I chose my position with the Zerocopter team last year very consciously, because I believe that our industry requires a higher perspective - beyond commercial thinking, beyond ego, P&Ls, buildings, brands, and profitability. Don't get me wrong, I know our industry still leans largely on the private domain, and thus on economically driven entities. But this introduces a potentially unhealthy intrinsic motivation, where the primary focus lies on the health of the companies rather than on the global balance of cyber criminality.
These commercial entities provide security solutions to customers who are overwhelmed by the fast-paced and complex nature of this era. High costs, combined with solution uncertainty on the buyer's side, create an ethical challenge for our domain: What if we can make money by selling the illusion of control? What if your competitor's solution is, in fact, a better fit? And what if this actually introduces a fresh attack surface for criminals? Do we think about money or security?
For years I have been putting a lot of effort into the aspects of 'real security'. I am driven by my inner belief that we should help buyers with clarity and honesty on what can be controlled and what cannot. We should make sure we have the real talk on risks, without thinking of bonuses, margins, and being an economic winner, but rather focusing on growing a healthy interconnected world.
It is interesting how competition is viewed, both by ourselves and by the buyers, in the security industry. Strict procurement processes have led us into a race to the bottom. Where security value should be leading, the systematic hunt for the lowest price is killing the industry. This race to the bottom might sound like a normal evolutionary progression of market forces, but is this acceptable for an industry that strives for a healthy, balanced, digital, globally connected world?
Two years ago, I did a small study based on my hypothesis: what if we structured all security providers in the Netherlands into a defense stack? This would mean placing high-end security value (complex and unstructured) at one end and the providers who offer stable, proven, scalable solutions at the other end. Would we actually cover all the bases? Are all our lines of defense handled?
The main findings of this exercise were shocking to me:
- We only cover 10%* of the market needs with all providers (calculating with a benchmark of the target operating model of the company I worked for at that time);
- The vision has to go beyond profitability, otherwise most providers focus on reaching for the scalable business, leaving many wide open gaps in our line of defense.
So the question remains: why do we still treat each other like competitors instead of understanding the real challenge we are facing?
Moreover, when we add the growing lack of capacity in both skills and expertise in our domain, it becomes clear that there is a pressing need for a larger vision, carried by people who can look beyond their own parameters. This blog is not about providing solutions, but about exploring the solution space.
Zerocopter has been cultivating a network of screened hackers for years now. The highest driver for most of them is security value, even to the level of 'no cure, no pay' offerings. What makes this way of working unique to me?
The hacker network is an open ecosystem, and trust is built by delivering quality, or by the willingness to invest, cooperate and learn. No one is owned by a label or company, which introduces a natural challenge for the Zerocopter team: to be interesting enough for people to join us. And we love a challenge!
In an open setting, where curiosity thrives, innovation and creation flourish. Security is a typical domain in need of a rich basis of ideas to ensure that we can still provide intact defense mechanisms for our common future.
I feel very privileged to be part of this, hoping we can unleash all potential within this network. No matter which company or label we represent, our ultimate goal is to achieve a healthy and secure balance for our ever-evolving interconnected world.
Written by: Renza Gruter
*The 10% calculation was based on Gartner's statement from 2018: half of all organizations will use MDR services in 2025. Wanting to understand these numbers, I mapped 50% of all organizations in the Netherlands to a benchmark based on the operational/delivery numbers of the security provider I worked for at that time (which of course is not fully representative). But even if more thorough research would result in 25% coverage.
Written by Zerocopter
May 4, 2023