Security at the Pace of Commercial Innovation

The U.S. Department of Defense is trying to change how it acquires technology, by buying more from private sector technology companies from Silicon Valley and innovation hubs across the country.

As part of that effort, the new Defense Innovation Unit Experimental (DIUx) unit, headed by former fighter pilot and entrepreneur Raj Shah, recently published a guide on how to use existing DoD authorities to buy commercial prototypes faster. The final sentence of the guide reads:

DoD must move at the pace of commercial innovation or risk being left behind, not only by the commercial marketplace, but by our adversaries as well.

I couldn’t agree more. And it’s not just the Defense Department — the entire federal government would benefit from an explicit focus on buying and using modern software, as I’ve written previously.

In that spirit, Insight Venture Partners hosted on March 29, 2017 our first “Defense in Depth” cybersecurity forum in Washington DC.

As a leading growth investor in security and infrastructure software, we brought leading CEOs and tech executives to an intimate conversation with leadership of defense and civilian agencies about the evolving cyber threat. As the name of the forum implies, a layered defense using modern technology solutions is an important part of a cybersecurity defense in any large organization — including federal agencies.

Speakers at the event included:

• DISA Vice Director Maj. General Sarah Zabel, who highlighted the scale and scope of the attacks on the defense networks every single day;
• Air Force Deputy CIO Bill Marion, who challenged federal colleagues to think differently about risk;
• Security expert and Trail of Bits CEO Dan Guido, who noted that adversaries are using known technologies but more coordinated and sophisticated attacks;
• Former Deputy Commander of U.S. Cyber Command Lt Gen (ret.) Robert Schmidle, who discussed lessons learned from setting up U.S. Cyber Command;
• Former GSA Administrator Denise Roth, who talked about GSA’s role in federal cybersecurity, including the new Tech Transformation Service / 18F that she helped build at GSA;
• U.S. Digital Services founding member Mathew Weaver, who stressed the importance of security and IT professionals learning cyber response skills in real-world situations — based on his experience recovering from the OPM breach and many others; and
• CEOs and executives from leading companies, including Tenable, Cylance, Firemon, Docker, Pluralsight, Thycotic, and Checkmarx, who highlighted how their innovations are solving problems across the commercial and government markets.

As a thought leadership forum with federal agency leadership and private sector CEOs openly sharing their technology visions, the event generated some interesting insights:

• Both government and industry leaders highlighted their priorities of cyber analytics, cloud services, and next-generation endpoint capabilities;
• There was acknowledgment that agency-specific security certifications can negatively impact private sector success in government; and
• There are strong common interests and motivation to expedite the delivery of mission capability.

There was also candid cross-agency dialogue on accelerating the Authority to Operate (ATO) process, the relevance of Agile and DevOps methodologies, and the complexities of making cyber capabilities operational.

As I noted in my opening remarks, one of the challenges that federal agencies face is keeping pace with the sheer number of security vendors offering newer capabilities.

That’s where the venture capital community can help — helping vet the teams, businesses, and technologies. We track thousands of security vendors, talk with hundreds every year, and invest in just a handful.

Insight Venture Partners invests in growing companies at all levels of the security stack, and our portfolio companies provide options to secure government systems in real world agency environments. Our portfolio companies are being deployed at scale in federal agencies today, integrating with each other and also with complex legacy solutions in those environments.

To illustrate a layered defense strategy for securing government information systems, consulting firm Cognitio released a Defense in Depth whitepaper that maps to Insight’s portfolio. It’s worth a read.

I won’t pretend that our portfolio companies are the only options for federal agencies considering modern capabilities to secure systems, manage risk, and train the security workforce. Many other venture capital firms also are investing in cybersecurity, though I’d argue Insight has an all-star portfolio, and our firm has the necessary scale, experience, and context to help our companies succeed in the public sector.

It’s reassuring that the federal government is working to acquire the capabilities we need to protect our government, economy, and people. We still have a long way to go though, and I’m hopeful Congress and the Administration can make progress on IT procurement reform this year. There are good ideas on both sides of the aisle.

It will require real changes in how the federal government does business, but we can do this.

Let’s move at the pace of commercial innovation.