Living Security aims to ensure the management of risks related to human security
Cybersecurity is arguably one of the hottest tech sectors today. Venture capital funds invest millions of dollars in startups while most companies tout the benefits of zero trust and secure access to applications. What often gets lost in these conversations is that most of the fallout from phishing and ransomware attacks is the direct result of human error.
This is why I was particularly interested in speaking with Living Security, based in Austin. Founded in my hometown by CEO Ashley Rose in 2017, the startup is looking to take security compliance training to the next level. She and I recently discussed Living Security’s approach of using human risk management to complement an organization’s security infrastructure. Today I would like to share what I find most compelling about the platform.
Shift from compliance to behavior change
Before we jump into our conversation, it might be helpful to provide some background on the origin of Living Security. Rose’s husband and company co-founder Drew Rose had high-level security access while working with the US federal government on cybersecurity-related initiatives. It quickly became clear to the couple that it is ultimately up to individuals and groups to ensure effective endpoint security solutions and devices. Traditionally, this effort has been accomplished through computerized training modules focused on compliance. What the Roses discovered was an opportunity to build safety awareness and drive behavior change.
Living Security aims to provide a more focused and data-centric approach, one that drives lasting change in human behavior, or “safety hygiene”. At the beginning of the company’s existence, this involved physical training sessions of the escape room type. Over time, it has moved to a Software-as-a-Service platform that offers a wide variety of content, playbooks, and campaigns tailored to a client’s specific needs. All of this is easily accessible via an intuitive dashboard.
The pandemic pivot
Like many other companies at the height of the pandemic, Living Security had to redefine its approach to go to market. The company has invested heavily in digital capabilities, creating a new virtualized escape room experience within months. The company also launched a phishing simulation service that uses harmless employee-directed emails to assess a company’s vulnerability. Phishing remains one of the most difficult scams for IT departments in corporate environments to foil, given the lateral movement of the threat through corporate networks.
Currently on the waiting list, Living Security’s Unify platform promises to bring together its current teams, training and phishing simulation to measure and quantify human risk, identify the most significant risks, determine appropriate actions and ensure continuous risk mitigation. The data-centric architecture aims to integrate with some of the largest security endpoint vendors through an application program interface (API). Today, around nine Unify integration points include Microsoft and VMware Carbon Black, but many more are allegedly in the works. In my opinion, too many cybersecurity companies are taking a walled garden approach. There is a reluctance to expose APIs as these companies also want to sell adjacent solutions. Living Security, however, takes a more open approach, hoping to improve the resiliency of the security infrastructure and SecOps efforts.
Living Security’s vision is to measure, predict and be proactive in managing human security risks. I am impressed with how far the company has grown over its four year journey, and by winning clients with companies such as Charles Schwab, CVS, Sony, Target, T-Mobile, and others. The ultimate success will lie in Living Security’s integrations with security solution providers. If it can overcome this hurdle, it will be a compelling offer that complements the deployment and management of security infrastructure.
Disclosure: My company, Moor Insights & Strategy, like all research and analysis companies, provides or has provided research, analysis, advice and / or advice to many high-tech companies in the industry. I do not own any participation in the companies mentioned in this column.