About this series: Ahead of Mandiant’s 2024 mWise event in Denver Sept. 18-19, we’re talking to security industry influencers about the current state of security—specifically the topics, challenges, and opportunities that are on the mWise agenda.
After helping to build the security culture at Microsoft, Kymberlee Price went on to build enterprise-grade security teams at other major organizations. Today, as Co-Founder of Zatik Security, Kymberlee is working to secure smaller businesses.
In this Q&A, she reflects on the key events in her career that culminated in the founding of Zatik, what worries her about the current state of the cybersecurity market, and what needs to happen next.
You're known as a builder of security teams at large companies and for your work building a security culture at places like Microsoft. With Zatik, you’re advising mid-market organizations. Describe the journey.
Price: When I was on the market for a new role last summer, I talked to a lot of small and medium companies, tech startups that were ready for their first security hire. What I learned about their capabilities shocked me. There are two different types of SMBs: Those that are like consumers, they might be accountants, little clothing boutiques, hairdressers, plastic surgeons and attorneys. They don't have an IT person. Their routers and their systems are being used by malicious actors. They don't even know their routers have passwords, let alone that they should change them. Those small and medium businesses are basically like a consumer.
Then you have small and medium businesses that are producing new technologies, new software, new IoT devices, and they don't have security teams, they frequently don't even have an IT person. They want that first security hire to do everything from outlining the strategic roadmap for the next three years and reporting to the board to all the hands-on management. You don't need me full time. You don't need my salary. What you really need are a few part-time specialists. The more small and medium companies I talked to, and the more I understood the realities of their security capabilities, the more I realized there's a market here for helping these companies. And it's a bigger market than I even realized. These companies need a roadmap, to know exactly what they need to do for the next 36 months.
What are your views on the state of the security market?
Price: I have a lot of concerns. As I walked around RSA’s vendor hall last month, I saw 650 vendors and was thinking about what the user experience with these vendors might be like for a small to medium business that's trying to figure everything out. It's chaos. Everything is shiny and loud. And when you do start talking to people at a booth to learn about their product, when they realize that you're looking at maybe buying 10 licenses, they don't really have anything to help you with that. You're not their target audience.
And some of these products are an add on to something else. It's like, “Hey, here's this great ransomware solution. But you must have someone like a Sentinel One as well, because this first vendor only has the ransomware solution. They don't have any of the other detections. The reality for a lot of small and medium companies is that ransomware is the big driver for protection at this point. There's a new breach all the time, and what happens is that maybe your stock price goes down 4% for one quarter, and then everything's fine, you're still profitable, you're just not quite as profitable as you would have been. All your customers get identity monitoring, and the world keeps spinning, but ransomware hits, and your service goes down. And now you can't make money.
Ransomware is changing the priority of security, especially around such security features as multi-factor authentication and SSO. We recently saw testimony that Microsoft detects almost 4,000 password-based attacks against customers every second of every day. If you think about that scale of attacks, small and medium companies aren't detecting those at all.
If we come in and advise them to turn multi-factor authentication on, it’s because most of these attacks are coming from phishing and credential stuffing. It's not that somebody is launching an exotic attack on your users, it's that they phished you or you reused passwords. And so let's get you set up with MFA.
But now you must manage MFA across multiple different applications. It's so much easier with SSL. So now you have to pay for SSO, every SAS application requires you to be on the Enterprise tier to have SSO support. So you can have a free slack. You can have basic slack, but if you want SSO, you have to be on the Enterprise tier. There are hundreds and hundreds of enterprise applications small and medium companies can't afford. What I'm deeply concerned about is that secure by design has somehow turned into secure by upsell. It's not secure by design if I'm not secure without buying more products and more services and more solutions and using the enterprise here. Medium-sized companies just can't afford to secure themselves, and then they get compromised, and that affects the whole nation. Ransomware operators can significantly disrupt the American economy simply by targeting the small, weak companies. Put that against the backdrop of the threats to critical infrastructure.
Having identified that problem, where do we go from here? Is this just the way it's going to be, and so it's up to companies like Zatik to fill in those cracks?
Price: If software vendors don't find a healthier equilibrium that protects more people, I think we're going to see software liability and requirements coming from the government – US and otherwise. It’s inevitable that someone will have to intervene to make it happen if these companies don't do it on their own. Software vendors are lobbying hard against software liability. But they have the power to avoid that outcome if they will simply include these security features by default in the base model, not in the Cadillac LX premium model.
If the industry starts doing these things, there isn't much need for Zatik and I would actually love to live in a world where Zatik doesn't need to exist, because software is just secure. But until we reach that future, I feel good about what we're doing to help small companies.
Of all the roles you have had in your career, which ones, in hindsight, best prepared you for Zatik?
Price: When I was in my first stint at Microsoft, I got tapped to help with an internet crime investigation. This was when the Zotob worm happened. I was doing community engagement, but I was also good at open-source intelligence gathering.
(Microsoft) were like, “You can't tell anyone where you're working.” They take me off to a lab and give me a hacker handle. This was in 2005. They say, “See what you can find on this” and don’t expect me to find anything. And in about two hours, I'm asking if a particular URL means anything to anyone, and they nearly fell out of their chairs. It’s the main command and control channel. I explained how I tied it all together and wound up working on that team for three weeks.
I identified the people behind Zotob who were ultimately arrested, convicted and jailed. It felt like I had protected people from criminal activity and that was huge.
I worked to change security culture and the industry around how we treat security researchers and how we engage with them through community by holding and attending conferences. They're not the bad guy. If they were, they would be hacking us.
Initially, what Microsoft asked me to do was get researchers to work with Microsoft. But to make that work, we had to change the culture at Microsoft. When I see all the conversations about Microsoft security culture and how they need to come back to a secure-first culture, I'm thinking about how I was there the first time it happened, I watched it happen and was part of making it happen. That was incredibly, incredibly powerful.
When I went back to Microsoft in 2017 (after a stint at BugCrowd and elsewhere), I got to help them come back to that relationship with the external researcher and how it can change the shape of application security and impact customers. You must be willing to partner and work together and build trust. My ability to build trust in that environment is possibly what I'm most proud of in my career.
As you were talking about this, I remembered how, as a reporter, I wrote a lot about the cultural shift as it was happening: Everyone loved to pile on Microsoft but in that five-year period you really started to see security being front and center. You really started to see Microsoft taking it seriously.
Price: But it also required transparency. There are a lot of the things I did that were not attributed. Microsoft was afraid that if the security community knew I was working with law enforcement, they wouldn't trust me in the outreach capacities.
I have the service award from the FBI and got all the recognition internally but didn't get any public recognition. For a lot of the community work where we organized and held a researcher camp, basically for browser researchers, we paid to fly them to Redmond, they got to meet with the security team, they got to meet with the Internet Explorer team. They got to meet with a bunch of people at Microsoft and have great conversations about how Microsoft builds software and why they do it the way they do. They talk about design choices and maintenance and things that security researchers don't necessarily think about, like localization or app compatibility testing to make sure that if we're going to release a new version, let's be sure we don't break 80% of the third-party software on the market.
What ended up happening was about a month later, somebody would be criticizing and complaining to Microsoft on full disclosure. And one of the people who came to the browser camp started defending us. That's amazing. You couldn't have planned it, and you couldn't have asked for it. But people trust people. And so, when you have somebody that has built trust in the community and they leave a company, the community doesn't still trust that company. They trust that person wherever that person went. That's one of the challenges that we see for any company: You have people who invest in the community or in custom numbers or in partners, building a great relationship, and things get really good. The community loves you. Even when you make a mistake, that customer base -- that community base -- is willing to give you the benefit of the doubt: “I know these people, they're really smart. This must have just been a mistake.”
If you lose those people, now you must start over and rebuild trust.