PeakSpan Capital – Why We Partnered with Kenna Security
PeakSpan is thrilled to have partnered with the Kenna team and wanted to share what we saw and why we invested.
First, Kenna’s CEO wrote a great blog post here praising the company’s customers – we couldn’t agree more! We’ve spoken (literally) to hundreds of security companies over the last ten years – many of them extraordinary leaders in their fields – but we’ve never seen a security software platform experience such widespread adoption and consistent usage by non-security professionals (with the obvious exception of the “invisible” security tools like authentication, spam filtering, etc.). We were amazed to hear from each Kenna customer:
“Professionals in business groups outside of Infosec are using Kenna to do their jobs.”
Customers, partners, and other folks that know and use Kenna consistently pointed to the fact that Kenna’s value extends beyond the Infosec team and provides rich and actionable insights to the extended enterprise that should be concerned with risk. Professionals at Kenna’s customers, both across and up the organization, expressed downright enthusiasm for the tangible and palpable intelligence and peace of mind that Kenna brings to the table.
INFOSEC’S MACRO DILEMMA
Well-known to CISOs, a “Perfect Storm” has formed over the last decade (or more…) making life hard for Infosec:
Attack Surface Complexity – Constantly expanding and increasing in complexity – there’s a steady drumbeat of new areas to adopt and protect – cloud, virtualization, mobile, APIs, oh my!
Security Tool Overload – On average, large enterprises have over 70 distinct security tools in their kit and these tools are (rightfully so) “noisy” as they respond to actual or perceived exposure points.
Threat Growing in Intensity – $445 Billion annual cost, according to CNBC, fueled by state-sponsored attackers, hacktivists, criminal organizations, oh, and Hackers in it for the fun/notoriety.
Information Overload – So much data and so little time, an issue in almost every vertical today. The consequences of not keeping up in infosec are dangerous…
Security Staff Shortage – CRITICAL. How big? Forbes says 1M open positions in 2016.
“We’ve been trying to solve the Infosec problem with Infosec people and just Infosec tools.“
The VOLUME of data generated across the Attack Surface by the fragmented set of security tools is too big to keep pace with – we simply can’t remediate the vulnerabilities fast enough. VA scanners alone, like those from Qualys, Rapid7 and Tenable, can produce hundreds of thousands to millions of vulnerabilities with each scan, and it’s impossible to know which of these are the poison needles in the haystack. Some enterprises carry an average daily alert load of over 20 million events. The volume simply can’t be remediated – we’ll never catch up. And the problem gets worse because, in many cases, if the CISO team spots a chink in the enterprise ramparts, they can’t get access to correct the problem. Numerous discussions we’ve had with CISOs suggest:
“While Infosec may see 100% of the problem, they only directly touch 20% of the systems to be able to carry out remediation.“
This is obviously a huge issue. For decades, InfoSec teams have struggled through a tenuous relationship ACROSS the enterprise with other Business Groups – Sysadmins, Developers, DBAs, Network Admins, DevOps, etc.; the list goes on and on. The InfoSec team is either the bearer of bad news or is seen as constantly hitting peers over the head in these organizations to remediate a never-ending volume of vulnerabilities. Given technical complexity and the abstraction between security issues and the important business systems and processes they impact, it’s also historically been hard for InfoSec to clearly communicate UP the org stack to the C-Suite and Board in a language these groups can understand.
THE SOLUTION – RISK-BASED METHODOLOGY
A different approach is clearly needed and over the last several years a movement has been underway to adopt a “Risk-Based” methodology to vulnerability management.
“Not everyone understands Infosec, but everyone understands risk.“
While Risk-based information security management makes sense and represents a major leap forward in thinking, until recently the theory has been well ahead of the technology needed to support it. It isn’t solved by yet another security tool, but instead by the marriage of:
People + Process + Technology
Technology – Like any big data problem, it has only been in the last few years that we’ve solved the 3 Vs of volume, velocity, and variety.
People – BRIDGE THE GAP between InfoSec and IT Ops.
Process – Risk-based isn’t a “set it and forget it” device or piece of software (or, ahem, shelfware). It requires the marriage of software with people and workflow / methodology / process to drive awareness, adoption AND success across such a broad set of constituent groups within an organization.
KENNA SECURITY – ENABLER OF CHANGE
How does Kenna help? In discussions with customers, partners, and folks in the security ecosystem, we heard words like “Collaboration”, “Awareness”, “Accountability”, and “Motivation.” These are not buzzwords one typically hears bandied around the enterprise watercooler by InfoSec and IT Ops as they talk about remediation. It was clear to us that Kenna is enabling REAL change – the question is, how?
“Kenna unlocks value through the coordination of People + Process + Technology”
Kenna aggregates the massive volume of data generated by security tools about vulnerabilities WITHIN enterprise IT infrastructure AND CORRELATES it with external threat exploit intelligence data about where attackers are focusing their time – PRIORITIZING the highest-risk exploitable assets – you know, all those Windows 2003 servers that haven’t been patched yet (!). Instead of fighting RANDOM volume, Kenna’s customers FOCUS on the highest actual risks. This isn’t just volume, velocity and variety, but significant investments in prioritization, correlation, remediation workflows, and more.
Kenna breaks down barriers both horizontally and vertically.
HORIZONTALLY – Kenna’s prioritized results are fed through an absolutely beautiful interface (seriously, crazy UI/UX), and, more importantly, a dead-simple workflow of i) what the vulnerability is, ii) how to fix it, and iii) where to find patches, etc. – all of which can be delivered through ticketing connectors like ServiceNow and Jira.
Ok, so Kenna remediates, but is risk lower? Users can see the impact of their efforts through highly-refined algorithms, translated into risk scores that measure the impact of the changes on the overall risk posture of that group, device, organization, etc. Kenna’s customers have graduated from seeing Infosec as a stick to seeing it as a collaborator and partner. Business units outside of Infosec even log in of their own accord to help streamline their responsibilities – not confined just to remediating real “Risk” to the enterprise, but doing their jobs more efficiently and in a more rewarding way.
VERTICALLY – Kenna’s elegant Risk Meters and reporting enable Infosec to communicate its messaging in a more digestible and quantifiable manner to the C-suite and Board. This communication is a logical extension of the workflow carried out across the enterprise, enabling the coordination of the discussion around “information security” and “risk” in a common format that everyone can understand, and enabling more timely and informed decision-making on important Infosec-related matters.
Kenna has invested deeply in Customer Success. Kenna LOVES their customers, and customers are feeling it. Kenna is a true THOUGHT PARTNER to their customers on the journey to a Risk-Based methodology. Kenna is “productizing” the customer engagement model so that as the company expands beyond the Early Adopters, it will be supremely positioned to assist customers in executing this shift.
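To make the aggregate-correlate-prioritize loop and the per-group risk meters described above concrete, here is a small worked example in Python. It is added for this post and is not Kenna’s code; it does not reproduce Kenna’s scoring algorithm. The scanner findings, the exploit-intelligence feed, the CVE identifiers (placeholders) and the weights are all constructed for illustration. It shows the three steps in order: deduplicating the same weakness reported by several scanners, weighting each finding by what attackers are actually exploiting rather than by CVSS alone, and rolling the results up into a per-group meter that drops when a fix lands.

```python
"""Risk-based vulnerability prioritization, end to end (added example).

Not Kenna Security's code or scoring model. Findings, intel feed, CVE
placeholders and weights below are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample findings, as three different scanners might report them.
# The same (host, cve) pair reported twice is the classic duplicate that
# inflates raw scanner volume.
FINDINGS = [
    {"scanner": "scannerA", "host": "web01", "group": "web", "cve": "CVE-EXAMPLE-0001", "cvss": 9.8},
    {"scanner": "scannerB", "host": "web01", "group": "web", "cve": "CVE-EXAMPLE-0001", "cvss": 9.8},
    {"scanner": "scannerA", "host": "db01", "group": "db", "cve": "CVE-EXAMPLE-0002", "cvss": 7.5},
    {"scanner": "scannerC", "host": "legacy01", "group": "legacy", "cve": "CVE-EXAMPLE-0003", "cvss": 6.5},
    {"scanner": "scannerC", "host": "web02", "group": "web", "cve": "CVE-EXAMPLE-0004", "cvss": 9.1},
]

# Constructed exploit-intelligence feed: which CVEs have a public exploit
# and which are seen in active exploitation. Absent CVEs have no known exploit.
EXPLOIT_INTEL = {
    "CVE-EXAMPLE-0001": {"public_exploit": True, "active_exploitation": False},
    "CVE-EXAMPLE-0003": {"public_exploit": True, "active_exploitation": True},
}


@dataclass
class Vuln:
    host: str
    group: str
    cve: str
    cvss: float
    scanners: list = field(default_factory=list)
    score: float = 0.0


def aggregate(findings):
    """Merge raw scanner rows into one record per (host, cve), keeping the
    highest CVSS seen and the list of scanners that reported it."""
    merged = {}
    for f in findings:
        key = (f["host"], f["cve"])
        v = merged.setdefault(key, Vuln(f["host"], f["group"], f["cve"], f["cvss"]))
        v.cvss = max(v.cvss, f["cvss"])
        if f["scanner"] not in v.scanners:
            v.scanners.append(f["scanner"])
    return list(merged.values())


def exploit_factor(cve, intel):
    """Constructed weights: active exploitation outranks a public exploit,
    which outranks a CVE nobody is known to be exploiting."""
    info = intel.get(cve)
    if info is None:
        return 0.3
    if info["active_exploitation"]:
        return 1.0
    if info["public_exploit"]:
        return 0.6
    return 0.3


def risk_score(v, intel):
    """Scale CVSS (0-10) to 0-100 and weight it by exploit intelligence."""
    return round(v.cvss * 10 * exploit_factor(v.cve, intel), 1)


def prioritize(findings, intel):
    """Aggregate, score and rank: highest risk first, ties broken by name."""
    vulns = aggregate(findings)
    for v in vulns:
        v.score = risk_score(v, intel)
    return sorted(vulns, key=lambda v: (-v.score, v.host, v.cve))


def risk_meters(findings, intel):
    """Per-group meter: the worst open finding in that group (0 if none)."""
    meters = defaultdict(float)
    for v in prioritize(findings, intel):
        meters[v.group] = max(meters[v.group], v.score)
    return dict(meters)


def remediate(findings, host, cve):
    """Simulate a fix landing: drop that finding from the working set."""
    return [f for f in findings if not (f["host"] == host and f["cve"] == cve)]


def to_ticket(v):
    """Minimal payload a ticketing connector might carry (constructed shape)."""
    return {
        "summary": f"[risk {v.score:.1f}] {v.cve} on {v.host}",
        "group": v.group,
        "priority": "P1" if v.score >= 60 else "P2" if v.score >= 40 else "P3",
        "evidence": v.scanners,
    }


if __name__ == "__main__":
    for v in prioritize(FINDINGS, EXPLOIT_INTEL):
        print(to_ticket(v))
    print("meters before:", risk_meters(FINDINGS, EXPLOIT_INTEL))
    fixed = remediate(FINDINGS, "web01", "CVE-EXAMPLE-0001")
    print("meters after fixing web01:", risk_meters(fixed, EXPLOIT_INTEL))
```

The point the ranking makes is the one the post makes: the CVSS 6.5 finding on `legacy01` outranks the CVSS 9.8 finding on `web01` because it is the one attackers are actively exploiting, and the web group’s meter falls from 58.8 to 27.3 once the `web01` fix lands, which is the feedback a business unit sees for its own effort.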
Security isn’t an InfoSec problem, it’s a Business problem, and as a result must be solved by Business Groups working together as one. Kenna is an enabler of change – and we’re excited to be their partners on this journey.