Cybersecurity Budgets: the Journey from Reactive to Proactive – Todd Thiemann, Theresa Lanowitz – ESW #383

Some select funding announcements from the latest Security, Funded newsletter:

1. Armis raises $200M, boosting valuation to $4.3B in push towards IPO
2. Bugcrowd Secures $50 Million Growth Capital Facility from Silicon Valley Bank - and announced Trey Ford as their new CISO!
3. Zenity Raises $38M Series B Funding Round to Secure Agentic AI

A few other interesting fundings without numbers attached:

• Island extends its $175M Series D, raised back in April, with Citi Ventures now participating
• Tidal Cyber raises a third seed round from USAA and Capital One Ventures
• and Secret Double Octopus closes possibly one of the most extended Series C fundings ever, with the first Series C investment (from SC Ventures) closing in 2020, and this latest one, in October 2024, from SBI

Some very notable acquisitions this week!

1. H.I.G. Capital and Thoma Bravo to Acquire CompTIA Brand and Products
2. Normalyze gets picked up by Proofpoint in what marks the eighth DSPM acquisition in 2 years, according to Mike Privette. I haven't seen a category get snatched up this quick since the CASB market got vacuumed up in 2016/2017.
3. Detectify Receives Majority Investment from Insight Partners
4. Last, but not least, CrowdStrike gets into SaaS security with the acquisition of Adaptive Shield - I'm curious to see if this triggers a buy-off of SSPM vendors, starting with AppOmni, which is already partnered with Wiz.

We discussed EDR Silencers on episode 380 of this podcast, and this is one of the more interesting responses we've seen to this malware trick.

TL;DR, EDR silencers simply create firewall rules that prevent popular EDR software from sending data to their consoles, effectively silencing them.

I didn't realize this was going on, but it is yet another insight into why we keep hearing cybersecurity is so flush with jobs from some sources (looking at you, ISC2 and Cybersecurity Ventures), while hearing that it takes 6+ months on average to land cybersecurity jobs from people actually vying for open positions.

I often find myself disagreeing with Ira Winkler, but in this case we're in violent agreement. Something stinks about the job numbers that organizations like ISC2 have been promoting and Ira spotted something I missed when analyzing this myth for my talks on "Myths and Lies in InfoSec".

What I missed was some fine print that stated:

The ISC2 Cybersecurity Workforce Gap is an estimate of the number of people needed globally to adequately secure organizations. The workforce gap is not an estimate of open positions or cybersecurity jobs available.

First off, NO ONE KNOWS how many people are needed to secure organizations. We don't even have a good way to measure the efficacy of the employees we already have! It's also entirely possible that a bad employee, or an employee doing the wrong thing can make an organization less secure.

Combine this with the recent fact I learned, that it is commonplace for companies to post 'ghost jobs', and I don't think we can trust ANY of the stats we see about open jobs in the industry.

I missed this back during hacker summer camp, but was SHOCKED at how quickly and easily Microsoft 365 Copilot can be poisoned.