Cybersecurity CISOs on Securing Themselves: How Security Companies Manage Their Own Risk
This panel brings together CISOs from leading security firms to discuss the unique challenges and strategies of protecting organizations that themselves are in the business of security—revealing both unexpected advantages and heightened risks.
Session Summary
In this panel discussion from RSA Conference, three seasoned security leaders explore the dynamics of securing organizations that are themselves in the cybersecurity business. David Hahn (CISO in Residence at Ballistic Ventures), James Nelson (VP of Information Security at Illumio), and Gavin Reid (CISO at Human Security) bring perspectives from multiple security vendor roles, revealing both unexpected similarities to and important differences from other industries.
The conversation begins with the ironic observation that early-stage security startups often deprioritize their own security as they focus on product development, creating a disconnect between their market promises and internal practices. Reid notes that while the fundamentals of security remain consistent across industries, security companies face unique challenges including heightened targeting from threat actors who may post bounties for compromising their systems or even issue threats against security personnel. This increased risk profile is balanced by advantages including greater executive buy-in for security initiatives, with Reid noting that his current CEO immediately approves security recommendations that would have required extensive justification in non-security companies.
A significant advantage the panelists highlight is the opportunity for "dogfooding", that is, using their own security products internally before releasing them to customers. This practice provides valuable feedback for product development while simultaneously strengthening the company's own security posture. Nelson describes how security companies can leverage their position to gain early access to emerging security technologies through business partnerships, creating additional protective advantages. Hahn emphasizes that despite these benefits, security companies must stay focused on customer needs rather than chasing industry trends, particularly at startups where resources are limited.
The discussion addresses the critical balance between security and business agility, with Nelson emphasizing "surprise avoidance" through transparent communication about security implications before business decisions are made. Reid candidly acknowledges that startups sometimes must incur technical debt to achieve business objectives, noting that perfect security with no product to sell is a failed business strategy. On third-party risk management, the panel expresses frustration with checkbox compliance approaches, advocating instead for industry-specific standards and focusing on data access controls rather than prescriptive security practices.
The conversation concludes with a compelling discussion of transparency in customer relationships. The panelists unanimously advocate for radical honesty about security capabilities and limitations, arguing that security vendors should publish their software bills of materials (SBOMs) and security practices as competitive differentiators rather than hiding behind generic assurances. As Hahn summarizes: "If anybody says 'we've got all your security things covered,' I know they're lying... Be direct, be honest, be open, be transparent... If you can't build that trust, why are you in the security business?"
Key Takeaways
- Security fundamentals remain consistent across industries - While security companies face unique circumstances, the core mission remains enabling business objectives while protecting critical assets.
- Security vendors face heightened targeting - Security companies experience more sophisticated attacks, including bounties for compromising their systems and even threats against security personnel.
- "Dogfooding" creates dual benefits - Using their own security products internally provides valuable product feedback while strengthening internal security postures.
- Executive buy-in is typically stronger - Security company leadership generally has greater understanding and support for security initiatives than in other industries.
- Balancing agility with security requires transparency - Effective security in fast-moving security startups depends on clear communication about risk implications before business decisions are made.
- Third-party risk management needs evolution - The industry should move beyond checkbox compliance to industry-specific standards and data access controls.
- Radical transparency builds customer trust - Security vendors should openly publish their security practices and limitations as competitive differentiators rather than making unrealistic claims.