The Expert's View with Michael Novinson

Governance & Risk Management , Training & Security Leadership

Cyberstarts Program Sparks Debate Over Ethical Boundaries

Scrutiny Over Ethics of Profit-Sharing Prompts End to Cyberstarts CISO Compensation
Cyberstarts Program Sparks Debate Over Ethical Boundaries
Image: Shutterstock

Does compensating CISOs for advising startups cloud their judgment when it comes time to purchase technology?

See Also: On Demand I Prisma Cloud for Google Cloud Environments - Top Drivers

That's the $250,000 question surrounding Cyberstarts, an Israeli incubator behind some of the most successful cybersecurity vendor launches in recent years.

Why $250,000? Until recently, that's the amount Cyberstarts promised CISOs they could earn over the lifetime of a fund if they provided product feedback and market insights to three or four new security startups annually, Forbes reported last month.

Cyberstarts stopped compensating CISOs in June after a bombshell Calcalist report raised ethical concerns around potential conflicts of interest. Critics argued the financial incentives associated with Cyberstarts' "Sunrise" program swayed procurement decisions by CISOs, with some companies opting not to renew contracts with Cyberstarts portfolio companies after affiliated CISOs exited.

"Cynical allegations about ethical problems in the Sunrise program have forced us to suspend payments within the program," Cyberstarts founder Gili Raanan said in a June 27 letter to the firm's CISO advisors, Forbes reported last month. Raanan didn't respond to Information Security Media Group requests for comment.

Cyberstarts' focus on early customer engagement through a network of 75 CISO advisors - up to half of whom were compensated - has been effective, with portfolio firm Wiz receiving a $23 billion acquisition offer from Google. But critics said allowing CISOs to earn money when Cyberstarts' investment portfolio grows undermines trust, distorts competition and doesn't align with best practices around governance (see: Why Google Is Eyeing a $23B Buy of Cloud Security Phenom Wiz).

"You should not have a personal interest in any business decision that you're overseeing," a CISO who didn't wish to be identified told Information Security Media Group. "Even the perception of bias really erodes the work environment."

How Compensating CISOs Could Create a Conflict of Interest

The cybersecurity market is notoriously difficult for startups to break into due to high competition and complex procurement processes. Cyberstarts addressed this by tapping a network of compensated CISOs to help startups achieve early traction. Critics said this setup inflated valuations for Cyberstarts portfolio companies without proven market success and made it tough for other startups to compete.

"We were in a competitive situation with one of the companies in the Cyberstarts portfolio, and we couldn't understand how they were getting so much traction so quickly with so many different companies," the CISO told ISMG.

Raanan said offering profit-sharing in the form of carried interest incentivized CISOs to participate in advisory roles, gave Cyberstarts startups access to valuable insights, and limited potential conflicts of interests by tying compensation to overall fund performance rather than an individual startup. Rivals with CISO compensation plans like YL Ventures prohibit advisors from participating in procurement decisions.

Concerns around CISOs prioritizing vendors due to personal financial incentives are magnified by the informal power dynamics within cybersecurity teams, where staff might unintentionally lean toward solutions favored by their leaders. Similar incentive structures in industries like pharmaceuticals and finance have led to regulatory backlash, but no restrictions exist in the technology or security arena.

"We want our security leaders and their teams to choose security products based solely on the quality of the product," Joe Sullivan, former chief security officer at Facebook, Uber and Cloudflare, told ISMG. "And sometimes the potential perception of bias is more poisonous than any actual bias."

Transparency is a cornerstone of ethical decision-making in procurement, and Sullivan said he navigated potential conflicts of interest during his time as CSO by disclosing relationships and recusing himself. He argued that even full transparency is sometimes insufficient, as the perception of bias can still influence outcomes.

"The general principle that we're trying to uphold is that you should not have a personal interest in any business decision that you're overseeing," said Sullivan, who navigated his own set of ethical landmines while working at Uber (see: Jury Finds Former Uber CSO Joe Sullivan Guilty of Cover-Up).

Raanan told Calcalist and Forbes the compensation was meant to incentivize CISOs for their time and expertise, with CISOs obliged to disclose their advisory role to employers. But Calcalist found some of the payments from Cyberstarts were routed directly to CISOs' personal bank accounts, potentially bypassing corporate disclosure processes.

"The real damage this does is it makes the bar to entry for startups with real value much higher, and it creates a situation where the most innovative and best security solutions are having to either fight 10 times harder to be successful, or they're not even getting a chance to be successful," the CISO told ISMG.

Influencing CISO Spurs Success for Cyberstarts, Headaches for Others

CISOs play a critical role in cybersecurity procurement and strategy, with peer network interactions often informing major decisions and making them valuable as advisors. But using these networks as a commercial lever raised ethnical concerns and damaged trust within the community since CISOs didn't know peers pushing technology from Cyberstarts portfolio companies were actually being compensated.

CISOs often rely on peer networks to navigate the crowded field of cybersecurity startups, but Sullivan said this reliance could give undue influence to CISOs being compensated by Cyberstarts. As a result, startups without access to compensated advisory networks face greater challenges gaining traction since standing out requires innovative technology and strategies for building visibility.

"There are so many security startups and there's so much noise that it's really hard for a startup to get visibility," Sullivan told ISMG.

The compensation offered to CISO by Cyberstarts and YL Ventures highlights key differences between Israeli venture capital firms, YL's compensation model worked differently than Cyberstarts, with the former offering fund profits for due diligence on potential investments rather than for work with existing investments. Other funds including Glilot Capital and Team8 eschew CISO compensation.

Sullivan said the current model driven by venture capital firms like Cyberstarts prioritizes rapid growth over meaningful innovation, with a reliance on aggressive marketing sometimes leading to poor product quality and unmet promises. He would like to see a systemic reform where the focus shifts to long-term value creation rather than short-term financial gains or valuation growth.

"Is this a healthy model for developing good products to help us become more secure?" Sullivan asked. "I don't think it's the ideal environment with 5,000 startups, half of which are just features."

Experts told ISMG VC firms should be required to disclosure all advisory relationships with CISOs, even if uncompensated. In addition, there should exist a firewall between advisory roles and procurement responsibilities so that organizational buying decisions aren't influenced by a CISOs consulting work. Independent oversight around venture fund practices should be established.

"Transparency seems like it would have solved this problem, whereas the way that the process went, it raises a lot of questions," the CISO told ISMG. "The question is, 'Are there more shoes waiting to be dropped?' There's no smoking gun, but something is smoking and that means there could be fire."



About the Author

Michael Novinson

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.asia, you agree to our use of cookies.