Thanks to an uncertain economy, cybersecurity budgets are in a tight spot.
According to a 2023 survey from IANS and recruiting firm Artico Search, more than a third of chief information security officers (CISOs) kept their security spending the same — or slightly reduced — in 2023. A separate report from PwC suggests that one in five organizations will see their cybersecurity budgets stagnate or even shrink this year.
So what’s a CISO to do? Well, if you ask Garrett Hamilton, they should give Reach Security a whirl.
Reach is Hamilton’s brainchild, a startup he co-founded with Colt Blackmore in 2021. It’s technically a cybersecurity platform — but not a conventional one.
Instead of serving as just another layer in a company’s cybersecurity stack, Reach connects to a company’s existing IT and security products, collecting data on attacks and recommending ways to combat them using security tools that the company already owns.
“The average security team uses less than 20% of what they have, and struggles to secure their organization as a direct result,” Hamilton told TechCrunch in an interview. “Every other company in our industry will say that you need another security mousetrap to solve this problem. They’re wrong.”
Prior to Reach, Hamilton worked at Palo Alto Networks, where he was director of product management. Blackmore headed data science efforts at cybersecurity firm Proofpoint, and, before that, was a technical lead at Palo Alto.
Hamilton says that he and Blackmore designed Reach to abstract away some of businesses’ basic security decisions. Organizations feel like they’re “running in place,” the way Hamilton sees it — buying security tools and putting in the work to operate them but often not seeing the results.
The sprawl is real. A survey from security posture management vendor Panaseer found that organizations manage on average between 64 to 76 security tools (as of 2022). According to the same survey, only a third said they “very confident” in their ability to prove that their security controls were working as intended.
Perhaps it’s not surprising that many CISOs feel their cybersecurity budget’s being wasted — and that, even with countless defensive and offensive tools, it takes them days to weeks to detect threats.
“It’s becoming increasingly important for security teams to optimize the tools they already own based on the attacks they actually face,” Hamilton said. “Vendors should meet the customer where they are to prove their value, and customers should focus on operating what they have deployed effectively before considering another tool or platform.”
To that end, Reach attempts to suss out the identity of attackers, their targets, what they have access to and how their attacks work — and suggest options available to stop the attacks through a company’s subscribed-to products. Reach also auto-tunes security tool configurations to try to prevent attacks, prioritizing actions based on how the attacks are being carried out.
“Reach assesses the security posture of an organization beyond best practices and compliance frameworks,” Hamilton said. “It also tailors security control recommendations and assessments based on each customer’s unique threat profile, and solves the ‘last mile’ problem by giving operators the ability to deploy the changes directly from Reach.”
Companies — and investors — find this premise attractive.
Hamilton says that “dozens” of organizations have deployed Reach’s tools, including Autodesk. And Reach recently closed a $20 million funding round led by Ballistic Ventures with participation from Artisanal Ventures, Ridge Ventures, Webb Investment Network, Tech Operators and former Palo Alto Networks CEO Mark McLaughlin.
Here’s Geoff Belknap, LinkedIn’s CISO, on it:
Reach Security solves the ‘too many tools, not enough people’ problem not by asking you to buy one more tool, but by pragmatically attacking the problem with a product that focuses on ensuring you get the most out of what you already have. Definitely worth ignoring if you’re one of those security leaders that has all the people and budget they could ever want. But, for the 99.999% of us looking to get more out of the tooling investments we’re already made and get better at showing our board and executive stakeholders a steady or even increasing return on those investments: Something to actively look into.
That Reach managed to secure a reasonably large funding tranche is all the more impressive considering the continued downturn the cybersecurity sector’s experiencing.
According to DataTribe, a startup incubator, there was a 37% dip in completed cybersecurity funding deals from Q4 2022 to Q4 2023. Series A valuations took an outsize hit, with median pre-money valuations dropping from a five-year high of $73.45 million to $29.5 million.
“The broader slowdown in tech has amplified the value that Reach provides,” he added. “Reach addresses a universal need and is positioned for growth in a sector where the demand for using existing security controls more effectively is escalating … While this new capital was raised to scale [up] the business, we’ll continue to follow a disciplined approach that scrutinizes spend against results achieved.”