The 2024 Cybersecurity Market Review – Mike Privette, Rew Islam – ESW #387
1. The 2024 Cybersecurity Market Review – Mike Privette – ESW #387
For our second year now, Mike Privette, from Return on Security and the Security, Funded newsletter joins us to discuss the year's highlights and what's to come in the next 12 months.
In some ways, it has been a return to form for funding, though some casualties of a tough market likely had to seek acquisition when they might otherwise have raised another round and stayed independent a while longer. We'll cover some stats, talk about the 2025 IPO market, and discuss the likelihood of (already) being in another bubble, particularly with regard to the already saturated AI security market.
It won't be all financial trends, though: we'll discuss some of the technical market trends, whether they're finding product-market fit, and how ~50ish AI SOC startups could possibly survive in such a crowded space.
Announcements
Want to shape the future of identity? Identiverse 2025 is looking for dynamic speakers like you to share groundbreaking ideas with over 3,000 identity and access management leaders. Join the most influential voices in IAM and help drive innovation in our industry. Submit your presentation proposal today at securityweekly.com/idvcfp
Guest
Mike Privette is the founder of Return on Security and the industry’s first cybersecurity economist. With over 18 years of experience as a security engineer, leader, and CISO, Mike recognized a critical need for accessible intelligence on the cybersecurity landscape from a practitioner’s perspective.
Frustrated by the lack of concise resources to track emerging cybersecurity companies and industry trends, he created Return on Security to serve cybersecurity leaders, founders, investors, and policymakers. Mike analyzes data on technological advancements, regulatory changes, and economic indicators across major economies, providing insights that connect cybersecurity with global economic dynamics.
2. Pondering Portable Passwordless Passkeys in 2025 – Rew Islam – ESW #387
In this segment, we discuss two new FIDO Alliance standards focused on credential portability. Specifically, if passwordless is going to catch on, we need to minimize friction and maximize usability. In practice, this means that passkeys must be portable!
Rew Islam of Dashlane joins us to discuss the new standards and how they'll help us enter a new age of secure authentication, both for consumers and the enterprise.
Guest
Rew Islam is the Director of Product Innovation at Dashlane. He joined Dashlane in 2011 as the password manager’s first iOS developer, eventually helping to lead the development of the Dashlane iOS and macOS apps. Rew is an active FIDO Alliance member who’s focused on all things passwordless and phishing-resistant. Prior to joining Dashlane, Rew was an iOS/Web engineer for Xerox Research Centre Europe where he led the development of several photo-sharing apps. Rew hails from Brick Lane in the East End of London and holds a bachelor’s degree in Computer Science and Cybernetics from the University of Reading in the UK.
3. AWS does IR, credit card canarytokens, shared responsibility, phishing tests do harm – ESW #387
This week, in the enterprise security news,
NOTE: We didn't get to 2, 3, 5, or 7 due to some technical difficulties and time constraints, but we'll hit them next week! The show notes have been updated to reflect what we actually discussed this week: https://www.scworld.com/podcast-segment/13370-enterprise-security-weekly-387
- Snowflake takes security more seriously
- Microsoft takes security more seriously
- US Government takes telecom security more seriously
- Cleo Capital takes security more seriously
- EU’s DORA takes effect soon
- Is phishing and security awareness training worthless?
- CISOs need financial literacy
- Supply chain firewall is basic but useful
All that and more, on this episode of Enterprise Security Weekly.
- 1. NEW PRODUCTS: AWS launches an incident response service to combat cybersecurity threats
The more I think about this, the more it makes sense. AWS is constantly changing, documentation is difficult to parse, and mistakes are easy to make. Having a service that can quickly undo malicious account takeovers or shut down malicious activity could be a huge plus for an org that's all-in on AWS for production workloads.
- 2. NEW FEATURES: It’s Baaack… Credit Card Canarytokens are now on your Consoles
- 3. NEW TOOLS: Introducing Supply-Chain Firewall: Protecting Developers from Malicious Open Source Packages
Stupid simple
Stupid effective
We need more security tools like this
- 4. NEW FUND: Cleo Capital launches cybersecurity accelerator to help undo the ‘crushing burden’ of online threats
"Right now, Kunst is looking for companies from consumer, the defense sector, and dev tools and infrastructure. A pressing issue for Kunst is that it’s too easy for scammers to target their victims. “You can pretend to be anyone on social media or a dating app,” she said."
"The deadline to apply to the accelerator is January 20, with a February 24 start date."
- 5. SECURE BY DESIGN: Snowflake Will Block Single-Factor Password Authentication by November 2025
I've loudly voiced my doubts that CISA's Secure by Design would have much of an impact, but if Snowflake follows through on this, I might have to reconsider. Obviously, we want Secure by Design to have a broader impact than one security control at one vendor, and an argument can be made that it was maybe 5% Secure by Design and 95% massive customer breaches that helped make this happen, but whatever - details. It might inconvenience some customers, but overall, a necessary move, I think.
- 6. VULNS: Cisco ASA flaw CVE-2014-2120 is being exploited in the wild
An 11-year-old vulnerability.
Being exploited in the wild.
Attack vector is the web console.
C'mon, folks. Do better.
- 7. WORST PRACTICES: Understanding the Efficacy of Phishing Training in Practice
I swear this report was available for free when I first added this. Oh well. I just created an IEEE account and paid $21 for it. FML.
This is more of what we already know from other studies - phishing training generally doesn't work, and can potentially do harm. There's better stuff we can be doing instead.
Abstract—This paper empirically evaluates the efficacy of two ubiquitous forms of enterprise security training: annual cybersecurity awareness training and embedded anti-phishing training exercises. Specifically, our work analyzes the results of an 8-month randomized controlled experiment involving ten simulated phishing campaigns sent to over 19,500 employees at a large healthcare organization. Our results suggest that these efforts offer limited value. First, we find no significant relationship between whether users have recently completed cybersecurity awareness training and their likelihood of failing a phishing simulation. Second, when evaluating recipients of embedded phishing training, we find that the absolute difference in failure rates between trained and untrained users is extremely low across a variety of training content. Third, we observe that most users spend minimal time interacting with embedded phishing training material in-the-wild; and that for specific types of training content, users who receive and complete more instances of the training can have an increased likelihood of failing subsequent phishing simulations. Taken together, our results suggest that anti-phishing training programs, in their current and commonly deployed forms, are unlikely to offer significant practical value in reducing phishing risks.
- 8. PROFILE: He Investigates the Internet’s Most Vicious Hackers—From a Secret Location
Love him or hate him, Brian Krebs is the first major independent cybersecurity journalist and has had a huge impact on the industry and on cybercrime. It hasn't been easy for him, and that's what this writeup focuses on, in addition to his recent assistance in bringing the Snowflake hacker (Waifu) to justice.