Can CISOs reduce risk by working with start-ups?


December 2016

Today's cyber risk for big companies may actually be magnified by their reluctance to complement their traditional security partners with cybersecurity solutions from startups.

Indeed, big companies have an inclination to entrust cybersecurity to mature companies in the space selling cybersecurity solution packages. They’re proven, tested, and safe. But they’re also products of big bureaucracies. Your company is big too — so how fast does your organization move and adapt?

Exploring other options

The threat of cyberattack comes from all angles and is ever-evolving. Any mature chief information security officer knows this. The big cybersecurity firms are very good at what they do, no question. Their offerings are highly refined, robustly developed, and come with implementation support. They have the resources to constantly update their product and are largely effective. The argument here is not that these companies don’t have a substantial role to play. It’s that they just don’t have the only one. The effective CISO needs to build a roster of cybersecurity measures that run the gamut, minimizing risk on the whole and focusing on capabilities specific to their use case.

The cybersecurity options from mature providers are built by large-scale teams. These companies dominate the thought leadership space in cybersecurity and establish big profiles at conferences about the issue. But not all of these companies are agile enough to close all the functionality gaps — and that could potentially leave some customers vulnerable. Their current solutions can’t meet all needs all the time.

So when it comes to innovation around new solutions, the CISO is becoming a leader. Where his or her job was once buried at the bottom of an organization, the CISO is now the consumer and buyer of cybersecurity solutions. As a result, CISOs are at the nexus of decision-making regarding big-dollar investments. They know that for their businesses to remain agile and secure as they move to the cloud and orchestrate their many systems, they must find new ways to innovate. This may include partnering with the venture capital community to find and fund the cybersecurity advances that could fill CISOs’ system functionality gaps and address emerging risks.

Why this could work

Partnering like this could be mutually beneficial for both CISO and VC. While the CISO needs cutting-edge cybersecurity, the VC and the startups they back need actively engaged CISOs who are ready to advise on and experiment with new technologies and solutions. The CISO can influence the direction of security development to better close his or her company's business-critical gaps and help validate new efforts. For this to work, the organization's risk tolerance must be calibrated to allow working with smaller, unproven startups that may represent the future of the cybersecurity marketplace.

This is an investment of time and money for the CISO and his or her company — but with a potential return on investment that could be almost immediate. In fact, here are a few possible good outcomes:

  • This approach could help inform and validate a security strategy specific to the CISO's organization. Diversifying solutions is, in essence, its own mitigation strategy against constantly changing risk parameters.
  • As the steady stream of acquisitions of cybersecurity startups shows, this space is ripe with good investments. Because established companies are buying these startups, a CISO who engages early can help shape a product at a lower price than if they waited to buy it post-acquisition; once a product is proven and owned by a mature vendor, it commands a premium price.
  • By being an early investor, a CISO could also influence the direction of the product toward their own needs. The CISO in effect becomes part of the conversation as VCs decide which capabilities to fund in their next round of investments.

There really is no single answer. Any given company’s cybersecurity solution is a combination of products, services, and providers. It’s the CISO’s job to build this balanced security strategy — and thus it is incumbent upon them to stay informed by remaining abreast of the industry, attending conferences, and engaging across the sector. The easy route of buying solutions only from mature companies presents less obvious risk and less heavy lifting for the CISO. They have fewer questions to answer internally, as name brands inspire confidence. As a result, they are not incentivized to pursue cutting-edge solutions. Yet those mature solutions are an incomplete approach, creating risks of their own.

Promoting trust in the right choices over time may result in a better, less risky balance of cybersecurity measures from vendors, both mature and startup. Pursuing that ecosystem, which is more art than science, is the CISO’s most critical role in today’s dynamic and changing threat landscape.


James Shira

US and Global Chief Information and Technology Officer, PwC US
