Standards, Regulations & Compliance , Video
ISMG Editors: US Supreme Court May Limit Identity Theft Law
Also: ISMG Hosts Engage Event in Toronto; Vendor Wiz Quadruples Workforce Anna Delaney (annamadeline) • March 3, 2023In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity and privacy issues, including highlights of ISMG's upcoming Engage Toronto event, how the U.S. Supreme Court challenges the identity theft statute and how - despite tough economic times - vendor Wiz boosted its valuation by $4 billion in 16 months.
See Also: Accelerate Your Mission with Elastic as a Global Data Mesh
The panelists - Anna Delaney, director, productions; Tom Field, senior vice president, editorial; Michael Novinson, managing editor, ISMG Business; and Marianne Kolbasuk McGee, executive editor, HealthcareInfoSecurity - discuss:
- Highlights from ISMG's upcoming ISMG Engage Toronto event, which features in-depth conversations among security leaders on API security, third-party risk and ChatGPT;
- How justices on the U.S. Supreme Court appear ready to restrict federal prosecutors' use of a federal law criminalizing identity theft after hearing a case challenging its application in a Medicaid fraud case;
- How cybersecurity vendor Wiz has become the most valuable venture-backed cybersecurity company in the world, nearly quadrupling its workforce from 168 employees to more than 650 in 16 months and raising $300 million on a $10 billion valuation.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Feb. 17 edition, which discusses how a ransomware campaign hits outdated VMware hosts, and the Feb. 24 special edition on zero trust.
Anna Delaney: Hello, I'm Anna Delaney and thanks for joining us for the latest edition of the ISMG Editors' Panel, a weekly show where I'm joined by three of my colleagues to discuss the latest cybersecurity incidents, industry news and events. And I'm in good company today with Tom Field, senior vice president of editorial, Marianne Kolbasuk McGee, executive editor for HealthcareInfoSecurity, and Michael Novinson, managing editor for ISMG Business. Wonderful to see you all.
Tom Field: Wonderful to see you.
Delaney: Tom, are you in the sea? Like, Sebastian, the crab?
Field: Under the sea. Yes, this was a trip to the New England Aquarium last weekend. And although it was probably freezing temperatures outside, this might be as close to tropical as I get this year. But as always looking around saying, "What's my virtual background going to be next week?" and it was right in front of me or in this case right underneath me.
Delaney: Very good. Can you give us a peek of the creature behind you?
Field: Yes. How about my friend, the tortoise? We don't have these men.
Delaney: Wonderful. Marianne, looking pretty cold out there.
Marianne McGee: Yeah, this was a shot from outside our back deck yesterday when we had like two inches of snow, which is already melted. Very unusual winter so far in New England. It's the most snow we've gotten all winter.
Delaney: Yeah, it's supposed to be spring as well.
Field: Let's qualify that. The most snow she's gotten.
Delaney: Michael, looks enchanting. You're in a in a gallery, I presume?
Michael Novinson: Indeed I am. I'm at the Rhode Island School of Design Museum in Providence, Rhode Island. Art Museum dates back to 1877. They are kind enough to do every so often Super Art Sundays where they do crafts and scissors and all kinds of fun stuff for people who have two-year-old children who are looking for things to do so. Fortunately, she enjoyed the museum and did not touch any of the artwork.
Delaney: Or steal it. Very good. Well, this is a view from the top of one of London's most iconic skyscrapers - you'll probably laugh at our version of skyscrapers. But anyway, it's endearingly called the Gherkin by Londoners because of its gherkin like shape. I'm sure you'll be familiar with the image. And I was there moderating a roundtable last night so I just had to take this epic view.
Field: Okay, why are my roundtables at steak houses and yours at iconic landmarks?
Delaney: Come to Europe! Well, you get the good steaks, right? Trade off. Well, Tom, I believe you are jumping on a plane next week to host ISMG Engage Toronto. Tell us about it and what attendees might expect.
Field: Yeah, very excited by it. So second Engage event of the year and as we've discussed before, this is an event that is sort of a cross between a traditional summit and a traditional roundtable where we do have an opening keynote featuring CISOs, we break off into pairs of roundtables. You attend a session for about an hour, take a break, go attend another session. And so it's an opportunity for people to network and mass and in smaller groups, and take in topics such as software supply chain security and SOC modernization are the things that we're talking about. What I'm excited about is the keynote panel that we're going to host. Now, the topic of this one is about really the modern CISO and we're talking about - surprise - API security, third-party risk. And guess what's the most popular topic of conversation in any cybersecurity room you enter this year?
Delaney: Is it about an AI chatbot?
Field: It will be about an AI chatbot: The impact of ChatGPT. So, we've got a great panel here. It includes Rob Knobloch, who is the Deputy CISO with Scotiabank, one of Canada's major financial institutions. We've got Zia Shah, CISO, managing director of technology with KPMG in Canada, Greg Thompson, CISO with Manulife and Deniz Hanley, who is the CISO and head of technology and operations risk with Morgan Stanley. So among the topics that we're going to discuss with this panel - and this will be a good one to kick things off - we're going to talk about if API is the new endpoint, then how do we get a handle on inventory, vulnerabilities and defense? Terms of third-party risk. What happens when your greatest vulnerabilities are through the doors of your most strategic service providers? Sounds like a story Marianne writes about every week. And then ChatGPT, not what are just the potential use cases for the adversary, but what are the potential use cases for the defender. Each of these CISOs was adamant that this was something that they wanted to talk about and they wanted to get some input from the people in the audience. So we hope to open this up to a broad discussion. It's a terrific way to kick off the event. And I look forward to getting back to Toronto for the first time since the pandemic.
Delaney: Yeah, wonderful. So these Engage events are obviously different to our traditional summit experience. And what are the benefits of this sort of event? And what was the feedback like from our first event from attendees in New York?
Field: I think the benefit is you're not just sitting there taking in information. You know, conferences are so much sit, listen to an individual presenter, listen to a panel, maybe getting a question or two. We start with the panel, but then we immediately break into smaller discussion groups where there's more interaction. So I think, for the attendee, you're just more, well, I hate to say it, but you're more engaged. And that's a good thing. And for the sponsors and the speakers is an opportunity not just to present information, but to take in information. So I think that the give and take just offers everyone a higher level of interactivity and engagement than they've ever had before. You will walk away with some new ideas, you will walk away with some new contacts and maybe even some context. So it's a terrific way to consolidate everything into four or five hours. It's almost like a conference. Concentrate, if you want to say.
Delaney: We're looking forward to hearing your takeaways next week. Good luck with the event.
Field: Thank you so much. Look for Anna. Next one's coming to your town. So pay particular attention.
Delaney: Yes, in May. I'm looking forward to that. Marianne, you've written this week about a U.S. Supreme Court hearing involving a case of healthcare fraud and identity theft. So it sounds pretty serious there.
McGee: You're right, Anna. It's actually an interesting case. The Supreme Court heard arguments on Monday in a case that involves healthcare fraud and identity theft. And it's worth watching on several levels. Now, the case involved a gentleman or an individual named David Dubin, who is the managing partner at a Texas psychological services company, and Dubin, in 2020, was convicted of Medicaid fraud for overbilling the scope of mental health evaluations that were provided to a patient, and his conviction - Dubin received a one-year prison sentence for the Medicaid fraud. But the Texas Court also tagged on an extra two-year mandatory sentence for aggravated identity theft, because he used a patient's name while submitting the exaggerated bills to Medicaid. Now, federal prosecutors have obtained the identity theft conviction by pointing to a statute that makes it a felony to use, without lawful authority, another person's identity, and by saying that Dubin acted outside the law by submitting a false claim in that patient's name. And the patient is a minor that is identified in court proceedings only as patient L. So Dubin last year challenged the aggravated identity theft conviction in a Texas appeals court. But that court upheld the lower court's decision. To the Supreme Court, Dublin's attorney argued that Dubin did not use the patient's identity in relationship to the healthcare fraud offense, but the use of the patient's name was merely incidental to that. And the attorney also argue that Dubin did not use the patient's identity without lawful authority, because he had the patient's permission to build Medicaid for the services. And that's what Dubin did. A transcript of the Supreme Court hearing indicates that the justices were really sort of picking at the arguments that the attorney was making. The justices questioned other potential scenarios involving authorized use of identity versus potential identity theft committed in other sort of fraud examples. For instance, one of the justices asked if it would be considered identity theft if a waiter used a customer's credit card to add food items onto the bill that the customer didn't order, or if the waiter instead use the customer's credit card to pay down the waiter's mortgage. Now, some legal experts also say that the Supreme Court ruling to overturn - if it does overturn this lower court's decision - could impact the scope of what constitutes identity theft in healthcare but also perhaps in other scenarios. Also, some legal experts say that the federal prosecutors in the Dubin case could have used other legal strategies in their case such as pursuing criminal HIPAA charges for wrongfully disclosing patient information in the committing of this healthcare fraud. So it's a complicated case. Interesting, and we'll see what happens.
Delaney: Yeah, very interesting. I was reading that criminal defense lawyers have referred to the prosecution as a symptom of the federal over-criminalization epidemic. Do you think this argument has weight to it?
McGee: Ah, well, I'm not a real expert, but certainly when I was reading the transcript from the Supreme Court hearing, there were a lot of different examples that were brought up. Well, if this was fraud, why would - if this is identity theft, why would that maybe not be? And, you know, kind of making the example that while maybe it's overdoing it to say that just because you use the patient's name, and then you overbuild Medicaid, that using that patient's name was identity theft. But you had the patient's name for lawful billing of Medicaid. You just happen to overbill and committed fraud. So was that really identity theft? And those were the sorts of examples that they were kind of chewing over. So we'll see what happens.
Delaney: Yeah, very interesting. Thanks, Marianne. So Michael, there's been much talk about tough economic times. Recently, we've discussed various layoffs at numerous tech companies on this program. However, you're going to be showing something almost at the other end of the spectrum: cybersecurity company Wiz is experiencing some explosive growth. Do share more details.
Novinson: Of course, and I'm glad to do that, Anna. So in terms of Wiz, it's a really interesting story. The founders behind Wiz had actually earlier on created a company called Adallom that was a pioneer in the cloud access security broker market. They sold it to Microsoft back in 2015 for 320 million, which was a whole lot of money for a security acquisition back then. And then essentially, ran Microsoft's cloud security business for a number of years, both connections and relationships there. They leave at the end of 2019, at 2020, they launched a company called Wiz. I really tried to focus on the CNAPP space, that cloud network application protection platform. So bringing together CASBs and CSPM and SIEM. So, you're safeguarding applications, data user workloads, all from the same platform. So they launched in February of 2020, which was after you'd already seen some other folks launch, and then they emerge from stuff in December of 2020, with $100 million in funding and some other pretty impressive accolades. We're not even three years out from that, or just about three years after that. And they are now announcing that they have 100 million in annual recurring revenue. And they just received a valuation of $10 billion, which is up from $6 billion back in October of 2021, which was really the peak of the economic boom. So somehow, in the past 16 months, they have actually increased their valuation by two thirds or about 67%, which is really remarkable. I mean, you could look across the private markets, the public markets, nobody's worth 67% more today than they were 16 months ago. To give you another data point around that, when they got their $6 billion valuation in October 2021, they had 168 employees. Today, they have more than 650 employees. So they've nearly quadrupled their headcount in the past 16 months. Again, I know it's of a smaller base, but you simply can't find anybody in cybersecurity, who is quadrupling headcount in the face of a recession. I'll add to that, today, at this 10 billion they are what's called a Decacorn status, which is essentially a super fancy unicorn, it's that 10 billion valuation rather than that 1 billion valuation. They're the fastest SaaS company ever to get to Decacorn status: 2.9 years. So that's faster than Facebook or Twitter, Uber, Airbnb. So we're talking about a really remarkable story here. And I mean, I think it speaks to the quality of the technology and it speaks to the quality of the relationships that these founders have, as well as their pedigree, given everything the founding team has done. I think this is going to have massive ramifications for the industry. So if you're to take a step back here, if you think about maybe the endpoint market going back to maybe 2017, 2018, when they entered security, there were a ton of these next-generation endpoint companies, you had CrowdStrike and SentinelOne and Carbon Black and Cylance and Endgame and Cybereason. So you had really six companies doing endpoint detection response, you fast forward five years and now things are really checked out. CrowdStrike is obviously one of the biggest companies in the industry, SentinelOne has a niche among smaller customers. They went public and then a downturn hit them a little bit. Cybereason's still privately held, trying to navigate through that and then the other three all sold, Carbon Black sold to VMware, Cylance sold to BlackBerry and Endgame sold to Elastic. I think you're going to see a really similar dynamic here in the CNAPP market. So you have a number of pure play startups, you have Wiz, you have Orca, you have Lacework you have Aqua you have Sysdig, they all do very similar things. And I think you're really starting to get some calling now. I think this $10 billion valuation is a sign that investors, as well as customers, see Wiz is the clear market leader, that they may be the CrowdStrike of the CNAPP market. So what does that mean for the rest of these companies? Do they try to maybe focus a little bit downmarket since Wiz is really focused on the larger enterprises? Do they look for financial buyer or strategic buyer, or for some type of an exit, or, and I think you're going to start to see a pretty significant reduction in the number of players here. The other thing I will point out and similar to what CrowdStrike has, where they really have to compete against Microsoft as a broader platform play, Wiz also faces some very stiff competition in the form of Prisma Cloud, which is the Palo Alto Networks' cloud security portfolio. And they're the clear market incumbent here. They built it out through acquisition over the past half decade. But it does speak to - I mean Palo's doing great, but it does speak to the sense that maybe customers aren't fully satisfied. Wiz has 35% of the Fortune 100 working with them, it's hard to imagine that Fortune 100 customers would work with both Prisma Cloud and Wiz - they do very similar things. Of course, these Fortune 100 companies, they use Palo Alto Networks' firewalls, or their SOC or anything else. But it does speak to maybe that there's a little bit of dissatisfaction if some of these folks are looking to Wiz for their cloud security needs. I'll leave you with a quote here from Assaf Rappaport. This is the CEO of Wiz. He was talking about this in a press article Monday, and he had said that in terms of Palo Alto Networks, that from a customer's perspective, it's a Frankenstein mash up. It's hard to deploy, hard to use and more noisy than Wiz' products. So gives you a pretty clear sense of how they're trying to go and compete and win against power. But definitely, I think they're then - for the past couple years really the question after CrowdStrike kind of just overthrown Symantec overthrown McAfee, who's going to be the next great company in cybersecurity? And I think we now have our answer.
Delaney: Great, great. So overview intriguing developments. So is Wiz concerned and its investors, are they concerned by an impending recession? Do we know?
Novinson: Really doesn't seem like it. And I know I'd talked to Ami Luttwak in our studios at RSA Conference in last June on this very topic. And I mean, they at some point, it's kind of escape velocity. If you're growing your topline so fast, the things that affect others don't affect you. I mean, you can see that there. That's not the case of their peers. Lacework in the cloud security market has done layoffs, Aqua Security has done layoffs. And I mean, I'd actually spoken - we published earlier this month in interview with Assaf Rappaport, the CEO of Wiz, he was in our virtual studios, and he had said to us, "In these times, the best companies are actually growing, the best companies are actually winning." And people always talk about how Uber and Airbnb came out of their own recessions. And it does seem that essentially, if you're - I mean, typically companies want to grow revenue faster than you grow headcount. But if you're growing revenue fast enough, you got to add people. And if they're nearly quadrupling headcount in 16 months, that really says something about how fast that revenue growth must be. You intent to interview Wiz at RSA this year? I'd certainly love to.
Delaney: Very good. We look forward to that. Thanks, Michael. Okay, and finally, I believe the month of March is already upon us. Can you believe? Thank goodness. And I seem to remember a bit of excitement last year, around March Madness, a reference, I believe, which will be familiar with the followers of men's U.S. college basketball, Tom, am I right? Can you help me with the explanation for those who are unfamiliar with this phrase?
Field: I think you've captured that well, we have educated you. That's good to hear.
Delaney: Getting there. So my last question is inspired by March Madness. What's your best or even tackiest or corniest sports cybersecurity analogy?
Field: I don't have an analogy so much but I have a saying from sports I think is very applicable to cybersecurity as well as to life. Believe it or not, I heard this on sports radio years ago from an ex-football player. And he was talking about how hard times don't build character. They reveal it. Thought about that a lot over the years. I think it's very applicable to life but also to cybersecurity. We've seen some very high-profile incidents. We've all covered them. We've all talked about people that have responded to them one way or another, poorly or not poorly. And I think it holds true. Yeah, times such as those, events don't build character as we always say, they reveal the character that's already there. I think that's something to bear in mind.
Delaney: Great, great. Love it. Marianne?
McGee: Well, mine's not as philosophical as Tom's. Mine's a baseball analogy. You see lots of strikes and hits and I guess there's a home run if the attackers get a big ransom payment. That's all I got.
Delaney: I like that. That is actually very creative. Michael?
Novinson: So I will say and I will note that at long last, March Madness actually now it's allowed to apply to the women's college basketball tournament here. There is a long licensing argument that it lasted, can now apply to both sexes, which is good. But I'm actually sticking to baseball as well. And it's cliche but just this innings analogy when talking about maturity of different technology markets that you would say, whatever firewalls or antivirus software, really late innings items, and then maybe something like API security is really just in the first inning or software supply chain security is in the first inning. To answer the question, I'm sure that's on everyone's minds, in terms of the cloud security, I'll say to the third inning, I think we are starting to see some consolidation, some synthesis in this market.
Delaney: That's what I love about this last question. Everybody has a different take. Well, I'm going to recall what your former president Obama said about American cybersecurity, and this was obviously a few years back. This is more like basketball than football in the sense that there's no clear lines between offense and defense and things are going back and forth all the time. And I think that's a really interesting spot-on analogy.
Field: The game is getting faster and there aren't nearly enough officials.
Delaney: Yeah, very messy. Well, Marianne, Michael and Tom, thank you very much. This has been a pleasure and very interesting discussion.
Field: As always. Thanks.
Delaney: And thanks so much for watching. Until next time.