Security for the other 99 percent

· 3 MIN READ · DAVE MERKEL · APR 10, 2018 · TAGS: Announcement / Company news / Mission

Every time I read the words “RedThreatStormDoom, the market leading provider of cybersecurity next-gen whatnots, announced it has secured seventy-flabillion dollars in series Q financing …” I jump for joy. The thought of more widgets for massive security organizations that can create yet more categories of spend in their ever expanding budgets warms the cockles of my heart (which are technically the ventricles).

OK, no, it actually doesn’t warm anything. I sort of sigh in exasperation. Y’see, while there is great innovation coming from entrepreneurs, it’s frequently focused on solving problems for elite security organizations – or at the very least elite security spenders. Security “one-percenters,” if you will. Maybe that’s too cynical. But the reality is that much of the innovation coming out of security vendors today can only be effectively employed by security one-percenters, regardless of how much the vendor thinks everyone should (or can) use their product.

Why is that? Two primary reasons: budget realities and people.

First, security budgets are finite. Unless you’re a top-tier bank it’s unlikely your spend is increasing every year. You probably don’t buy one of everything. And even if you do, it’s highly unlikely you’ve got the people you’d need to get the value out of all those widgets. People are expensive – whether you’re talking salaries or the opportunity cost of keeping them happy or dealing with the times you fail to keep them happy. And if you’re looking to have 24×7 operations you can multiply that expense yet again.

“But what about the AIs?” you might ask. “Aren’t they supposed to get those pesky humans out of the loop?” Well sure … but only if you embed them in a blockchain. And name your company blockchain.ai. THEN you might be on to something. (How sad is it that I just typed “blockchain.ai” into my browser to make sure it wasn’t a thing because in this day and age you can’t be sure?).

OK, fine, let’s actually deal with that. What about the AIs? A variety of advances in computer science, including AI, machine learning techniques, etc., can help us. But it’s not going to eliminate people any time soon. Improvements that come from the AIs and MLs will increasingly augment the human decision maker. Ergo, my prior comments regarding one-percenters and the expense of keeping the brains in the loop happy.

With that overlong preamble, I’m pleased to announce Expel, the nowhere-near-market-leading (yet … because we’re a 20 month old start-up) provider of transparent managed security has secured $20 million in series B financing, led by Scale Venture Partners, and joined by all of our existing (and fantastic) supporters at Battery Ventures, Greycroft, Lightbank, NEA, Paladin Capital Group and Profile Capital Management.

Why am I pleased? Because increasingly we’re finding people of like mind that agree with our view of the world: the biggest gap in the information security market isn’t a lack of interesting, innovative technology to generate security signal in your (endpoint, network, cloud) infrastructure. It’s an inability to turn that into something you can action at a realistic, predictable cost. Hiring your way out of the problem isn’t going to work for most organizations, and you can’t buy a magic AI-in-a-box to make the problem go away.

So what are the other 99 percent supposed to do? The logical answer is “go get yourself a managed security service provider (MSSP).” But we think that market’s in flux. On one hand you have the legacy MSSP providers, long in the tooth, mired in old technologies and processes, slogging through alerts with hordes of analysts stacked up like a cord of wood in a SOC. On the other hand, you’ve got niche managed offerings – often referred to as managed detection and response (MDR) – focused on specific managed security use cases and technologies. While some of these solutions provide value, they still operate as a black box. It’s hard to know what’s happening behind the curtain (in their SOC). Nobody is going after the whole solution and no one is using your existing security investments to provide a transparent managed offering that delivers answers … not just alerts. Here at Expel we’re trying to fix that. And this new investment will help us do it a bit faster.

Now, in the spirit of ending with an “executable” – something you can go away and do without writing a check – take a look at this post from our CISO, Bruce Potter (we say it “SEE-so,” mostly to annoy Bruce). It shows how you can use the NIST Cybersecurity Framework to evaluate and visualize where you’re at and where you want your security program to go. It includes some tips and a self-scoring Excel spreadsheet that lets you use the NIST CSF in a common sense way. It also speaks to what Expel provides in a CSF context. If you’re thinking to yourself “that’s nice you got funding and all, but what specific impact will you have on my environment” this provides the answer.

Expel self-scoring tool for NIST CSF