The toughest decisions CISOs have to make, MCP servers, Napster’s comeback – ESW #400
In this week's enterprise security news,
- Big funding for Island
- Is DLP finally getting disrupted? By something that works?
- We learn all about Model Context Protocol servers
- Integrating SSO and SSH!
- Do we have too many cybersecurity regulations?
- Toxic cybersecurity workplaces
- Napster makes a comeback
- This week, we've got 50% less AI and 50% more co-hosts
All that and more, on this episode of Enterprise Security Weekly.
Announcements
I'll be running a panelcast with Fastly, titled Security Without Speed Bumps: Using WAF Simulator to Transform DevSecOps Workflows. Join me for this exciting webcast on April 16th. To register for this panelcast, go to securityweekly.com/WAF
- 1. FUNDING: Courtesy of the Security, Funded newsletter, issue #186 – GWiz II (This Time it’s Personal)
The vibe check, as always, is thought-provoking! Last week, Mike asked, "as a security leader, what's the toughest decision you have to make?"
The results were close, which is not surprising - CISOs have to make a LOT of tough decisions. On top was "Balancing security and business needs", followed by "Adopting new tech vs reducing complexity" and then "when to push back on leadership". Notably, a distant fourth was "deciding where to invest budget", which also makes sense - there's no lack of options for using budget with > 4000 product and service vendors out there (not to mention staff training options, certs, etc)!
Funding for this week:
- Island secures $250M as valuation continues to soar to nearly $5B. By far, the largest funding is Island's series E, which didn't make this issue of Security, Funded because it happened just a day or two after it was published.
- VulnCheck, a threat/vuln/exploit intelligence platform, raised a $12M Series A from Ten Eleven Ventures.
- Orion Security raised a $6M Seed from FXP and PICO Venture Partners. This one is interesting - most of the DSPM vendors have been acquired or have reached late-stage rounds - but this isn't DSPM. Orion is labeling itself as DLP 2.0, a label I once jokingly applied to DSPM vendors. It makes sense - I recently heard someone describe DLP as "the single biggest disappointment" they've ever seen in the cybersecurity market. DSPM discovered and classified data, but didn't attempt to protect against misuse or exfiltration. There will be some overlap for sure (classification is always necessary), but my fingers are crossed for DLP that doesn't suck, for once. NO PRESSURE, ORION ;)
- HITRUST raised an undisclosed private equity round from Brighton Park Capital. At this stage (HITRUST is nearly 20 years old), deals like this are often acquisitions, but there's no mention of the amount of equity Brighton got for its investment.
- 2. ACQUISITIONS: W is for Wiz: Alphabet’s Audacious Acquisition
A very well put together analysis of the Google/Wiz deal. It's a remarkable deal in so many ways:
- Fastest security vendor to $100M
- Fastest to become a unicorn
- First security startup to break a $10M valuation
- First to turn down an acquisition offer of > $20 Billion
- First to accept an acquisition offer > $30 Billion
- Highest multiple on a security deal ever (nearly 46x)
And those are just the acquisition target and deal details!
Cole Grolmus goes much deeper into the real meat of the conversation: the deal rationale.
- 3. NEW PRODUCTS: Build and deploy Remote Model Context Protocol (MCP) servers to Cloudflare
TIL what an MCP server was. It sounds like they're recommending making these accessible to the public Internet, so this is potentially new attack surface practitioners need to be aware of!
From Ayman - some MCP rabbit holes:
- 4. VULNERABILITIES: Ingress-nginx CVE-2025-1974: What You Need to Know
Along with MCP servers, this is the first I've heard of ingress controllers - I don't have any large-scale experience with container tech. Based on what I can gather, these should not be exposed to the public Internet, but should sit at least one hop back, behind load balancers.
However, I'm not certain whether these vulnerabilities can be indirectly exploited, since the controllers are still handling input that originates from the public Internet - much like Log4Shell and blind SQL injection were able to reach components the attacker couldn't directly access.
Wiz discovered these four vulnerabilities, and their writeup can be found here.
- 5. OPEN SOURCE: Open-sourcing OpenPubkey SSH (OPKSSH): integrating single sign-on with SSH
A step in the right direction for centralizing IAM governance and management!
- 6. REGULATION: Regulatory Harm or Harmonization? Examining the Opportunity to Improve the Cyber Regulatory Regime – Committee on Homeland Security
I don't usually get into regulation, but there's a lot going on with this new administration. This hearing discussed streamlining regulations requiring incident reporting. I didn't get through all the testimony, but I was concerned that things like filing a SAR were considered duplicative alongside reporting a data breach to the SEC. To be fair, there were many examples where reporting overlaps were high, even 100% (filing the same report twice to the same agency). Often, the duplication was similar or identical reports going to multiple agencies, each of which wants them for different reasons.
The interest I have in all this is that detailed incident reports don't make their way to the general public, so there are a lot of lessons learned that, as an industry, we can't learn/build/grow from. Here's hoping some good comes out of all this.
- 7. ESSAYS: Toxic Cybersecurity Workplaces: How to Identify Them and Fix Them
A great roll-up of many layer 8 and other people-centric issues in security teams.
- 8. SQUIRREL: Napster makes $207M comeback
Where have I heard of this company before?