Cloud Control: Q&A with Kymberlee Price, Founder and CEO of Zatik Security on Cybersecurity Challenges faced by SMBs

January 23, 2024

Want weekly newsletters featuring interviews with security and cloud leaders delivered right to your inbox? Sign up for Cloud Control here.

‍

Kymberlee Price, Founder and CEO of Zatik Security on Cybersecurity Challenges faced by SMBs

Get a front row seat to a front row seat to what it looks like to work with cybersecurity SMBs. In this week's edition of Cloud Control, we have a conversation with Kymberlee Price, Founder and CEO of Zatik Security. Learn practical solutions tailored for small and medium-sized businesses from the best in the game. Read on below 👇

Question 1 💭

Can you share a bit about your journey in the cybersecurity industry, from starting a security researcher outreach program to founding Zatik? What are you most focused on currently?

Answer 1 🎯

In my career, I’ve cleaned up a lot of messes. Now I want to focus on preventing them.

I started in 2003 at the Microsoft Security Response Center. I had a background in behavioral psychology, which gave me a unique skillset to ease tension between Microsoft and security researchers. In the past 20 years, I have worked different security roles including vulnerability response and open source and supply chain security strategy, but I found that all security solutions require collaboration built on trust and respect. Just as I was building trust with security researchers and product engineers then, I am now building trust with small and medium-sized organizations looking to invest in security, by breaking down the toxic stereotypes of security teams as the House of No, always making unreasonable demands of engineering teams.

I believe we can do better and create an effective secure by design culture if we get involved earlier in a company’s maturity curve and create a great developer user experience. I also believe we can do more to help small and medium sized companies access experienced security expertise to help guide them early in their development journey, to make sure they minimize technical debt and protect their customers and brand from the outset.

Question 2 💭

Zatik Security provides top-tier guidance for small to medium businesses. Can you share insights into the approach Zatik takes to address the unique cybersecurity challenges faced by companies outside the Fortune 100? What are organizations often missing, not prioritizing correctly, or forgetting?

Answer 2 🎯

I have heard jokes made about how shipping secure products can be perceived as a zero-sum game where “You can ship. Or you can be secure. You pick.” But it’s not all or nothing.

I have heard jokes made about how shipping secure products can be perceived as a zero-sum game where “You can ship. Or you can be secure. You pick.” But it’s not all or nothing.

As many small companies are growing, they’re mainly focused on getting things up and running and delivering their product so they can acquire customers. This totally makes sense. As these companies mature they know they need to start investing in a security program but often don’t know where to start. Sometimes their best resources are search results, or they’re relying on friends at other companies to share their security recommendations. That’s not a great way to build an effective security program, but with the experienced talent shortage in security, they may not feel like they have any other options. Maybe their primary security goal is reducing risk to protect existing customers, maybe it’s getting a compliance certification like SOC2, maybe it’s customer acquisition and reducing friction in the sales pipeline… Most companies need guidance tailored to their business goals, and that’s where Zatik can help.

Question 3 💭

Competing for security talent is a common struggle. How does Zatik Security tackle this challenge, and what does delivering world-class security guidance look like?

Answer 3 🎯

First, I have to say that I keep hearing there’s a talent shortage, and that’s just not true. I have seen entry level job postings get up to a thousand job applicants in a week. So it’s not about the lack of talent. There is a lack of experienced talent due to rapidly accelerating demand, and simultaneously a lack of opportunities for early in career professionals to get experience and relieve that pressure. To address these security staffing challenges, the industry needs to do a better job of onboarding new people. Zatik is committed to training people who want experience.

Zatik’s approach to delivering guidance is to offer a fractional expert approach - we have experts in nearly every field of product security - cloud, infrastructure, mobile, hardware, software design and architecture, Security Development Lifecycle (SDL)… and for the specialties we don’t do in house, we have a network of trusted partners we can refer clients to. Our goal is to help companies get up and running with an effective security engineering program so they don’t need us anymore. We start by evaluating existing technology, controls, processes and people to do a security posture gap analysis, providing clients with a pragmatic 18-24 month roadmap to achieve their goals. We can help with fractional staffing for execution if the client wants, but some just want to know they’re headed in the right direction and have a clear map of where they’re going and what they need to get there. In either case, they don’t need multiple speciality experts full-time, so Zatik’s model offers a cost effective way to tap into just the capabilities a company needs, when they need them.

Question 4 💭

Zatik Security is actively involved in training the next generation of security leaders. What specific skillsets and qualities do you believe future cybersecurity professionals should hone to become leaders in the industry?

Answer 4 🎯

We believe it’s critical that the people with experience train the next generation. There are people who are eager to learn and they’re just looking for the opportunity. The security ecosystem is incredibly diverse and there are roles for people who write code and those who don’t. So the first step is to seek out diverse skillsets and perspectives and nurture them in security teams.

Once you’re in the field and looking to grow as a leader, being deeply technical and competent at execution is not enough. The problems leaders are tasked with solving are big and complicated, and cannot be solved by a single person at a keyboard. Leadership requires the ability to think about the big picture and understand the business impact as well as the technical impact. It also requires excellent collaboration and communication skills, to influence and lead others without direct authority as their manager.

To become a CISO (chief information security officer), VP of Security, Senior Director, Architect, or Staff Engineer, you will be expected to speak the language of the business and understand business objectives outside of security. For example, you will want to understand go-to-market strategies, which customer segments generate the most revenue, what features are most popular (or generate the most support tickets) and why, what regions or customer verticals are growing or declining... It’s not just about the technical risks, but also the business risks. These are all important things to learn as security professionals grow in their careers.

Question 5 💭

For smaller companies, building a security program can be challenging. What’s your approach when working with smaller security teams? How do you manage where resources should be allocated?

Answer 5 🎯

Zatik specializes in advising small and medium-sized businesses, and we focus on what’s going to have the most impact. First, I want to make sure they start with basic hygiene. I want to make sure they have the fundamentals like strong passwords and multi-factor authentication (MFA), as well as identity access controls. Those are going to have the most immediate impact. We also look at what security options they may already have in existing tools and services, but might not be using that they could enable for a no-cost quick win. These are some pragmatic practices that can really help improve the security for small and medium-sized companies. Building up from the basics, we have a series of building block components we outline for companies so they don’t try building a roof before they have walls, that also take account of their needs. We make sure to prioritize for incremental growth since we know not everything can be done simultaneously.

We also look at what security options they may already have in existing tools and services, but might not be using that they could enable for a no-cost quick win. These are some pragmatic practices that can really help improve the security for small and medium-sized companies.

Question 6 💭

Having been involved in starting the first security researcher outreach program, how do you see the landscape of security researcher engagement evolving in the future? What trends or changes in dynamics should organizations be prepared for? How has security researcher outreach evolved alongside emerging trends in cloud, AI, etc?

Answer 6 🎯

Researcher outreach is a big investment that can have tremendous business impact to both reduce customer risk and improve brand reputation. And a successful security researcher outreach program comes down to building collaborative goodwill. Some community managers are all about sentiment analysis and some use Net Promoter Score (NPS) to evaluate success, but researchers are not a revenue source; they’re not buying from you. Working with researchers is a lot like DevRel in that it’s a little customer success and it’s a little customer support.

One of the biggest challenges I see for researcher outreach programs is that many companies make the mistake of decreasing their investment in community programs once things get to a good state… at which point things start going badly again. Another mistake I see is in staffing - just because someone has friends and is good with people doesn’t mean they’re qualified to run a community program. Like curriculum development or constitutional law, community management is a skilled tradecraft that is best done by individuals who have specialized training in behavior modification, gamification, and sociology or psychology.

Question 7 💭

Open Source Security has been a focal point throughout your career. How do you see this strategy evolving? Are there emerging practices or trends that organizations should be aware of, and how can they better integrate security into open-source initiatives?

Answer 7 🎯

Because Open Source Security is community driven, maintainers don’t always want or need money or endowments from big vendors that use their code, what they need is time. They need developers to upstream fixes and to take an active role in maintaining the open source libraries. OpenSSF is doing a lot of great work to do both - channeling funding from vendors to improve open source projects and staffing initiatives like the Alpha Omega project.

For companies that use open source software in their products, they’ve got a substantial challenge in front of them to stay on top of keeping all their dependencies up to date. I find myself frequently encouraging companies to use GitHub Advanced Security (GHAS), which offers solutions right in the developer pipeline, which is great UX for developers. Dependabot in GitHub helps reduce friction by keeping things up to date, there is secret scanning, vulnerability scanning… all before security issues ever get into production.

Question 8 💭

Cybersecurity threats are increasingly dynamic. How do you see security operations evolving to address future challenges? Are there specific technologies, methodologies, or approaches that you believe will play a role in enhancing an organization's ability to detect, respond to, and mitigate emerging threats?

Answer 8 🎯

Big companies with big security teams are investing in their Security Operations Centers (SOC) capabilities, including 24/7 response operations and leveraging automation to accelerate their response. But then you look at smaller organizations that can’t afford big internal security teams. They aren’t going to have their own 24/7 response teams looking for intruders in their network. Who’s helping the small companies?

Similar to fractional product security we offer, MDR solutions are great for small companies as they enable “talent sharing” in a vendor SOC that services multiple customers. Given the increasing need for incident detection and response, I think we will see this market continue to grow.

Small companies are looking for pragmatic solutions, and Managed Detection & Response companies are often filling that need. Similar to fractional product security we offer, MDR solutions are great for small companies as they enable “talent sharing” in a vendor SOC that services multiple customers. Given the increasing need for incident detection and response, I think we will see this market continue to grow.

Question 9 💭

You speak at many conferences across the globe. How can professionals and organizations in the cybersecurity space better collaborate with one another? Do we need to be more collaborative in any particular area? How can we create a more interconnected (and global) cybersecurity community?

Answer 9 🎯

Security conferences are phenomenal for building trust and expanding our trust networks. You start having conversations that aren’t limited to what can be typed out on a screen but include tone, nuance, and enable authentic interpersonal trust to form. Security conferences are in many ways the information watering hole where people gather and have discussions that set off creative sparks for new research.

At the same time, security conferences can also be an echo chamber. It’s important that security folks get out of their comfort zones and go to more customer and developer conferences and start engaging more with the people they serve in their spaces; versus us all getting together in our events and talking about how to best engage our non-security stakeholders. Let’s go talk to them. I get that it’s hard because we have limited budgets, but finding more bridges with those communities will be valuable to our industry growth and our outcomes.

Question 10 💭

Given your understanding of gamification models, could you tell us more about the evolving role of gamification in cybersecurity? How can gamification models shape the future of cybersecurity practices? Should every organization be incorporating gamification models into their security strategies?

Answer 10 🎯

Gamification can be a really useful tool in motivating people to do security processes and tasks to achieve better security. If you choose to go that route, you’ll want someone who has experience with behavioral psychology or game strategy and development. Do you want people to start doing a new behavior, or stop doing an existing behavior? Is the task simple, complex, luck based? An experienced gamification designer knows that you use different gamification models for different tasks - Candy Crush versus Portal have very different gamification models, and often offer multiple reinforcements for the broadest possible appeal. It’s not always about competing with each other, some people are motivated by just being better than they were yesterday.

And while gamification is one way to incentivize people to improve, it’s not the only way. Gamification is in the same theme as user experience (UX) and smart user interface (UI) design live, and all of these are critical in leading employees and customers to improve their security practices.