CSO Perspectives is a weekly column and podcast where Rick Howard discusses the ideas, strategies and technologies that senior cybersecurity executives wrestle with on a daily basis.
Cyber-entrepreneurship in the age of CyberAI.
Rick Howard, N2K CyberWire’s Chief Analyst and Senior Fellow, turns over hosting duties to Kevin Magee, the Global Director of Cybersecurity Startups at Microsoft to discuss Cyber-entrepreneurship in the age of CyberAI.
There are plenty of articles by financial journalists, or reports by Venture Capital firms that you can read to find out about the latest hot cybersecurity startup that raised a huge round of funding, or what blockbuster mergers and acquisitions happened this week. But that’s not what I do. I work at the ground level of innovation in cybersecurity, helping academics and researchers commercialize their ideas. I collaborate with entrepreneurs and founders to achieve product-market fit and support startups in finding new markets and customers. I engage directly with security teams and leaders in the field to accelerate innovation adoption, and I consult with business leaders and boards to guide them in quantifying risk and ROI to implement effective governance controls that ensure secure digital transformations for their organizations.
My name is Kevin Magee. I am a former startup founder and former Chief Security Officer of Microsoft Canada. I’ve been an entrepreneur, a CSO, and an early employee at many tech and cybersecurity startups like Citrix, Splunk, and Palo Alto Networks and have a unique perspective on the intersection of entrepreneurship and cybersecurity which I get to use in practice every day in my current role as the Global Director of Cybersecurity Startups for Microsoft.
I want to thank Rick Howard and the CyberWire team for this opportunity to share my perspective on the state of cybersecurity startups in 2024 in an essay I’m calling “cyber-entrepreneurship in the age of cyber-AI”.
Now this will come as no surprise to listeners of this podcast, and I am sure that many of you feel the same way. What first drew me to cybersecurity, and keeps me here, is the sense of mission and the unique common bond of our community. At our core, we’re all defenders, working together to support one another, even if we work for competing companies.
While not typical “defenders”, the entrepreneurs in our industry really do play a unique role in advancing our mission. They may not take their shift in the SOC triaging alerts daily, but their work exploring innovations and building new products is invaluable. They make their contribution by exploring new innovations, investing their time, money, energy and often parts of their soul into building mere ideas into tools; tools into products; and products into platforms; and platforms into companies. They are hackers too, in the original HomeBrew Computer club sense of the word, just of a different sort. So if you are a cyber-entrepreneur out there listening right now, please know I have the greatest respect for the work you do, and believe that we need you now more than ever.
Technological leaps that have defined the eras of cybersecurity (at least during my career).
Like many in this industry, my career path to cybersecurity has been unconventional at best and began with a history degree. And I have been lucky enough to have these two great passions intersect on many occasions. All of which began with my first encounter with a new technological innovation that ended up creating infinite business and other societal opportunities. But also ushered in the age of the stereotypical black-hoodie-wearing malicious hacker while also launching our hitherto small and relatively obscure industry into the mainstream. The PC.
I was nine years old when I saw my first real computer, a TRS-80 Model III, through the window of a Radio Shack at a shopping mall that no longer exists. I will ask you to pause for a second because there is really a lot to unpack about the historic impact of the PC in that last short sentence. I didn’t know it then, but I was glimpsing the future. A future that included a PC on every desk and in every house. History was being made literally right before my eyes and I saw it manifest itself right there in that Radio Shack shop window, in all of its 16KB of RAM, dual 5 ¼ inch floppy disk, low-resolution, glory. It was this first chance-encounter where I caught the computer bug that would stick for life. I saved enough money mowing lawns and shoveling snow (I’m a Canadian, so this is a lucrative business model for a kid on a mission) to buy a computer of my very own; my prized and life changing Commodore 64. And of course the first thing I did was to take it apart to see how it worked. And so I became a hacker.
Later as an undergraduate history student, I logged into what would become the Internet from the windowless UNIX lab under the stairs at Brock University. This time however, I had a little better sense of the historical importance of what I was seeing. As I sent my first emails filled with ASCII art to my friends at other schools, I began to marvel at its possibilities. My fascination with this new technology, or whatever it was, led me to start three companies in the '90s—two successful, and one… well I don’t like to talk about it, but in retrospect recognize that it was a valuable learning experience. And so, I didn’t follow the traditional hacker to cybersecurity professional path of my generation, I became an entrepreneur. And yet I never felt I left one community for another, I became a bridge between the two.
Years later, I began to see employees bringing their own devices to work; laptops and mobile phones that they had paid for themselves. They did this because they wanted to use the latest and most innovative technologies that they were already using in their personal lives to do their work and do it better, rather than use the dated, spec limited and locked down devices provided by the company. As a result, I had the good sense to seek out startups that were positioning themselves for this new BYOD revolution which landed in Silicon Valley to ride the wave of innovation which would found our modern cybersecurity industry. From this experience, I learned first-hand how to hyper-scale a startup, but also the unique challenges of bringing something new to market and overcoming the ubiquitous risk aversion that is unique to the cybersecurity industry and often keeps us from maximizing our potential as defenders.
ChatGPT to the dawn of CyberAI in just over 700 days.
And yet, having lived through all of these incredible technological revolutions and careers, as many of you have as well, I think what we are experiencing right now with the emergence of AI might be the greatest story of our industry yet untold. Seeing ChatGPT for the first time, it was clear that our industry would need to reimagine and reinvent itself. Instead of running out and starting a new venture of my own, I decided to leverage my experience to support the cyber-entrepreneur community and drive innovation without the sleepless nights of coding and subsisting on family packs of ramen noodles from Costco.
My first, and likely totally obvious observation is that things are moving fast. Since ChatGPT’s public release on November 30, 2022, we’ve entered a new era. AI has rapidly transformed industries, from education and healthcare to customer service and everyday life. Even my mom, who has never heard of CNAPP or SASE, knows what ChatGPT is, demonstrating just how fast it has spread throughout general society. All in just over 700 days.
My next totally obvious observation is that AI transformation of everything, the sequel to digital transformation, has already created both unprecedented challenges and opportunities in cybersecurity at a velocity we have never seen before. While we’ve adapted to technologies like the internet, mobile devices, and the cloud over years, AI demands much quicker, even more resilient responses. The pandemic gave us but a glimpse of this speed of change; however, the age of CyberAI will require a new level of agility. This will require all of us, security teams, procurement departments, senior business leaders, boards of directors, policymakers, educators, and individuals managing our own careers, to think and work beyond traditional linear limitations and natural risk aversions to embracing innovation. Because you can be certain the threat actors will not be held back by these constraints to anywhere near the extent we are.
What has me optimistic and most excited about all of this tremendous change, the speed at which it’s happening and the uncertainty it’s creating? Well, as an industry, I believe we now have an epic and historical new story to write. We defenders, the heroes of this story of course, will need to act boldly, innovate quickly, and stay ahead of attackers. And, for the first time, I’m convinced we have the right technologies in place to out innovate the attackers and tip the scales in our favor. This is where the cyber-entrepreneurs come in.
What happens next? And where will I be placing my bets?
What will happen next and what will the era of CyberAI bring? It’s really way too early to tell. I think we are still writing the prologue, not even the first chapter but don’t worry, I’ve skipped ahead and here are some of my best guesses, and the things I will be watching for as this story unfolds.
If I were to sum up my investment thesis for cybersecurity innovation over the next three years in three words, they would be: automation, remediation, and governance. That’s where I will be placing my big bets and here’s why.
As an industry, we’ve made remarkable strides forward in creating tools centered on detection, zero trust, and other defensive measures. Yet, the future will unfold in an AI-versus-AI landscape where the ability to automate and deploy AI solutions will be essential not only to tackle complex challenges but also to empower our limited teams of defenders, enhancing their effectiveness, efficiency, and resilience against burnout.
This is where the innovative perspective of cyber-entrepreneurs becomes a true force multiplier in two ways. The simplest is through automation: eliminating tedious, repetitive tasks, which, while valuable, risks merely “paving goat trails” instead of building new highways. Real innovation will lie not in making current tools, techniques and procedures faster but in reimagining how AI can transform our approach entirely, delivering exponential efficiencies.
This is our Henry Ford moment, captured in his famous reflection: “If I had asked people what they wanted, they would have said faster horses.” Nir Zuk, a cyber-entrepreneur and founder of Palo Alto Networks, ignored all the requests to build faster stateful inspection firewalls, and this enabled him to envision and build the next generation firewall, creating a leap forward in defensive technology. In both of these examples, the technology and the idea came into existence together in the right place at the right time and were championed by someone willing to choose innovation. Today, my greatest fear is that cyber-entrepreneurs will ask us what we want, and we will similarly respond, “phishing alert triage automation,” missing all sorts of opportunities to realize the full potential of AI.
Another area ripe for innovation is remediation. Even with all the impressive tools available for detection and defense, organizations continue to experience material impacts due to cyber events. While some progress has been made in automating remediation, it largely remains a labor-intensive process, handled by a limited pool of highly skilled and experienced cybersecurity professionals. This is a resource that is increasingly scarce in our industry relative to the growing problem. The reality is that we cannot recruit, train, or retain enough talent to meet this demand.
To address this gap, we must evolve our business operations and culture from merely focusing on security to that of true resilience. This includes comprehensive strategies for remediation, recovery, and business continuity. This domain is ideally suited for AI-driven efficiencies and invites cyber-entrepreneurs to create innovative, business-specific solutions that are designed to deal with the unique challenges that happen right-of-bang and help organizations survive and recover from the impacts of material cyber events. Among all potential investment areas, I believe remediation holds the greatest promise for delivering substantial returns on investment for both entrepreneurs and their customers.
The third area I’m focused on is Governance, Risk, and Compliance (GRC). We are at the opening stages of a new kind of organization and society. One operating with the precision of code. While this brings inherent advantages, it also introduces new potential vulnerabilities that threat actors can exploit. This transformation calls for innovative approaches to governance, oversight, and compliance, ensuring that we make sound and ethical business decisions while also maintaining accountability.
How can we provide board-level oversight for technologies that didn’t exist yesterday? How does a CISO assess the risks associated with AI models that we don’t fully understand or can’t explain how and why they work? And how can we develop compliance frameworks that go beyond static, point-in-time assessments to keep pace with an environment of exponential change? These are monumental challenges, but also incredible opportunities for cyber-entrepreneurs to do what they do best, solve unique problems and create something the world has never seen before.
The 5 key market trends I will be following.
Those were my best guesses and some insight into where I’m placing my bets. Let’s talk about some indicators, trends if you will, that will tell me if my bets are on track.
Market trend #1: Business decision based digital transformation has gone parabolic. Human ability to comprehend and adapt has not.
In a quote that seems particularly relevant today, E.O. Wilson, the American biologist, naturalist, ecologist, and entomologist known for developing the field of sociobiology, said, “The real problem of humanity is we have Paleolithic emotions, medieval institutions and god-like technologies.” Wilson was born in 1929 and died in 2021 so he had the opportunity to witness firsthand not only the leaps and bounds that human ingenuity would apply to the acceleration of technological advances, but also the ever-widening gap between these advances and our very human capabilities and human created institutions’ capacities to keep pace.
The traditional approaches of cybersecurity focused on the technology side of things such as securing endpoints and networks. These tools are, and continue to be, absolutely necessary. But they are no longer sufficient in an era where AI, cloud computing, and Internet of Things devices are exponentially increasing the complexity of security challenges while infinitely increasing the attack surface. As people and organizations accelerate the digital transformations, and now AI transformations of their lives and businesses, this trend only bends the curve even further away from our linear capabilities of responding. Creating an ever-widening gap that can be exploited by attackers. For example, a hospital might rightly invest in new technologies, digitally transforming the way they approach patient care and in doing so, save significantly more lives and alleviate unnecessary suffering. However, within these rapid advances new opportunities for attackers are created and new attack surfaces emerge that are the unintended consequences of this transformation process. Risks accelerate not along with but at an exponential rate in proportion to the degree of transformation. They often are disproportionate to the value the new service brings to the customer. We need to make the lives and care of patients better, but in doing so, we must ensure we don’t cure the patient but kill the network.
This transformation gap challenge has created an entirely new need with high demand and opportunity for startups to address. As business leaders look to balance digital transformation with cybersecurity, they will need new tools and approaches to quantify, forecast and communicate risk to help business leaders understand and make better decisions. According to a report from Fortune Business Insights, “the cybersecurity industry is expecting a paradigm shift with a more coherent and business-involved approach that reflects better understanding and management of cyber threats”. This shift is about more than just adopting new technologies, it also encompasses liability concerns, regulatory frameworks, legislation, governance and the need for more sophisticated risk management and communication practices.
What I’m talking about is not an extension of just zero trust beyond the tech stack, but an entire new way of creating digitally transformed business processes and workflows that are secure by design. The first opportunity is the one we are more familiar with. It is security-as-a-verb; to create the tools to monitor, protect, optimize and ensure our assets, processes, and operations are both secure and compliant.
The second and more interesting opportunity is security-as-an-adjective; to create and automate “secure business processes”. A whole new market is emerging that will see us create business logic as code. We have the opportunity now to shift left and build secure business processes by design. What if we could ensure that actual business processes did not include vulnerabilities that could be exploited? What if we could redteam business decisions to determine the unintended consequences to security before implementing them? Could we perhaps do this with a digital twin of the entire business operation, policies and procedures? If the “code” that not just runs, but IS the business, was secure before going into production, much like the initiatives we are now taking with software that is secure by design, imagine how much easier things would be to secure once operations hit the tech stack?
Three companies I'm looking at are great examples (and full disclosure, these are companies in the Microsoft for Startups portfolio so I may be a bit biased): Tines, Blink, and RegScale.
Tines enables teams, often with limited technical skills, to build and manage automated security workflows without slinging code. Business process owners create secure workflows without having to be a cybersecurity expert. What this advancement can do is help organizations maintain security in an environment where digital processes evolve rapidly, letting them respond to incidents and manage threats efficiently while reducing the reliance on manual intervention.
Blink is focused on automating cross-platform security integration. As organizations integrate more and more technologies and digital tools into their workflows, Blink has created a solution that can help SOC analysts unify these efforts and workflows visually, reducing the overall operational friction and enabling faster responses to threats. Not only that, analysts can use Blink to build, edit, test, and run new workflows using natural language and a user-friendly drag-and-drop interface.
RegScale focuses on the challenge I discussed earlier of adhering to continuous compliance monitoring which will become even more critical for organizations navigating increasingly complex regulatory requirements. RegScale’s unique solution embeds the actual compliance checks into the digital workflows. This enables proactive management of regulatory obligations in near real time.
I believe we need an innovative shift left that addresses business logic as code that not only integrates seamlessly with business processes but is part OF the business process itself. This is what I mean by security-as-an-adjective, not just a verb. As digital transformation accelerates, these startups are beginning to demonstrate how automating and embedding security within business logic can help organizations manage risk effectively, adapting security to business objectives rather than traditional reactive measures.
Market trend #2: Consolidation of the cybersecurity market is occurring, paradoxically creating new opportunities for cybersecurity startups.
One of the most prominent trends right now in the cybersecurity industry is the continued consolidation of the market. Large cybersecurity companies are increasingly acquiring smaller, innovative startups to bolster their portfolios and address emerging threats more quickly than they could through internal development alone. We have seen large transactions such as Google acquiring Mandiant for $5.4B in 2022, to private equity firms like Thoma Bravo taking positions in, or outright acquiring portfolios of cybersecurity companies such as Blue Coat, Darktrace, Imperva, McAfee, Proofpoint, SailPoint, and Sophos among countless others. We’ve also seen startups consolidating and making acquisitions to advance technical roadmaps and/or acquire talent and scale, such as the recent move by Cyera (another Microsoft Startups portfolio company), who just recently acquired Trail Security for $162 million to integrate Trail's advanced DLP capabilities with Cyera’s Data Security Posture Management (DSPM) platform. Even non-traditional technology companies, such as Mastercard, recently acquired global threat intelligence company Recorded Future from Insight Partners for $2.65 billion to enhance its own security capabilities as well as its service offerings in the payments ecosystem.
Larger players are increasingly acquiring niche startups to integrate into broader security platforms and business models. Yet, while this may seem like a threat to startup innovation, it also creates openings for new ventures and for serial entrepreneurs to bring multiple ideas to market faster. Established cybersecurity companies often cannot develop innovative solutions fast enough internally. They, like everyone else, just do not have enough people and resources to keep up with the parabolic demand of their customers. This in turn creates mirrored parabolic demand for startups that can address emerging security concerns, especially in the areas of AI and cloud security.
Likewise, venture capital investment continues to pour into cybersecurity, particularly in AI-related areas. According to EY’s 2024 Venture Capital Trends Report, AI-related companies accounted for 37% of total VC funding in the second quarter of 2024, more than double the amount raised in the first quarter. This demonstrates to me that while AI investment is booming, cybersecurity remains a key area of focus, especially as organizations scramble to secure their AI deployments and protect against AI-driven threats.
Market trend #3: Increasing cybersecurity budgets and the demand for CyberAI solutions.
In 2024, cybersecurity budgets are continuing to rise, with organizations expecting a 13% increase in cybersecurity spending on average. This increase reflects the growing importance of cybersecurity as businesses integrate more advanced technologies, like AI and cloud computing, into their operations. As a result, there is a significant opportunity for startups that can provide innovative solutions in areas such as automated threat detection, vulnerability remediation, and risk quantification.
Reacting to the launch of ChatGPT just 700 days ago, CISOs are responding. Silicon Valley Bank’s “The Rise of CyberAI” report notes that “74% of CISOs have already changed the composition of their cybersecurity stack, with the majority of that group primarily augmenting their existing stack with new tools” in response to ChatGPT. And beyond that, 26% of CISOs responded that they will be adding new cybersecurity tools over the next three years. This is a development cycle time frame that is not only incredibly tight and challenging, but also a gap that clearly favors startups who are well positioned to fill it.
Market trend #4: The long-term impact of AI on cybersecurity is unknown.
AI is fundamentally changing cybersecurity, but this transformation will not happen overnight. Already everything has changed, and yet, we are likely on a 3-5 year journey with AI before the market drivers become more clear for both securing AI and building secure AI. As Perry Carpenter says in his recent book, “FAIK,” the moment is akin to when the Wright Brothers accomplished first flight.
AI’s role in cybersecurity is both a windfall and a challenge. On one hand, AI enables businesses to automate their security processes, making it easier to detect and respond to threats in real-time. On the other hand, AI also empowers cybercriminals, who are using AI to develop more sophisticated and automated attacks. And both groups are experimenting with innovation and driving unprecedented digital transformation.
For example, AI-driven phishing attacks have arguably increased dramatically since the release of ChatGPT. According to a report by Cybersecurity Ventures, phishing attacks rose by 13-fold in 2023 alone, as AI made it easier for bad actors to generate convincing phishing emails at scale. These attacks are expected to become even more prevalent in 2024, as cybercriminals continue to leverage AI to automate their campaigns and exploit vulnerabilities faster than ever before.
In response, many CISOs are focused on developing AI-driven security solutions in-house. A survey conducted by AXA Venture Partners found that 74% of CISOs are currently focused on building their own security capabilities to maintain control and minimize risks associated with external vendors. However, integrating external AI-powered tools is also seen as essential in the near term, particularly as the attack surface continues to grow.
Startups that specialize in AI-driven security solutions are well-positioned to fill this gap, providing the tools necessary to secure AI systems and protect organizations from the next generation of cyber threats.
HiddenLayer (another Microsoft for Startups portfolio company; I promise, this is the last one) is one of these startups. They build technology that aims to protect enterprises’ AI from inference, bypass, extraction attacks, and model theft. They ensure privacy by not requiring access to raw data and algorithms. This allows organizations and teams to experiment and innovate, but securely and within compliance frameworks.
Market trend #5: Corporations are investing in and incubating cybersecurity startups.
In addition to increased venture capital investment, non-tech based corporations are playing a growing role in fostering cybersecurity innovation. Traditionally, corporate investment in cybersecurity was limited to sectors like finance or technology. But Mastercard buying Recorded Future was an example of an emerging trend. In 2024, companies across a wide range of industries are looking at cybersecurity startups to incubate and to buy in order to enhance the protection of their own critical infrastructure and stay ahead of evolving threats.
An example of this I find really interesting is Chevron, a major energy company, which has significantly increased its investment in cybersecurity startups as part of its strategy to protect its operational infrastructure from cyberattacks. Similarly, RBC, one of Canada’s largest banks, has partnered with Toronto Metropolitan University’s Cybersecure Catalyst to launch a fintech cybersecurity accelerator, providing early-stage startups with access to funding, mentorship, and expertise but also a potential first customer.
These corporate-backed initiatives, by non-tech companies, are creating new opportunities for cybersecurity startups, giving them access to resources that can help accelerate the development and deployment of their solutions with industry specific focuses. By partnering with large corporations, these startups can gain valuable insights into the specific cybersecurity needs of different industries and develop solutions that are tailored to those needs.
Key opportunities for cybersecurity startups.
While the cybersecurity market is bristling with opportunities, cybersecurity startups still face significant and unique challenges. The cybersecurity vendor industry is unarguably crowded, and many startups struggle to differentiate themselves from competitors. It’s difficult for potential customers, especially non-technical business leaders, to understand the complexities of cybersecurity solutions, which can make it hard to demonstrate a clear return on investment.
The biggest challenge I see daily however is that risk aversion remains a significant barrier to adoption. Enterprises are often hesitant to adopt new cybersecurity technologies, particularly those that are untested or unproven in the market. This is especially true in cybersecurity, where even minor failures can have catastrophic consequences. As a result, cybersecurity startups must not only provide innovative solutions but also build trust with potential clients by demonstrating the efficacy and reliability of their products.
Despite these challenges, there are several key areas where cybersecurity startups can thrive. Solutions that automate security processes, remediate vulnerabilities in real-time, and quantify risk and improve communication with boards and regulators will be particularly valuable. As regulatory scrutiny increases, businesses will need tools that help them demonstrate compliance and manage third-party risks effectively.
Final thoughts.
I believe cybersecurity startups are at the forefront of creating global resilience. The cybersecurity startup landscape in 2024 is characterized by rapid technological change, increasing budgets, and growing corporate interest in innovation. While the challenges for cybersecurity startups are significant, especially in terms of differentiation and risk averse customers, the opportunities are equally immense. Startups that can develop innovative solutions to address the most pressing cybersecurity challenges and help close the gap created by parabolic digital and AI transformation trends will not only help businesses protect themselves from current threats but also play a key role in shaping the future of cybersecurity.
As AI continues to be integrated into every aspect of our lives and businesses, cybersecurity will increasingly become a horizontal platform, cutting across industries and sectors. The next wave of cybersecurity startups will be those that can leverage AI to automate security processes, detect threats and remediate in real-time, and provide actionable insights to help businesses stay ahead of the ever-evolving threat landscape.
In this rapidly changing world, cybersecurity entrepreneurs and startups are not just co-defenders of the digital realm, they are the innovators who will define the future of cyber resilience in the coming age of CyberAI.
What can you as a CSO do to help? Take that call when a startup reaches out to you. Head to the outside ring of cheap and small booths on the trade show floor at the next conference rather than just the flashy expensive ones in the middle with the nice pens. Have the courage and the foresight to overcome your organization’s risk aversion to “new things” when it comes to cybersecurity. And, when you are planning your future security posture, don’t ask for faster horses, demand jetpacks!
References:
Camille Périssère, 2024. 2024 cybersecurity market trends [Analysis]. AXA Venture Partners.
Jeffrey Grabow, 2024. AI continues to drive venture capital activity [Analysis]. EY.
Staff, 2024. Cybersecurity Market Size, Share, Analysis [Analysis]. Fortune Business Insights.
Staff, 2024. RBC FinSec Incubator [Analysis]. Rogers Cybersecure Catalyst.
Staff, 2024. Microsoft Digital Defense Report 2024 [White Paper]. Microsoft.