The need for cybersecurity is a given at this point. Organizations of all sizes and across all industries understand that they are essentially under siege from cyber threats and that they need to have tools and processes in place to defend themselves. To allow organizations to get the right tools or the best tools for the job, we need to level the playing field and democratize cybersecurity.
There is a wide variety of cybersecurity solutions in the market offered by vendors of all sizes. The challenge, though, is getting the right combination of tools when the big players in the cybersecurity market are pushing bundled products composed largely of mediocre solutions.
Meet Banyan Security
I spoke with Tarun Desikan, COO and co-founder of Banyan Security, during the RSA Conference last week about this issue. Banyan Security is a smaller vendor that provides zero-trust remote access solutions for customers—enabling employees, developers, and third parties to remotely access on-premises, hybrid, and multi-cloud infrastructure and applications without the need to rely on legacy VPNs.
Banyan Security raised $30 million in B-round financing earlier this year—bringing total investment in the company to $47 million as momentum increases around the concept of zero trust. Den Jones, CSO of Banyan Security, joined me on the TechSpective Podcast to talk about zero trust security and share more about how they approach zero trust at Banyan Security.
Democratizing Cyber Threats
One of the things that Desikan and I discussed is the current threat landscape. Historically, most companies have not considered nation-state adversaries to be a direct threat. While US government agencies or companies in the military-industrial complex or critical infrastructure might be concerned about nation-state threat actors, a small dry-cleaning chain in Nebraska assumed they weren’t a target worthy of the attention of Russia, China, or other nation-state adversaries. However, that is no longer true.
For one thing, the line between nation-state adversaries and cybercriminal threat actors has eroded. With Russia and China, in particular, it is increasingly difficult to say with any certainty where cybercrime ends and cyber espionage begins.
The other factor is that the threat landscape has become more democratized. Threat actors understand that there is a “six degrees of separation” aspect to attacks. They don’t have to attack a government agency or military contractor directly. They can instead go after the low-hanging fruit and compromise smaller, less well-defended businesses, which enables them to eventually exploit trust relationships to get to the larger, more valuable targets.
Cybersecurity Suffers from ‘Cable TV Syndrome’
To address the democratized threat landscape, we also need to democratize cybersecurity. The industry needs to adopt the mantra of Liberty Insurance and only sell customers what they really need. Unfortunately, larger cybersecurity vendors seem to be going the other direction and suffer from “cable TV syndrome.”
Cable TV providers sell packages of hundreds of channels and market them as a benefit. You get 185 channels for only $60 a month! The problem is that only a handful of those channels are consistently producing great content. The vast majority are filled with mediocre content at best, and buying the bundle means that you are also paying to subsidize channels you would rather not support. For example, I don’t want a penny of my money going to Fox News under any circumstances, but it is difficult to separate junk channels from the channels you actually want given the way TV content is packaged and sold.
The bundling of cybersecurity tools creates a similar challenge. Many vendors merge products and services together into packages that ostensibly offer greater value for customers, but in effect paint them into a corner at the same time.
Microsoft stands out in this regard. Microsoft offers a wide range of cybersecurity solutions. Some of them are very good—possibly best-of-breed—solutions. Others, however, are mediocre. They are good enough to allow an organization to check a box and say they have that tool in place, but they don’t really provide the protection an organization needs. They let you be compliant, but not necessarily secure.
I talked about some of the challenges with the way Microsoft bundles and sells its cybersecurity solutions with Michael Farnum, CTO of Set Solutions, on a recent TechSpective Podcast. Farnum described scenarios where the IT security team recognized gaps in their protection and wanted to implement better tools, but were unable to get budget approved. From the perspective of the CFO or whoever controls the money, it doesn’t make sense to spend money on a “redundant” tool when you’re already paying for something similar from Microsoft—even if it is not as good.
The bundling of tools also makes it more difficult for smaller cybersecurity vendors to gain traction. Desikan explained, “Most startups, by the nature of how we start, we pick one piece of the puzzle. We go and target and build for that. Democratizing security—part of that is unbundling security as well.”
Desikan stressed that cybersecurity needs to be unbundled so customers can buy just the features they need rather than paying for tools they don’t want or need, or accepting inferior versions of tools they do want or need just because they are part of a bundled package.
For now, Banyan Security is doing its part by offering a free version of its product—freeing customers to test it out without having to worry about the “cable TV syndrome” or paying for redundant tools. Customers can deploy the Team Edition of the Banyan Security Zero Trust Network Access (ZTNA) platform for up to 20 users at no cost.