create a pathway from 0->1 in a scalable, repeatable way - we aren’t going to be able to create the “net new” supply that we need to meet the talent shortage that exists. But unless we are able to develop a set of accessible, individual-first tools, we won’t be able to equip those workers with the augmentation they need to protect their organization from an increasingly-complex ecosystem.
Like most innovation that has occurred in the US, if we are to sufficiently advance the security industry as a nation, it is going to be done through a reciprocal top-down + bottom-up decentralized approach. This issue, like many others, is far too complicated to be solved through a single body. Just like Shopify has radically simplified the process of starting + running a business for millions of entrepreneurs, reducing the friction of non-core functions, we must invest in tools + training that reduce friction for security workers. It is only through empowering these individual workers, reducing complexity and providing continuous learning that we can expand the aperture of who we currently defend.
It is Prelude’s vision that we will help enable this innovation. In the coming weeks, we’ll dive into more specifics around our tool(s), how we are consciously building our organization with this future in mind, and how we anticipate collaborating with the broader ecosystem.