Security without stagnation: What I've learned from mentoring startups
I have always had a passion for new and innovative products. Due to the ever-changing threat landscape, cyber security has an almost infinite demand for product innovation — which is what has made it such an exciting field for me over the past 5 years. I would even say that threat actors themselves are among the biggest innovators: every time new tools are developed to thwart threat actors, attackers quickly develop new tactics to get around those defenses.
As a CISO for a company that helps guide travelers to new destinations, I have had the opportunity to work with a few innovative companies in their own journeys. I take great joy in helping startups mature their products and product strategy — and — truthfully, being a mentor also helps me learn new ways to protect my organization.
I never sought to become a mentor, but being in a prominent position at KAYAK, people have approached me a lot for advice (perhaps even more so after this story!). As a CISO, it is easy to fall into the trap of thinking, "I don't have time for this." The truth is, no one has extra time, but I make room for mentoring because I believe it serves a greater good and helps drive continuous innovation in cyber security.
We all know that startups are vital to the cyber security ecosystem (and innovation ecosystems overall). Their growth benefits all companies and sparks new job creation and economic growth. It's a virtuous cycle: as a buyer of technology services, I want cyber security startups with good ideas to flourish and gain more customers, so that they — in turn — can invest more in improving their products. As the company becomes financially viable sooner, the products also get better, sooner. (Legacy tech companies don’t always demonstrate the same urgency).
There’s a personal element to it, too. I love to work with young people and companies with passion and watch them grow. It is a bit like raising a child. Since I am passionate about fresh ideas and finding ways to improve products, I decided it was worth taking some time out of my day to help out some of these companies.
What mentoring looks like in practice
Big companies aren't bad, but the risks of taking chances are much higher compared to smaller companies. That makes it more challenging for them to innovate. Bigger companies tend to protect what they have, rather than trying to figure out the next new thing, or they simply buy the next big thing and expand through acquisition. There's more opportunity for innovation in smaller companies because people can take more risks and there are fewer bureaucratic hoops to jump through.
But startups face immense challenges. They need more than just a good idea. Defining a market for a mass customer base (or entering an entrenched market category) involves more than solving a single problem for a single customer. Startups often struggle to take their ideas to the next level, which is where mentors come in.
Most of us are time-strapped, so you have to prioritize how and who to mentor. Before embarking on a mentorship relationship, I ask myself three questions:
Do they have a clear vision of what their product brings to the table and how they expect to grow that product over time?
Are they enthusiastic about that vision?
Is the company in an area that interests and excites me?
There's a lot of opportunity for new startups to scale and create a product I would one day consider using for our company. For example, right now, I see a lot of innovation around identity and access management, Zero Trust networking, and network micro-segmentation, and I have a personal interest in projects that fall into those spaces. There's something special about seeing mentorship make a difference in a company's fate. In one case, I began a relationship with a security company that was tackling the problem of how to safely onboard and protect the identities of independent contractors. Their initial vision piqued my interest, and our conversations began by sharing ideas. Over three years, I regularly gave feedback on product ideas, poking holes in their plans and helping provide alternative solutions. Their product eventually evolved into identity threat detection response (ITDR).
At every stage, I got into the nuts and bolts of what they were trying to achieve and what they needed to improve, including their signal-to-noise ratio (more on that below). While I can't take all the credit, the fruits of our labor paid off: A Fortune 100 company acquired the startup, and I still provide them with occasional advice.
All of these interactions have helped me gain new perspectives that I can bring back to drive innovation at my organization.
Mentoring will look different depending on your personal bandwidth and the mentee's needs. Some companies might require ongoing advice, and others just one or two meetings to set them on the right track. So much depends on where the startup is in their evolution — whether they only have an idea, a mockup of a solution, or a full-blown product. Regardless, the circumstances should work for everyone involved.
Where I've seen startups struggle
Just as no two companies are the same, no two mentoring engagements are alike. That said, I've recommended a few areas of focus for cyber security companies in recent years:
High signal-to-noise ratio. One of the biggest problems with security tools is all the noise. With a high signal-to-noise ratio, users will pour human resources into following up on every notification, running the risk of alert fatigue and missing critical alerts. Just because you can fire off an alert doesn't mean you should. Is the alert effective and valuable? Or does it just add more work? These are essential questions because if there are too many alerts people tend to tune them out. It's not just the quantity but also the quality of the alerts. You want the essential signals you send to be simple so it takes little time and effort to analyze.
Ease of implementation. Many companies make it far too difficult to implement their product. Everyone will tell you that implementation takes only 15 minutes, but that is never the case. I see a lot of companies making the mistake of expecting humans to sit in front of a graphical user interface (GUI) for many hours to configure their product. That is inefficient, especially at scale. Companies should focus on using APIs and automation for setup, certainly, but also for ongoing use.
SOC2 or ISO 27001 compliance. I know I'm not alone when I admit I get more excited about tech than compliance. However, compliance with one of these standards is critical for cloud-based companies handling sensitive data. It's the only way to gain the trust of the enterprise clients, and compliance needs to be part of the conversation early on.
While I'm not a marketer, I am often the target buyer. I push startups to define their value proposition. It can be a big challenge, but if their thesis resonates with me, I believe it will resonate with other CISOs.
For all I give, I get something in return
Mentoring isn't a one-way relationship. Sure, I provide guidance, but I get something out of the process, too. When I encounter a fresh perspective on security, there's also a potential opportunity to improve processes at my organization.
There's always more to learn, and some of the best ideas come from new conversations. For instance, in mentoring the ITDR company, I learned that my IAM session length was not what I thought it was, and was able to correct it.
I am an information junkie. The intellectual stimulation of talking to people who are excited by the same topics as me is energizing. It's why I get up in the morning and enjoy helping other leaders push forward. There's also a sense of pride in being a part of someone else’s success.
Founders create and innovate because it's what they love to do. But running a company isn't as simple as hopping on a bike, and many startups still fail. Mentoring offers an extra push to these companies, giving them a fighting chance to bring their ideas into the world.
Avoiding conflicts of interest
KAYAK has a strong compliance and ethics program. Working with vendors presents the risk of creating a conflict of interest if I think the product is a good fit for KAYAK. I have personally mitigated this risk by completing disclosure statements as required by KAYAK and by letting my team make the final decisions regarding whether a product is a fit for our company.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
Author
Tom Parker
VP of IT and CISO, KAYAK
Key takeaways
After reading this article you will be able to understand:
Mentorship serves a greater good and helps drive continuous innovation in cyber security
Startups often struggle to take their ideas to the next level, which is where mentors come in
Mentorship offers mentors opportunity to improve processes at their own organization
Related resources: