
A recent Forbes investigation into Israeli venture capital firm Cyberstarts raised ethical questions about a profit-sharing program at the firm, and about the threat that program poses to corporate data security.

The controversy at Cyberstarts, which counts the cloud security unicorn Wiz as the crown jewel in its portfolio, centers on its outside adviser network, dubbed Sunrise, which includes chief information security officers (CISOs) from some of the world’s largest companies, such as Colgate-Palmolive, Freddie Mac, and Kraft Heinz. In theory, these executives are meant to act as mentors to start-ups and give product feedback; in return, CISOs get an inside track on new technology that could be useful to their companies. It’s a relationship not uncommon in the security industry.

But the compensation structure Cyberstarts offered its CISO advisers is uncommon, and it raises significant concerns related to conflicts of interest and corporate cybersecurity. CISOs participating in Sunrise were expected to provide insights to the companies Cyberstarts invested in. In return, they received a percentage of the fund’s profits. According to Forbes, CISOs working with Cyberstarts could have raked in as much as $250,000 over the lifetime of a fund if Cyberstarts companies succeeded on the market.

Putting aside the ethical quandary that a handshake agreement like this creates between CISOs and their employers, the Sunrise program also raises serious corporate security concerns, particularly as cyberattacks against Fortune 500 companies grow in both frequency and sophistication. The problem has become so widespread that cyberattacks have been labeled the “No. 1 worry for business leaders.” It’s easy to understand why.

In 2023, the number of cyberattacks in the U.S. hit an all-time high, with more than 3,200 breaches, according to the Identity Theft Resource Center. These attacks put sensitive data in jeopardy, creating legal and reputational headaches, harming sales, and, in some cases, costing companies millions of dollars.

And if recent attacks are any indication, the problem has only grown worse in 2024. 

In February, a ransomware attack against UnitedHealth-owned prescription processor Change Healthcare caused huge disruptions in the U.S. health care system that lasted for weeks, and prevented many pharmacies and hospitals from processing claims and receiving payment. The issue was only resolved when UnitedHealth paid a $22 million ransom to a Russian-speaking cybercrime group. Overall, the health care giant said it has recorded $2.5 billion in total impacts from the attack through the nine months ended Sept. 30, including $1.7 billion in direct response costs.

Then, over the summer, CDK Global, a software firm serving car dealerships, was hit with a ransomware attack that paralyzed thousands of dealerships across the country and was only remedied after CDK paid $25 million to hackers affiliated with BlackSuit.

Even Wiz, Cyberstarts’ biggest unicorn, was recently hit with a deepfake attack in which hackers tried to steal employees’ credentials using deepfake audio of Wiz CEO Assaf Rappaport’s voice. While the attack was ultimately thwarted by employees who knew how the CEO spoke in daily life, the deepfake highlights how vulnerable even cybersecurity companies themselves are to the increasingly sophisticated tactics of hackers and cyber-criminals.

Given the frequency and severity of cyberattacks like these, there is an inherent problem with any corporate security executive, not just one participating in Cyberstarts’ Sunrise program, making such critical decisions about their company’s security if there is even a suggestion that they are doing it for financial gain. With so much at risk, the idea that corporate security executives’ actions could be swayed by this kind of payout should keep CEOs up at night.

Neither corporate security executives nor their bosses should want a situation where they are purchasing products that do not meet their company’s needs or purchasing products that could be inferior to others solely for financial reasons. Corporate leaders need to know whether their CISOs have any real or even perceived conflicts, as even the appearance of conflicts could be enough to erode trust in a company’s security.

As the Forbes investigation points out, there are numerous instances of overlap between Sunrise participants and companies that signed contracts with Cyberstarts’ unicorn Wiz, from Chipotle to Takeda. One common thread throughout all these instances is that all the companies using Wiz technology maintain enormous amounts of customer and other data.

While Cyberstarts notes it has suspended the Sunrise “loyalty program,” a disturbing precedent has been set. Protecting sensitive data is one of the most important responsibilities corporations have, and the decisions about how to safeguard this information cannot be influenced by personal financial gain. Corporate leaders must take notice of arrangements like Cyberstarts’ Sunrise program and ensure conflicts of interest have no place in their company’s security infrastructure.

Dr. José A. Marquez-Leon is national president and CEO of TechLatino. 
