The Gately Report: Salt Security Heavily Recruiting Partners as API Security Market Sizzles
Meantime, more than 200 million Twitter users' email addresses have been leaked online.
Channel Futures: Is Salt Security’s partner program and partner community growing? If so, what’s fueling that growth?
Salt Security’s Mandy Kelley: Yes, it’s absolutely growing. Salt really got serious about the channel in 2021. Their first step was to bring in and build a channel team internally. And for two-thirds of 2022, we were in recruitment mode. Now we’re really more on optimization. What I’m working closely with our channel managers on is a focused partner program. What are those handful of partners we need to double down on? Not excluding others, but who do we want to run specific incentive programs with? Who do we want to make sure their technical teams are enabled? So I would say throughout 2022, we experienced a lot of growth in the number of partners that were transacting and asking about us, and now we’re really trying to kind of sift through to make sure that those partners that have the resources and the customer base are absolutely enabled and ready to go.
I’ve been in information security for over two decades and I love the startup scale-up environment. And this has been really fun because the end users are going to the partners and asking them about API security. So they’re coming to us. It is definitely more of a pull than a push than it’s been in other places in my career.
CF: Where does Salt Security fit in the competitive landscape in terms of API security? And what gives Salt Security an edge over its competitors?
MK: From my perspective, being first to the market and being the market leader, having the patents and the experience, I think that is what differentiates us. I will also say from the channel side, the channel teams that we’ve hired are very well respected within the industry. So our partners already have a trust with us. And [regarding the] competition, the feedback I’ve been given is that they may not always be perceived as channel-friendly or there’s a risk of taking things direct. And I think Salt is showing that they are committed to building those partner relationships. So in addition to the technology, just our investment in our partners is something that differentiates us.
CF: Last February, Salt Security announced its expanded Essential Partner Program. What can partners expect from the program this year?
MK: It took us the full year to execute on that initial announcement. So in 2022, we formalized the deal registration with the margin protections. We rolled out the partner portal and really invested a lot in demand-generation programs and incentives. So in the first half of this year, we are rolling out formalized enablement where there’s going to be sales associate training as well as technical associate training. And those should be coming out in the first quarter for our partners to be better enabled and equipped to sell, or at least start the selling process without waiting on anybody from Salt.
CF: What’s the latest in terms of partner feedback? What do they want from Salt Security?
MK: They appreciate that we have a great incentive program for identifying net-new opportunities as well as deal-progression incentives, getting POVs up and running, and trying to incent the technical team to be participatory throughout the process. So I’ve heard positive feedback there. Also, joint demand-generation programs. Because API security is so relevant, our partners are wanting to bring in Salt or an API solutions provider because it’s drawing, it’s putting butts in seats because their customers are understanding that it’s a problem.
Some asks from the partners include continued enablement … and then additional selling resources, which we’ve already started to provide around competitive differentiation and overcoming objections. And the mentality I’m trying to really build with Salt is the partners are truly an extension of our sales force. So whatever training our sales force gets, our partner community needs to have the exact same training. So I think we have been checking that box, but we’re going to continue to do it more effectively.
CF: How can Salt Security help partners that are potentially impacted by ongoing economic uncertainty?
MK: Part of it is extending patience. I have seen — and I anticipate it’ll continue for at least a quarter or two — that the sales cycle is longer right now. The purse strings are tighter. And because API security is a newer threat attack surface, there’s a lot more education that has to be done at the customer level. So giving those partners every tool they need to educate their customers on the importance of protecting APIs and how this is going to save them money in the long run, I think helps. And again, the patience and being active partners with them throughout the sales process so they know they’re not alone and that we are not in it for just a deal. We want to help them help their customers be successful long-term. I have been really impressed with the way our management team has approved us working with our partners to help end users be successful even when budgets are tight.
CF: Is API security a tougher sell because it’s newer and organizations may not know they need it?
MK: API security is not a harder sell and I’m really curious to see what it looks like this year with new budget cycles because there’s not a lot of convincing. Especially when you get into the financial and insurance sectors, there are some industries that you don’t have to educate them on the problem. They get it. It was just an unbudgeted problem because they weren’t aware of it before. So I’m really curious to see what it looks like this year because I don’t think we’ve had to help a partner convince a customer that there’s a problem. It’s more trying to be creative on, is this a bigger problem than something else that you’re going to pull budget? Is this something we can start to build out so that when you do have the budget we can implement? I think the budgeting side of it is a way different discussion than the maturation of needing to solve the problem.
CF: What do you find most disturbing or dangerous about the current threat landscape?
MK: I’m not a CISO, thank goodness, because I can’t even imagine how they sleep at night. I think for me it’s what’s next. What did the bad guys think of that we haven’t yet? How do you always stay ahead of it? When I started in this industry, it was 2000. Think about the problems we were solving then and where we were. An RSA token was the state-of-the-art, best thing ever. Think about all the things that these security practitioners have to think about and get in front of. I think that’s probably what overwhelms me the most because you have to break through the noise, and API security is the hot topic right now. It’s not the only topic, but it is the one that seems to be an easy conversation to get meetings about.
CF: Overall, what can partners expect from Salt Security in 2023?
MK: They can expect profitability selling our solution. Our margins are healthy. The problem is one that their customers are already talking about. Also, partners can expect flexibility. I think flexibility is really key for Salt, whether it’s customizing a POV for their customers, and being creative in a go-to-market (GTM) or demand-generation program. In addition, they can expect accessibility. We have technical teams and marketing teams that are all working closely with our partner community. So I think those are the key things that they can expect from us.
In other cybersecurity news this week …
According to the latest Check Point Research (CPR) data, global cyberattacks increased 38% in 2022 compared to the prior year.
These cyberattack numbers were driven by smaller, more agile hacker and ransomware gangs. They focused on exploiting collaboration tools used in work-from-home (WFH) environments, targeting education institutions that shifted to e-learning post COVID-19.
This increase in global cyberattacks also stems from hacker interest in health care organizations. Health care saw the largest increase in cyberattacks in 2022, when compared to all other industries.
CPR warns the maturity of artificial intelligence (AI) technology, such as ChatGPT, can accelerate the number of cyberattacks in 2023. ChatGPT is a chatbot launched by OpenAI in November.
Key CPR statistics include:
The global volume of cyberattacks reached an all-time high in the fourth quarter with an average of 1,168 weekly attacks per organization.
The top three most attacked industries in 2022 were education/research, government and health care.
Africa experienced the highest volume of attacks with 1,875 weekly attacks per organization, followed by APAC with 1,691 weekly attacks per organization.
North America (+52%), Latin America (+29%) and Europe (+26%) showed the biggest increases in cyberattacks in 2022, compared to 2021.
The United States saw a 57% increase in overall cyberattacks in 2022, while the United Kingdom saw a 77% increase and Singapore saw a 26% increase.
Omer Dembinsky is data group manager at Check Point Software Technologies. He said several cyber threat trends are all happening at once.
“For one, the ransomware ecosystem is continuing to evolve and grow with smaller, more agile criminal groups that form to evade law enforcement,” he said. “Second, hackers are widening their aim to target business collaboration tools such as Slack, Teams, OneDrive and Google Drive with phishing exploits. These make for a rich source of sensitive data given that most organizations’ employees continue to work remotely.”
Third, academic institutions have become a popular feeding ground for cybercriminals following the rapid digitization they undertook in response to the pandemic, Dembinsky said.
“Many education institutions have been ill-prepared for the unexpected shift to online learning, creating ample opportunity for hackers to infiltrate networks through any means necessary,” he said. “Schools and universities also have the unique challenge of dealing with children or young adults, many of which use their own devices, work from shared locations, and often connect to public Wi-Fi without thinking of the security implications.”
Fast-food chain Five Guys has disclosed a security incident in which sensitive customer data was exposed by an unauthorized party who accessed a file server.
The data breach occurred last September and Five Guys announced it in a recent letter to customers from COO Sam Chamberlain.
On Sept. 17, Five Guys discovered that it had experienced a data breach in which sensitive personally identifiable information (PII) in its systems may have been accessed. Through its investigation, the company determined that an unauthorized actor may have accessed this sensitive information on Sept. 17. On Dec. 29, it began contacting individuals whose information may have been impacted. The type of information exposed includes names, Social Security numbers and driver’s license numbers.
“We immediately implemented our incident response plan, took steps to contain the activity, and launched an investigation,” Chamberlain said. “A cybersecurity firm that has assisted other companies in similar situations was engaged. We also notified law enforcement and are supporting its investigation.”
Casey Ellis is Bugcrowd’s founder and CTO.
“From a motivation standpoint, the most common motivation for this type of attack is financial, either exploiting the data directly or holding it for ransom,” he said. “But there is also a rising trend of opportunistic or casual attackers, as well as initial access brokers who essentially trawl the internet for opportunities like this one. In my experience, demonstrating just how easy it can be to hack an organization tends to be the most effective way for them to believe in the boogeyman and start approaching security more proactively. Vulnerability disclosure programs and bug bounty programs, for example, engage hackers who operate in good faith to do almost exactly the same thing the bad guys would, but for the purpose of demonstrating and identifying weakness so that it can be fixed before it is exploited for real.”
Two-and-a-half months is, unfortunately, a pretty good response time for an organization that wouldn’t necessarily be subject to constant, targeted attacks, Ellis said.
“From a consumer perspective, the sooner notification can happen (within reason) the better,” he said. “And there are active bills in Washington, D.C., at the moment to attempt to legislate, normalize and tighten breach discovery and notification windows.”
Andrew Hay is COO of Lares Consulting.
“The attackers could sell the data to a competitor or a criminal organization,” he said. “The former could use the information to target advertising to specific customer segments in the hopes of chipping away at the organization’s market share. The latter scenario may lead to customer information being used to open bank accounts, conduct targeted phishing exercises, or engage in other criminal activity to defraud those affected. As is common with this type of attack, customers will likely be offered credit monitoring services to help prevent identity theft. However, the bigger challenge for Five Guys is winning back the loyalty of the customers affected.”
More than 200 million Twitter users’ email addresses have been leaked online.
According to Bloomberg, an anonymous user has published a massive database they claim contains basic information on more than 230 million Twitter users, such as email addresses and screen names. The database contains the names and email addresses of politicians, journalists and bankers, among others.
Jamie Boote is associate software security consultant at Synopsys Software Integrity Group.
“This is a common example of how an unsecured API that developers design to ‘just work’ can remain unsecured because when it comes to security, what is out of sight is often out of mind,” he said. “Humans are terrible at securing what they can’t see. As always, malicious actors have your email address. To be safe, users should change their Twitter password and make sure it’s not reused for other sites. And from now on, it’s probably best to just delete any emails that look like they’re from Twitter to avoid phishing scams.”
Sammy Migues is principal scientist also with Synopsys.
“API security is the real story here,” he said. “As cloud-native app development explodes, so does the world of refactoring monolithic apps into hundreds and thousands of APIs and microservices. Certainly this effort is growing much faster than the skills and numbers of application architects who can craft working secure API and zero trust architectures. It’s also growing faster than the time there is available to do threat modeling and skilled security testing. In this case, the lapse in API security resulted in email addresses tied to Twitter accounts and it seems the marketplace has spoken on the value of that data — next to nothing.”
The global API security market is growing at a rapid pace, and Salt Security is among the leaders in this active market.
For the past year, Salt Security has been building its structured partner program. In addition, it has seen swift expansion of its partner community. It has grown from fewer than 40 signed partners last May to nearly 150 globally today.
According to Future Market Insights, the global API security market should grow at a compound annual growth rate (CAGR) of 26.3% through 2032, reaching nearly $10.2 billion by the end of 2032.
Salt Security’s patented API Protection Platform combines cloud-scale big data and machine learning/artificial intelligence (ML/AI) to detect and prevent API attacks. By correlating activities across millions of APIs and users over time, Salt Security delivers context with real-time analysis and continuous insights for API discovery, attack prevention and shift-left practices.
Jon Peppler recently left his role as Salt Security’s vice president of worldwide channels. Mandy Kelley, global director of channel marketing, helped Peppler build the program. She’s now “globally behind the scenes making sure everything is running OK.”
Understanding API Security
In a Q&A, Kelley talks about Salt Security’s work with partners and what they can expect in 2023.
Channel Futures: What encompasses Salt Security’s channel strategy?
Mandy Kelley: Our strategy is to walk before we run, to really just build the fundamentals, focusing primarily on the resellers and the distribution partners. Distribution is especially key in our LATAM and EMEA markets. And part of the methodology that … is so important is what we call engagement, enablement and demand generation. The first step is really engaging the partner community. Are we where they are? Are we meeting them? Do they like us? Will they take our calls? And once we’ve checked that box, we move on to enablement and we help them understand why API security is important and how this fits into their overall solution. Most of the partners that we work with really pride themselves on being solution advisors. So we want to help them be consultative and help them be forward thinkers with their customers. That’s where the engagement piece is.
And once we’ve got them engaged and enabled, that’s when we want to start helping them drive demand. We want them to be comfortable with the problem that’s out there and why we think Salt is better at solving it, and then working together. We really want it to be a very collaborative sales process. And we try to make sure every deal we have goes through our partner ecosystem.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.