
The Future of Security: Transparency and Affordability

If you’re tired of cybersecurity being a black box (lacking in transparency) and inaccessible for small and medium-sized businesses, you’ve come to the right place. 

We had the pleasure of speaking about these current dire issues in the industry with Kevin Qiu, Director of Information Security at SafeBase. Kevin has been in security for seven years: he has worked in cybersecurity and privacy consulting at PwC, built out the security department at SeatGeek from the ground up, and is the Founder of TechEx, a coalition of security experts who establish security programs for businesses. 

Much like what Fletch has in store for the future, Kevin anticipates that cybersecurity startups have the opportunity to change the status quo around cybersecurity transparency and affordability (or lack thereof). Affordable, accessible technologies are underway, and overcharged, antiquated systems will soon be a thing of the past. 

Grant: Hey everyone, it’s Grant. Today I have a really cool guest. I have Kevin Qiu, Director of Information Security at a new company, SafeBase. Kevin's joining us today from New York City, and we're going to talk about the problem of transparency in cybersecurity, how the industry is very black-box, and how that needs to change. 

Kevin, do you want to take a minute or so to introduce yourself to everybody and talk about your background?

Kevin: Yeah, hey, everyone, my name is Kevin. Like Grant said, Director of Infosec at SafeBase. I've been in security for about seven years now. Started out in consulting with one of the big four companies working with banks on compliance prep, then moved on to security engineering at Jet.com. I got us through a huge acquisition we had with Walmart. After that, I went to a company called SeatGeek and I started the security program there, just as they were onboarding a whole bunch of big sports teams. After that, I did consulting a little bit. Now I am on the vendor side, as Director of Infosec at SafeBase, where I do internal security and customer success. I also have a role to play in developing the product as a security subject matter expert.

Grant: Awesome. I remember some of our chats before this, that part of why you took that job is because of the transparency issues in cybersecurity. So let's talk about this black box that’s been in cybersecurity for so many years and go back in time, to your days at the consulting firms. 

Why do you think [the black-box approach] is a problem? What do you think needs to change [in cybersecurity]? 

Kevin: I think one of the big problems is the way security used to be viewed. It was something where people thought if you reveal too much information, it would allow people from the outside to have easier access into your network or to exploit your employees and things like that. And this is why we have this problem of these gigantic security questionnaires that I'm sure everyone loves, right? So you have these customers that want to buy products. And then at the end of an RFP, their IT or security team sends the vendor sometimes 100 questions, sometimes 1000, and one of the reasons is that CISOs kind of created this problem for themselves. Historically, they never really wanted to share a whole lot of information about what they're doing with other people. And so, as a result, now that we have really public breaches, like SolarWinds, I know everyone hates hearing about that, and it's beaten to death, but this is becoming something that's reaching mainstream news for the first time in a while, right? And so there was Equifax. But really, after Equifax, not a whole lot changed, but now we're starting to see Joe Biden and the White House starting this executive Review Board for future critical infrastructure attacks, right? And I think it's because it's just an old mindset. And people weren't used to saying, hey, this is my security program. I'm really proud of it. This is exactly what we do. I have nothing to hide, right? And that's why I think a lot of the older companies act like that. This has been the status quo. Thinking back to 10 years ago, SOC2 just started becoming a thing. Before that, there was nothing, right? It was kind of the first way for people to share a standardized set of information security materials with someone. And even then, the SOC2 was required to be shared only under NDA by design. So until the CAIQ was formed and the Vendor Security Alliance Questionnaire was formed, there was no organization pushing openness and transparency. And the industry hasn't caught up to this mindset yet.

Grant: Yeah, I couldn't agree with you more. So this has made for a lot of products that follow this like, well, if it's going to be clandestine and our products will be clandestine, you don't even know how these products work or how they come up with their risk scoring or anything like that. And I go back to my start in cybersecurity; you bring me back to 2015. I started trying to automate a lot of manual labor and be very transparent with the natural language and machine learning. But that was just the tip of the iceberg. And it's what we need to do to start bringing about much more clarity and how things are accomplished. Put the human in it, make this actually human so non-super technical can invest, the person in the corner can understand it so the business can understand it. Because it’s becoming a business need, you know what I mean?

So, in your opinion, how can third-party risk be improved? How can cybersecurity tools be made better? If you think of all the tools you've used through the years, what can we do to give more transparency so leadership can understand what the cybersecurity team is doing? And so that the cybersecurity team can collaborate more with the organization. And should it cost a lot less?

Kevin: Yeah, so lots of things I can share about that. I saw a really interesting post on LinkedIn the other day, and someone in sales said he'd lost a deal to some credit union because the cost of his product was too high. And the way he framed it was, this credit union wasn't willing to spend 50 cents per user on cybersecurity. This would have been their first investment in a cybersecurity product. And I think that salespeople don't really frame it that way often, right? And if you think about it, 50 cents per user to reduce the amount of fraud calls that they get, you know, like an additional way to say, hey, we actually protect you as our customer because we have this tool. They're not willing to spend 50 cents per user because they see their cost as $10,000, $20,000, or $30,000. So that's something that I think more sales folks should try adopting because that changes the frame from this one-time purchase to a recurring thing that we're spending on our users. And it's actually very low when you think about it.
Grant: Really well said. And it's really interesting. Because now more and more companies need to be thinking about cybersecurity. And when you phrase it in terms of business risks, when you phrase it in terms of actually running the business, instead of in terms of, well, this is a cybersecurity tool that costs tens of thousands of dollars or hundreds of thousands of dollars. Either talk about value like you just said, or we can talk about this thing, this big black box that does something. And so yes, changing that conversation with the sales folks is really important. Especially when small and medium-sized businesses now need to be buying this stuff, and they're not going to pay tens of thousands of dollars. They can't. It just doesn't fit their business model.

Kevin: That's another issue that I've seen with vendors that have been in security for a while. When I was still consulting, there was one company I was working with, they were about 15 to 20 people, and I wanted to buy one of the big EDR solutions because they had just had some ransomware issues, and I thought, okay, let's get something basic in place so that it will catch the really obvious stuff. And I started talking to a bunch of vendors, and all of them said our minimum buy-in is 100 endpoints per year. And so this raises the question of, well, if there's a company that has fewer than 100 employees, let's say far fewer, like 20, what are they supposed to do? Are they supposed to just buy consumer-grade? And usually, the answer is yes. And so you end up getting these consumer-grade tools that maybe don't have a centralized dashboard, aren't as effective, and you don't get support. And so these guys are kind of left behind, right, because the big-name tools that you see - the RSA, and all that - they don't even want to sell to these SMB folks, and there is that humongous gap. And I think that part of it is, people don't see them as high ACV because the contract will be for a small amount. But at the same time, these organizations are getting attacked just as much, and I think there is an opportunity for newer startups to say we will protect any organization of any size. And huge contracts aren't what we're going after; we want to just protect people. And there needs to be more of that.

Grant: I couldn't have said it better myself. I mean, in a world where 48% or something, 50%, of all cyber attacks now target small to medium-sized businesses because they know they can't defend themselves as well. They have the out-of-the-box Microsoft thing or the out-of-the-box Google thing, and okay, that's a start. But let's make things that solve the risk for them. Let's do things and tell them if this stuff in the news affects them. Let’s do things to have them see their population. This shouldn't be so difficult, but yet we've built a model over the last couple of years, and well, there are lots of big companies out there that this model caters to. So yeah, this does have to change right now. A lot of democratization needs to happen. 

If you think about the future of the industry, do you have a lot of hope for where it's going? Do you see a lot of small startups, like you, like us at Fletch, do you see a lot of small startups doing really different things? 

Kevin: I think so, yeah. With the SaaS model, right, it gives us an opportunity to make this less of an issue. Whereas in the past, everything was on-prem, you would need a whole team to install appliances. But these days, most SaaS tools are built to be self-serve, for the most part. You can sign up for a free trial and get started. And I think that once these vendors understand that this is how things are, there'll be less of that minimum requirement, right? And honestly, if a deal doesn't require a salesperson, why would you have a minimum? Let the company grow with you. So we're starting to see a lot of successful companies that are growing because they adopted that mindset. Snyk is a great example. For those that aren't familiar with Snyk, it's a really good tool. It's used to tell you if your open source dependencies are out of date. They've always had a free plan from the very beginning. And so what they were going for was, hey, use our free plan, it's a bit limited, but if you're small, it should be good enough for you. And the idea is, if your product is good enough, it'll be sticky, users will want to stay with you. And when they get their funding, and they get bigger, they'll pay you. And they'll pay you a lot because they probably love your product, and they don't want to move off of it.

Another good example of how SaaS is starting to change things is vulnerability scanning, right? So these days, with remote work, not everyone is connected to an internal network anymore. So before, Nessus was kind of the gold standard of vulnerability scanning. You set up a Nessus instance in your network, and you put in an IP range, and it would scan. But now we see tenable.io, where you can install an agent on any host, and all it needs is an internet connection. And now you can do your scans, right? You don't need to have that traditional model anymore. And so if we see more of these non-network-focused and more individual-endpoint-focused SaaS solutions, where the centralized dashboard can be just a website that an IT admin can access at home, instead of being run from a local web server, we're going to start seeing more of these tools be available to the SMBs.

Grant: All right, Kevin. So to wrap things up, we talked a lot about the various parts of security. But as the world moves into the future, let's talk about tangible security means. 

What can organizations, especially small to medium-sized businesses, do to secure themselves and have better peace of mind to sleep at night?

Kevin: I think it boils down to going back to the business. At the end of the day, if a company wants to do something, it has to support the business's goal of making more money, right, whether you like that or not. We're starting to see people realize that security is a sales enabler and can help you sell products faster, more quickly, and more efficiently. People are actually declining vendor fees because security isn't up to standard. And so until we start tying security to the dollars, people aren't going to take it seriously. Once leadership starts to really understand it, that's when we're going to see a real investment in security, not just in terms of dollars, but in terms of culture, mindset, and willingness to listen to the chief security officer and not just make him the scapegoat. That's kind of how I see it.

Grant: Love it, Kevin. That's well said. Thank you so much for being with me today. It's been a lot of fun to have you on, Kevin, and I'll see you soon, my friend.

Kevin: Thanks for having me.