As a CMO, I’m constantly trying to think of better ways to describe why what we’re doing at Axonius matters to potential customers. We target information security professionals, a group of people who share the following characteristics:
- There is no perfect end state — Perfect security does not exist. Despite being responsible for protecting all corporate information, CISOs know that there’s no silver bullet.
- They are constantly being hounded by marketers and salespeople — There are thousands of cybersecurity companies out there all claiming to be able to protect, detect, respond, and remediate all threats.
- They usually don’t have enough people — everyone talks about the talent shortage in cybersecurity, and regardless of whether you believe it, there’s little doubt that most companies don’t have the resources to do everything they want in security.
- They can’t lock everything down — People have to do their jobs, and security can’t be an impediment. There has to be a balance between security and convenience.
Given those facts, information security teams do the best they possibly can to secure the enterprise. They buy products that scan for vulnerabilities on endpoints, protect against attackers, find malicious items, alert when something is fishy (or phishy), and authenticate that users are who they say they are (to name a few).
They choose which products they’ll deploy, and like pieces on a chess board, they arrange their defenses strategically hoping to move forward without sacrificing what matters.
So What Do CISOs Want?
At Axonius, we’ve developed a Cybersecurity Asset Management Platform. The thought is that companies have already invested in many different security and management solutions (chess pieces), and if a company can connect to each of those solutions, it can see all of its users and devices and understand things like:
- Which of my devices aren’t secure? For example, do I have devices that aren’t managed by the security solutions I’ve purchased? Do I have cloud instances, IoT devices, or other machines I don’t know about?
- Which of my users have incorrect permissions or configurations? Do I have user accounts that have local admin access? What about users that have a password set to never expire? Maybe even service accounts that haven’t been updated in a decade?
- Which of my security solutions aren’t fully deployed? Taking the other perspective on the two questions above, which of the things I’ve purchased aren’t able to see, scan, or secure devices and users?
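To make those three questions concrete, here is an added example of the kind of correlation they imply. It is mine, written for this post; it is not Axonius code and does not reflect how the platform works internally. All of the inventories (a network scan, an EDR agent list, a vulnerability scanner, a cloud provider, and a directory export), the source names, and the policy thresholds are constructed assumptions. The point it shows is that the same device turns up spelled differently in each tool, so you have to normalise identifiers before you can ask "who is missing from where", and that "unmanaged device" and "tool not fully deployed" are the same set difference read from opposite sides.

```python
"""Correlate device and user inventories pulled from several tools to find
assets that fall outside the security policy.

Every inventory below is constructed sample data, not output of any real
product. Source names ("edr", "vuln_scanner", ...) and the policy
thresholds are assumptions made for this example.
"""
from datetime import date, timedelta

# --- constructed device inventories -----------------------------------------
# Each tool reports the same host differently: case, FQDN vs short name,
# MAC formatting. Correlation has to normalise before comparing.
NETWORK_SCAN = [
    {"ip": "10.0.1.10", "mac": "AA:BB:CC:00:00:01", "hostname": "FIN-LAPTOP-01.corp.example"},
    {"ip": "10.0.1.11", "mac": "aa:bb:cc:00:00:02", "hostname": "hr-desktop-07"},
    {"ip": "10.0.1.50", "mac": "aa:bb:cc:00:00:50", "hostname": None},  # unknown IoT device
]
EDR_AGENTS = [
    {"hostname": "fin-laptop-01", "mac": "aa-bb-cc-00-00-01", "agent_version": "7.2"},
    {"hostname": "dev-vm-03", "mac": "aa-bb-cc-00-00-03", "agent_version": "7.2"},
]
VULN_SCANNER = [
    {"hostname": "FIN-LAPTOP-01", "mac": "AABBCC000001"},
    {"hostname": "hr-desktop-07", "mac": "AABBCC000002"},
]
CLOUD_INSTANCES = [
    {"hostname": "dev-vm-03", "mac": "aa-bb-cc-00-00-03", "provider": "cloud-a"},
    {"hostname": "build-runner-9", "mac": "aa-bb-cc-00-00-09", "provider": "cloud-a"},
]
SOURCES = {"network_scan": NETWORK_SCAN, "edr": EDR_AGENTS,
           "vuln_scanner": VULN_SCANNER, "cloud": CLOUD_INSTANCES}


def normalise_mac(mac):
    """Reduce any common MAC spelling to 12 lowercase hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


def normalise_hostname(name):
    """Short, lowercase hostname; None stays None."""
    return name.split(".")[0].lower() if name else None


def correlate(sources):
    """Merge per-tool inventories into one asset table keyed by MAC.
    Returns {mac: {"hostname": str|None, "seen_by": set[str]}}."""
    assets = {}
    for source, records in sources.items():
        for rec in records:
            key = normalise_mac(rec["mac"])
            asset = assets.setdefault(key, {"hostname": None, "seen_by": set()})
            asset["seen_by"].add(source)
            if asset["hostname"] is None:
                asset["hostname"] = normalise_hostname(rec.get("hostname"))
    return assets


def missing_from(assets, source):
    """MACs that some tool knows about but `source` does not cover.
    Read one way this is "which devices are unmanaged"; read the other
    way it is "where is this tool not fully deployed"."""
    return sorted(mac for mac, a in assets.items() if source not in a["seen_by"])


# --- constructed directory export -------------------------------------------
TODAY = date(2019, 6, 1)  # fixed so the example is reproducible
USERS = [
    {"sam": "jdoe", "local_admin": False, "pwd_never_expires": False,
     "pwd_last_set": TODAY - timedelta(days=30), "service_account": False},
    {"sam": "asmith", "local_admin": True, "pwd_never_expires": False,
     "pwd_last_set": TODAY - timedelta(days=10), "service_account": False},
    {"sam": "svc_backup", "local_admin": False, "pwd_never_expires": True,
     "pwd_last_set": TODAY - timedelta(days=365 * 10), "service_account": True},
    {"sam": "svc_ci", "local_admin": False, "pwd_never_expires": False,
     "pwd_last_set": TODAY - timedelta(days=90), "service_account": True},
]


def policy_violations(users, today=TODAY, stale_days=365):
    """Map each user to the policy rules it breaks (empty list = compliant).
    The three rules mirror the questions in the text; the stale threshold
    is an assumed policy value."""
    out = {}
    for u in users:
        hits = []
        if u["local_admin"]:
            hits.append("local_admin")
        if u["pwd_never_expires"]:
            hits.append("password_never_expires")
        if u["service_account"] and (today - u["pwd_last_set"]).days > stale_days:
            hits.append("stale_service_account")
        out[u["sam"]] = hits
    return out


if __name__ == "__main__":
    assets = correlate(SOURCES)
    for mac in missing_from(assets, "edr"):
        a = assets[mac]
        print(f"no EDR agent: {a['hostname'] or mac} (seen by {sorted(a['seen_by'])})")
    for sam, hits in policy_violations(USERS).items():
        if hits:
            print(f"{sam}: {', '.join(hits)}")
```

Running it reports the HR desktop, the nameless IoT device and the cloud build runner as having no EDR agent, and flags the local admin, the never-expiring password and the decade-old service account. Swapping `"edr"` for `"vuln_scanner"` in `missing_from` answers the third question instead: the two cloud instances never get scanned. In a real environment the hard part is the normalisation step, because MAC addresses are not unique across virtual machines and hostnames get reused, so production correlation uses several identifiers with confidence weighting rather than a single key.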
All nice things to know. But that’s not what CISOs want (at least that’s my assumption). Those are our words, and it doesn’t matter how many times we say “Cybersecurity Asset Management” or “Continuous Policy Validation”. Too in the weeds. Important, but not necessarily keeping anyone up at night.
“Tell me when things aren’t the way I want them.”
I think that’s right. CISOs have spent a lot of time, energy, focus, and dollars determining their strategy and translating it into a security policy. Rather than focusing on the threats, exceptions, and vulnerabilities (all things that are important to security teams), the real focus is on those devices, users, and solutions that aren’t adhering to the security policy.
Back to the chess board comparison, here’s a quick video:
My Two Asks
The first one is obvious: if what we’re doing seems interesting and you’d like to see if our platform could help, let me know. It’s easy to book a call here.
The second: does the analogy make sense? If not, do you have a better one?