Red Canary Co-Founder: MSPs Key To Closing ‘Haves And Have-Nots’ Security Gap

‘It’s all a leverage game. If we can partner with one managed service provider in the financial services industry, on the back end we can protect hundreds or thousands of community banks. That’s a huge, huge point of leverage,’ says Keith McCammon, co-founder and chief security officer at Red Canary.


Cybercriminals know all about the differences in the level of security at large and small businesses: The former generally have more security, the latter have less.

So it’s no surprise that threat actors are increasingly targeting smaller businesses, attacking their more vulnerable systems and often demanding eye-popping ransoms for seized data.

Keith McCammon, co-founder and chief security officer at Red Canary, a Denver-based managed detection and response vendor, strongly believes that the gap between the “haves and have-nots” needs to be addressed.

In a recent interview with CRN, McCammon, who helped found Red Canary in 2013, stressed that small-business protections have improved in recent years.

“We’ve made progress, absolutely,” said McCammon. “I’m not a pessimist.”

But McCammon, whose company has raised $125 million in funding and employs more than 400 workers, told CRN that the “haves and have-nots” gap will persist unless the industry does a better job assessing exactly what type of security small-business owners both need and can afford.

“Part of closing the gap is just folks understanding what is the simplest and most effective set of things that a company can do to protect itself from modern threats,” he said.

“Most of the threats companies face aren’t novel, and most of the things that they need to do to counter them are also not novel,” he said. “And so a huge part of making progress is just helping people to understand that.”

And he said MSPs, working with vendors and customers, are key to communicating with small-business owners about what types of security they need—and at a cost they can afford.

Following are excerpts from McCammon’s interview with CRN:

The whole idea of having a haves and have-nots gap in cybersecurity, what do you mean by that?

It’s definitely been something that I’ve been thinking about for a super long time. I guess how I think about it has definitely evolved over the years. We’ve grown and the industry has grown. But the original problem that we set out to address, and I think is still the No. 1 problem, is that we’re just doing incident response work and you just see these organizations that are so upside down in terms of resources and expertise. When you’re comparing yourself to an adversary, they’ve kind of got information asymmetry on their side. They know something you don’t. They’ve obviously got the initiative on their side. They get to decide when they’re going to do what they’re going to do. And there’s only a very, very small percentage of organizations that have a good high-functioning risk management program, or any risk management program, let alone a good security operation that can detect and respond to things like ransomware before it shuts down a school district.

So only a few have good detection and response security.

Yes. And it’s a really small percentage. It’s just exceptionally hard [to obtain] the major moving parts—good threat intelligence program, having a good threat research program, being able to operate around the clock and affording the cost of staffing enough human beings to look [for threats] 24x7. It is kind of beyond the bar of most folks, let alone doing it really, really well.

That’s kind of always been one of the guiding principles of how we operate and why—which has always just been to try to flip [access to security] upside down and make it possible for an organization with a few thousand employees to get the same security outcome that you expect from a Bank of America or these places that are investing like tens of millions or even hundreds of millions of dollars in security. You see this with some tech companies too. The amount that they invest [in security] is not even a thing that 99 percent of companies can think about.

Have we made progress in chipping away at this haves and have-nots gap or are we falling behind?

We’ve made progress, absolutely. I’m not a pessimist. We know we’ve made progress. I’m actually getting ready prepping a talk for next month, and one of the things I was looking at is the evolution of security technology and solutions over the last like eight or 10 years, such as fundamental improvements to things like tech platforms, like Apple, Microsoft and Google, and the steps they made to make technology on the order of magnitude safer than it was. That’s good. And I do think in the security services space, consumers have gotten smarter. We’ve learned a lot about what works and what doesn’t. We’re starting to see our customers asking better and harder questions about how to prove the efficacy of the service and what’s our track record protecting customers from things like ransomware and nation-state attacks. So, yes, we’re way, way, way better off than we were.

But do we still have a long way to go in order to create equity?

Yes. We’ve made progress. The numbers side of it is super interesting. We were [recently] talking about the state of the market and where we see things going. I’m not sure what to make of all these numbers, and they’re not mine. But if you look at some numbers, there’s a million people working in cybersecurity. And so, yes, we’re making progress. Things are getting better. But there’s an interesting dimension to that: Almost close to half of these jobs are unfilled. And a super interesting way to put that in perspective for me was that one of our folks [at Red Canary] did some research. There’s maybe a million open sales jobs in the United States. But the denominator [of total sales jobs] is something like 23 million. So that really puts in perspective cybersecurity relative to other industry segments. People are looking for a lot more cybersecurity staffing and expertise than exists now.

What can we do to close the gap between the haves and the have-nots?

One of the challenges when people do talk about the cybersecurity skills shortage is whether you’re doing the right things. Yes, you might say you need 20 people in cybersecurity next year, but do you really know where’s the best use of them, the best place to direct that energy and expertise? A huge part of closing the gap is just folks understanding what is the simplest and most effective set of things that a company can do to protect itself from modern threats. … Can you hire Red Canary or can you hire someone else to do [a job]? And then there are things that aren’t transferable, things that you need to have a lot of organizational context to do.

So I think a huge part of closing the gap is helping to drive a lot of clarity with organizations and helping them understand security threats. We say words like ‘threat model’ and we wave our hands around and no one knows what the hell we’re talking about. And so helping people understand stuff like threat modeling is not this huge complicated exercise. …

Most of the threats companies face aren’t novel, and most of the things that they need to do to counter them are also not novel. They’re not unique. And so a huge part of making progress is just helping people understand that, ‘Hey, here’s what you need to worry most about, here’s what’s most likely to happen to you and here’s the most effective ways, whether it’s technologies or services or in-house operations, to counter those threats.’

When you talk about the haves and the have-nots, the thing that’s always keeping most organizations down is just lack of access to good information, lack of a clear understanding of threats, lack of a clear understanding of what works and what doesn’t. For better or worse, there’s no Consumer Reports for this industry. There’s nowhere a company can go to get objective data that says, ‘Hey, Company A claims to do this and it works, or it doesn’t.’ It’s really hard to come by such information, and so I think just being more transparent across the board and just helping to educate organizations is a huge part of that.

At Red Canary, is your target audience SMBs or enterprise?

Mid and large enterprise primarily. I won’t say that’s ideal but that’s definitely the core of our customer base, mid to large enterprises. When you want to talk about the haves and the have-nots—the folks all the way at the bottom of the pecking order, like small businesses and very small enterprises—and when you look at how like they’ve been served over the years, you have the managed services market. Which has done a good job of taking on a 10- or a 20- or even a 200-person company that can’t afford to build a huge in-house IT team and they probably shouldn’t. The managed services market has made it easy for them to get their hands on [security products and services] and get those outcomes that they want. And so while mid and large enterprise is definitely the core of our customer base, we serve a lot of customers on the smaller side through managed service providers.

[MSPs] provide leverage and one that we’ve always liked. It’s been there as long as we’ve been around. We’ve been working with managed service providers and we’ve always been just super proud of that because it’s working.

So working with MSPs is part of the solution to closing the gap?

Absolutely. It’s all a leverage game. If we can partner with one managed service provider in the financial services industry, on the back end we can protect hundreds or thousands of community banks. That’s a huge, huge point of leverage.

You said you’re not a pessimist as far as security. But do you think we’re going to ever reach the point where we’re ahead of the curve in terms of confronting the cyber bad guys?

Getting ahead is really hard. The [threat actors] are just like us. They’re trying to eat too. And so we all have a lot of motivation. And it’s really, really tough to think through, from an adversarial kind of industry, how you get ahead. But I will say, if you look at things like market penetration, like endpoint detection and response [EDR] technology, and then managed detection and response [MDR], which is the segment we’re in, we’ve grown a ton in the last few years. When we think about getting ahead like that, we’re just scratching the surface of companies that are adopting outsourced managed detection and response and outsourcing things like security operations, which are really hard, expensive and complex but an effective way to protect organizations from cybercrime. ...

But I definitely think we’re approaching a tipping point where it feels like we’re going to be able to make solutions more available. It’s just a matter of the cycles of budgeting and adoption. And also partnerships, figuring out where and how technology providers like Microsoft can get a lot of leverage protecting customers with someone like us and how someone like us can get a lot of leverage protecting customers by partnering with a managed service provider. That’s the cycle we want to see. We’re getting there. Things are moving in the right direction. It’s just a matter of time.