The path to innovation in security
In our recently published Security Perspectives Survey, we found that only 48% of enterprise security leaders said that their threat defenses are effective. Phishing attacks are up, more cloud services are getting compromised, and CISOs are having a tough time finding the right expertise for their teams.
We weren’t surprised by this finding, and realistically, we’re expecting the road ahead to keep getting tougher as attacks become increasingly more sophisticated, particularly with attackers leveraging the latest in AI. So what’s it going to take to get ahead of the challenge?
It’s the same story every year
As my colleague Ariel Tselin has eloquently framed the greater context, “the shift to the cloud has been a long journey” and, as employees have continued to leverage services beyond the traditional perimeter, enterprises are faced with an increasingly complex landscape to protect.
With attack surfaces continuing to expand, what does security innovation practically look like? Admittedly, we as investors are always seeking to answer this question and help grow the next generation of solutions so that operators can continue focusing on the never-ending battle with bad actors.
Bringing new solutions to everlasting problems
Thinking through what innovation could look like in security, there are many dots to connect. Diving deep on the cutting-edge of security technology and intimately understanding the pain points within the industry is an exciting and challenging mandate, which is part of what brought me to Scale back in January 2023. Scale’s approach to deep industry research and thought leadership in areas such as cybersecurity, AI/ML, and robotics is really what made me excited to join the firm.
In Scale’s 2023 Cybersecurity Perspectives Survey, 79% of respondents said that AI/ML will be “important” or “extremely important” to improve their security posture by 2024. At the same time, 68% were also worried that employees would upload sensitive data to ChatGPT and 49% that threat actors would poison AI/ML models.
It’s clear that many enterprises are at the earliest stages of defining their AI security posture. Many organizations are grappling with the details of implementing production-level AI and are still building out the full set of safety and security requirements that go along with those systems. Although AI-specific cyberattacks have not yet flooded headlines, enterprises are keenly aware that they must be proactive when it comes to AI security, particularly if AI solutions are being used to drive key business decisions.
Here are some of the themes that are coming up in our discussions here at Scale — that interest me, in particular:
- Machine Learning Security: This is a broad category that encompasses a few different streams of thought. One area of interest is securing Machine Learning assets themselves from potential attacks that are specific to the ML workflow. Examples include adversarial attacks or data poisoning. In addition, there is a growing area of LLM-specific security which can encompass capabilities like LLM proxy layers and firewalls to data leakage prevention (DLP). The topic of machine learning security is evolving quickly, both on the demand side and the solutions side.
- AI Governance: In a very adjacent area to ML Security, there has been a recent explosion in the discussions around AI Governance, particularly with respect to ensuring trustworthy and responsible AI. Regulations focused on AI, such as the EU AI Act, have come to the forefront of discussions on AI. As a result, enterprises are keen to ensure an understanding of how their model aligns with both external regulations as well as internal policies. Even further, organizations are looking to platforms to assist with building out compliant models from the start.
- Software supply chain security: As enterprises increasingly leverage third-party and open-source software tools for development – many of which are cloud-based – a growing concern is that these uncontrolled software packages and tools can introduce security vulnerabilities that are difficult to detect and mitigate. After many high-profile supply chain attacks (e.g. SolarWinds, Circle CI, etc.), it is becoming increasingly understood that the conventional and popular methods of standard code scanning are insufficient. Ensuring security across the software supply chain, without overwhelming security teams, has been a top priority for many enterprises with a sophisticated understanding of their application security needs.
Across the security stack, there are a lot of opportunities for automation to replace manual processes, something the survey already surfaced a few years ago. The order of priority will depend on strategic goals. For instance, in Scale’s 2023 Cybersecurity Perspectives Survey, we noticed that a lot of professionals are doubling down on the fundamentals of identity and access management.
At every step in technological advancement, we’ve seen that the acceleration of technology has been a double-edged sword where attackers are eager to leverage the latest capabilities to create more sophisticated threats. Although this might seem discouraging at first, we find that this creates massive opportunities for new organizations to build impactful products that can help secure the world. This ever-evolving security landscape tied with the accelerating pace of innovation keeps us excited to continue our work of supporting the next generation of security leaders by doing our own research and staying in touch with the community. If our report or our follow-up analyses resonate with you as a buyer or a builder, don’t hesitate to reach out – we’re always happy to learn from the people working in the space and see how we can be partners in building this secure future.
Originally published August 24, 2023.