Cybersecurity has come a long way over the past 20 years. The advent and spread of the commercial internet—along with all the innovations that have followed since, from cloud computing and social media to machine learning and real-time analytics—has transformed our relationship with data. More to the point, the amount of sensitive data that is sliced and diced, passed back and forth, and stored on far-flung servers has skyrocketed.
This has resulted in data becoming an increasingly valuable, sought-after commodity, raising the stakes for cybersecurity professionals. With no end to this trend in sight, security professionals can expect to play an ever-more-important role in building brands and supporting the customer experience.
In that context, the perspectives of someone who's been on the front lines of pretty much every aspect of security in the 21st century take on added importance. Our CISO Speaks series of Q&A interviews seemed the ideal forum for sharing one such set of perspectives.
Jay Leek is managing partner and co-founder of ClearSky Security, a venture fund focused on early- and growth-stage security investments. Leek also happens to be the former CISO at The Blackstone Group, and before that, he headed up global security for Equifax and Nokia. At Blackstone, he also worked closely with the firm's cybersecurity portfolio companies, and he continues to serve as co-leader of Blackstone's portfolio company CISO community.
Not surprisingly given his background, Leek has a lot of thoughts about the current state of cybersecurity, what makes a good security investment, which technology innovations are worth paying close attention to, and where cybersecurity is headed. What follows is a lightly edited transcript of my recent email interview with him.
Q: As a former CISO, how strongly do you equate good cybersecurity and privacy practices with good business, and why? What does effective cybersecurity say about a business?
A: Having good cyber and privacy hygiene is critical to building trust in any business today. While many breaches and incidents were easily swept under the rug or not understood by the average consumer or business partner 10 years ago, everyone has a heightened awareness about this today, and it is a very sensitive issue to most. So companies are absolutely being held to higher security and privacy standards today, and I expect this will only continue and increase, especially as security and privacy are increasingly becoming more prominent in organizations' efforts to ensure they are being socially conscious through adherence to environmental, social and governance (ESG) criteria.
Q: How can CISOs strike the perfect balance between supporting and enabling the business and ensuring that data and applications are protected by a strong cybersecurity program?
A: Security is not about being perfect or the best; it is about striking the balance between protecting the business and being user friendly and enabling the business too. A wise security professional once told me that “Without security there would be no business, but without the business there would be no need for security. We must find the medium.” This was in 2000, and I have spent the past 20 years of my career doing just that. A constant striving to continuously adapt, improve and change is necessary to ensure that proper balance.
Q: What are you looking for when vetting cybersecurity or privacy investment opportunities?
A: While this may sound like an episode of "Silicon Valley," the first thing I always look for is the 3 Ts: team, technology and TAM (Total Addressable Market). I cannot tell you what numbers two and three are in terms of priority, but I can tell you that the team is definitely number one. A good team can fail, iterate, iterate, fail, iterate, fail, fail and then succeed. This is key to any successful startup. The only thing I can predict about a startup is that things will not go as planned. However, a good team will adapt and overcome the unplanned events.
Q: How do you anticipate AI and data analytics and their offshoots pushing cybersecurity forward in the coming years?
A: Well, to begin with, I do not think that any security or privacy solution today is actually using AI. However, both the good guys and bad guys are definitely using machine learning and various forms of analytics, and I think we are just starting to scratch the surface of what is to come. We have met with over 1,700 security startups since we started ClearSky Security in 2017, and almost all, if not all of them, talked about their AI, ML or analytics capabilities. That being said, when you peeled back the onion a bit, I would argue that only a single-digit percentage of those companies provided better security or privacy through those capabilities. However, I fully expect that to change over the coming years, and I believe we are on the precipice of massive change and evolution, but so are our adversaries. It will be interesting to see how this all plays out.
Q: What perspectives do you bring as a former CISO when advising the cybersecurity companies in your portfolio? To what extent does that background help those startups better match their products to customers' needs?
A: The most significant differentiator is that we bring the voice of the customer into the boardroom. We are able to significantly contribute to the product strategy, roadmap and go-to-market, and we are able to help identify friction points in the sales and (technical and non-technical) deployment processes. Don’t get me wrong, I learn something new every day, but I have also seen a lot through the deployment of about $250 million worth of security technologies. Through this comes a lot of learning and scar tissue. So we can help our companies avoid many mistakes that we've experienced firsthand, and many of these have nothing to do with security. In fact, some of the most significant friction points that cause security deployments to stall come down to how they integrate with things like infrastructure, DevOps, compliance and human resources. We can help our companies navigate through this.
Q: Bringing together all the threads of your background, what do you see as the most important trends in cybersecurity (and privacy) in the coming years?
A: The lack of qualified security professionals will continue to be a major challenge for all. As a result, there will be an increased focus on automation, not just within the security operations center but across the entire security (and privacy) program. For the rest of our careers, companies who are not born in the cloud will likely remain hybrid by design. This will continue to drive even more complexity across security programs, and valuable results from ML and analytics (and maybe AI) will become more prevalent.